Welcome
Configuration Guide
Learn how to configure BigFix according to your needs.
Additional configuration steps
These topics explain additional configuration steps that you can run in your environment.
Managing Downloads
BigFix uses several methods to ensure that downloads are efficient and make the best use of available bandwidth. Among other techniques, caching is used extensively by all the BigFix elements, including servers, relays, and clients.
Dynamic download White-lists
Dynamic downloading extends the flexibility of action scripts, adding the ability to use relevance clauses to specify URLs.

BigFix Documentation Homepage
BigFix 11 Platform Documentation
Welcome to the BigFix Platform documentation, where you can find information about how to install, maintain, and use BigFix.
Detailed system requirements
The content of this page has moved to the HCL Support site. You will be redirected shortly. If the auto-redirect fails for some reason, use this link: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104120.
Platform guides in PDF format
Following is a list of links to the BigFix Platform user guides in PDF format:
Common Criteria Certification
BigFix 10.0.1.41 complies with the requirements of the standard ISO/IEC 15408 (Common Criteria) v. 3.1 for the assurance level: EAL2
Getting Started
Use this section to become familiar with BigFix infrastructure and key concepts necessary to understand how it works.
HTTPS across BigFix applications
This topic describes how the SSL/HTTPS communication works in BigFix applications and links the tasks on how to configure it.
Installation Guide
Learn the system requirements, licensing and installation instructions, and how to configure and maintain BigFix.
Configuration Guide
Learn how to configure BigFix according to your needs.
- Introduction
  This guide explains additional configuration steps that you can run in your environment after installation.
- BigFix Site Administrator and Console Operators
  In BigFix there are two basic classes of users.
- Integrating with LDAP or Microsoft Entra ID
  You can add Identity Providers associations to BigFix.
- Enabling SAML V2.0 authentication for identity provider operators
  BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
- Disabling local operators
  Starting from BigFix Version 10.0.8, this feature provides a mechanism where the creation and use of any local operator is prohibited in favor of LDAP-based operators.
- Using multiple servers (DSA)
  Some important elements of multiple server installations.
- Server object IDs
  The BigFix server generates unique ids for the objects that it creates: Fixlets, tasks, baselines, properties, analysis, actions, roles, custom sites, computer groups, management rights, subscriptions.
- Customizing HTTPS for Gathering
- Using the DHE/ECDHE key exchange method
  By default, BigFixVersion 11 components use the DHE/ECDHE key exchange method if the version of the BigFix component on the other side of the SSL communication allows it.
- Configuring secure communication
- Real Time AV Exclusions
  BigFix Console, Server and Relay components of the architecture perform high volume file operations. This activity is a substantial part of the functionality that these BigFix architecture components provide.
- Downloading files in air-gapped environments
  In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
- Getting client information by using BigFix Query
  The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
- The Plugin Portal
  The Plugin Portal is a new component introduced in BigFix 10 to help manage cloud devices as well as modern devices such as Windows 10 and MacOS endpoints enrolled to BigFix. For details on modern client management, see Modern Client Management and BigFix Mobile.
- Extending BigFix management capabilities
  BigFix 11 delivers a few significant new functions for enhancing the visibility and management of devices on your network regardless of whether the devices are physical or virtual.
- Persistent connections
  The capability to establish persistent connections was added to the product.
- Relays in DMZ
  The capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
- Working with PeerNest
  The BigFix Client includes a new feature named PeerNest, that allows to share binary files among Clients located in the same subnet. The feature is available starting from BigFix Version 9.5 Patch 11.
- Archiving Client files on the BigFix Server
  You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
- BigFix Configuration Settings
  A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
- Additional configuration steps
  These topics explain additional configuration steps that you can run in your environment.
  - Installing and configuring the email notification service
    You can use the email notification service to send automatic email notifications to notify you about the completion status of Baselines that you run. To use this notification feature, you must first install the notification service by running a Task. After you have installed the service, you must configure it by running another Task.
  - Configuring FillDB
    The FillDB process runs on the BigFix Server system and is responsible for storing the information returned from the BigFix Agents into the BigFix database.
  - Configuring ODBC data sources
    How to use Open DataBase Connectivity (ODBC) to set up and configure ODBC Data Sources with BigFix.
  - Configuring the number of Web Reports results
    To avoid excessive use of memory when displaying Web Reports results on Explore Computers reports, you can configure the MaxReportResults keyword. This keyword sets the maximum number of rows that can be displayed in a web report. Its default value is 1000000.
  - Managing Daylight Saving Time (DST) for Web Reports
    By default, Web Reports track scheduled activity next attempt times using UTC rather than the local time zone.
  - FIPS 140-2 cryptography overview
    BigFix uses the BigFix Cryptographic Module to perform cryptographic functions throughout its environment.
  - Managing Client Encryption
    Server and relay-bound communications from clients can be encrypted to prevent unauthorized access to sensitive information. To enable it, you must generate a key and provide a value on clients for the setting named _BESClient_Report_Encryption.
  - Message Level Encryption (MLE) Overview
    Message Level Encryption (MLE) allows your Clients to encrypt upstream data using a combination of an RSA public/private key-pair and an AES session key.
  - Changing the Client Icon
    By default, the icon in the upper left corner of the client UI is the BigFix logo.
  - Client UI main actions
    The BigFix Client UI is used to display message boxes to the end users logged on to the client computer (including pre-action messages, action running messages, and restart/shutdown messages).
  - Optimizing the servers
    BigFix operates efficiently, with minimal impact on network resources. However, there might be installations that stretch the recommended configurations, where there are too many clients for the allotted server power.
  - Optimizing the consoles
    To be responsive, the console requires reasonable CPU power, memory, and cache space.
  - Managing Bandwidth
    File downloads consume the bulk of the bandwidth in a typical installation. You can control the bandwidth by throttling, which limits the number of bytes per second.
  - Managing Downloads
    BigFix uses several methods to ensure that downloads are efficient and make the best use of available bandwidth. Among other techniques, caching is used extensively by all the BigFix elements, including servers, relays, and clients.
    - Enabling data pre-cache
      You can specify for each Client if the data to download to run an action must be pre-cached on the Client or not and how.
    - Dynamic download White-lists
      Dynamic downloading extends the flexibility of action scripts, adding the ability to use relevance clauses to specify URLs.
  - Customizing HTTPS for downloads
    This page describes the usage of CA bundles in HTTPS downloads and how to customize them.
  - Creating custom client dashboards
    You can create custom Client Dashboards, similar to those in the console. Dashboards are HTML files with embedded Relevance clauses that can analyze the local computer and print out the current results.
  - Geographically locating clients
    Because clients are often deployed in remote offices, it is useful to create a property that lets the clients report their own location.
  - Locking clients
    You can change the locked status of any BigFix client in the network. This lets you exclude specific computers or groups of computers from the effects of Fixlet actions.
  - Editing the Masthead on Windows systems
    You can change default parameters stored in the masthead by using the BigFix Administration Tool.
  - Editing the Masthead on Linux systems
    To modify the masthead, run the following command as super user.
  - Obfuscating server passwords
    You can replace the passwords on the server with obfuscated passwords, by indicating the type of password that you want to replace and the new password.
  - Modifying Global System Options
    To modify a few basic system defaults, such as the minimum refresh time and the Fixlet visibility, perform the following steps.
  - Extending the BigFix License
    When you first request your action site license, you are issued a license for a specific period of time. Before your license expires, BigFix warns you, giving you sufficient time to renew your license.
  - Re-creating Site Credentials
    Private and public key encryption creates a chain of signing authority from the BigFix root down through the Site Administrator and including each console operator.
  - Creating special custom sites whose name begins with FileOnlyCustomSite
    You might delete special custom sites whose name begins with FileOnlyCustomSite that are generated to propagate files to agents accidentally or purposely, for example, when performing a gather reset. You can recreate them by using the PropagateFiles.exe tool.
  - Configuring Client CPU Utilization
    How to configure the amount of CPU the BigFix client uses on an endpoint machine.
  - Customizing Client UI message strings
    You can customize the Client UI message strings. It is possible to alter the English text output and also to change any of the localizable string translations by using the XLAT files for the Client UI. The Client UI XLAT files default location for a 64-bit machine is C:\Program Files (x86)\BigFix Enterprise\BES Client\BESLib\Reference.
- Migrating the BigFix Server (Windows/MS-SQL)
  This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
- Migrating the BigFix Server (Linux)
  This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
- Migrating the BigFix Server from Windows to Red Hat 9 with SQL Server
  Starting from BigFix Version 11.0.1, you can migrate BigFix Platform from a Windows operating system to a Red Hat 9 operating system with Microsoft SQL Server 2022 Database, both using a local or a remote database.
- Server audit logs
  The BigFix Server generates a server audit log file which contains the access information (login/logout) and information about the actions performed through the Console or the WebUI by the different users.
- List of advanced options
  The following lists show the advanced options.
- Security Configuration Scenarios
  Starting from Version 11, BigFix provides the capability to configure several security options.
- Enabling Microsoft Control Flow Guard on BigFix Server
  Starting from BigFix version 11.0.3, the BigFix Server implements the Microsoft Control Flow Guard (CFG) security feature on Windows systems; the BigFix Server executables:
- Client certificate
  To comply with the modern industry standards, starting from product version 10.0.7, the client certificate of the BigFix Agent will have a validity period of 13 months.
- Client Authentication
  Client Authentication (introduced in version 9) extends the security model used by BigFix to encompass trusted client reports and private messages.
- Maintenance and Troubleshooting
  If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.
Console Operator's Guide
Learn how to work with the BigFix Console.
Asset Discovery User's Guide
Learn how BigFix Asset Discovery works.
Web Reports Guide
Learn how the Web Reports feature extends the power of BigFix.
BigFix Explorer Guide
Learn how the BigFix Explorer feature extends the power of BigFix.
WebUI User's Guide
Read this guide for an introduction to the WebUI tools, concepts, and terminology.
WebUI Administration Guide
Read this guide for information about installing and administering the WebUI.
Glossary
This glossary provides terms and definitions for the Modern Client Management for BigFix software and products.

Dynamic download White-lists

Dynamic downloading extends the flexibility of action scripts, adding the ability to use relevance clauses to specify URLs.

As with static downloads, dynamic downloads must specify files with the confirmation of a size or sha1. However, the URL, size, and sha1 are allowed to come from a source outside of the action script. This outside source might be a manifest containing a changing list of new downloads. This technique makes it easy to access files that change quickly or on a schedule, such as antivirus or security monitors.

This flexibility entails extra scrutiny. Because any client can use dynamic downloading to request a file, it creates an opportunity for people to use your server to host files indiscriminately. To prevent this, dynamic downloading uses a white-list. Any request to download from a URL (that is not explicitly authorized by use of a literal URL in the action script) must meet one of the criteria specified in a white-list of URLs that is contained in the following file:

On Windows systems:: <Server Install Path>\Mirror Server\Config\DownloadWhitelist.txt
On Linux systems:: <Server Install Path>/Mirror Server/config/DownloadWhitelist.txt

This file contains a newline-separated list of regular expressions using a Perl regex format, such as the following:

http://.*\.site-a\.com/.*
http://software\.site-b\.com/.*
http://download\.site-c\.com/patches/JustThisOneFile\.qfx

The first line is the least restrictive, allowing any file at the entire site-a domain to be downloaded. The second line requires a specific domain host and the third is the most restrictive, limiting the URL to a single file named "JustThisOneFile.qfx". If a requested URL fails to match an entry in the white-list, the download immediately fails with status NotAvailable. A note is made in the relay log containing the URL that failed to pass. An empty or non-existent white-list causes all dynamic downloads to fail. A white-list entry of "*" (dot star) allows any URL to be downloaded.