BigFix 11 Platform Documentation
Welcome to the BigFix Platform documentation, where you can find information about how to install, maintain, and use BigFix.
Detailed system requirements
The content of this page has moved to the HCL Support site. You will be redirected shortly. If the auto-redirect fails for some reason, use this link: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104120.
Platform guides in PDF format
Following is a list of links to the BigFix Platform user guides in PDF format:
Common Criteria Certification
BigFix 10.0.1.41 complies with the requirements of the standard ISO/IEC 15408 (Common Criteria) v. 3.1 for the assurance level EAL2.
Getting Started
Use this section to become familiar with BigFix infrastructure and key concepts necessary to understand how it works.
Introduction
BigFix is a suite of products that provides a fast and intuitive solution for compliance, endpoint, and security management and allows organizations to see and manage physical and virtual endpoints through a single infrastructure, a single console, and a single type of agent.
BigFix Platform
All the BigFix applications run on top of the BigFix platform.
BigFix applications
The BigFix solution comprises several application products that provide consolidated security and operations management and simplified, streamlined endpoint management, while increasing accuracy and productivity.
A sample architecture
A sample architecture helps you to plan your environment.
Types of content
BigFix is based on content. The generic term "content" can refer to data to distribute to targets, instructions to run on targets, or queries to run on targets.
How to identify on which targets to apply content
BigFix helps you identify on which targets to apply content.
A patch management scenario
Follow the steps listed in these topics to learn how to deploy a patch using the Patch Management application on a newly installed BigFix server. All the steps are run from the BigFix console.
HTTPS across BigFix applications
This topic describes how the SSL/HTTPS communication works in BigFix applications and links the tasks on how to configure it.
Installation Guide
Learn the system requirements, licensing and installation instructions, and how to configure and maintain BigFix.
Introduction
BigFix aims to solve the increasingly complex problem of keeping your critical systems updated, compatible, and free of security issues. It uses patented Fixlet technology to identify vulnerable computers in your enterprise. With just a few mouse-clicks you can remediate them across your entire network from a central console.
BigFix Platform Unicode Support Overview
BigFix Platform V11 gathers data from BigFix clients deployed with different code pages and languages. It encodes all data into UTF-8 format, and reports it back to the BigFix server.
Sample deployment scenarios
The following deployment scenarios illustrate some basic configurations taken from actual case studies.
Requirements and assumptions
BigFix runs efficiently using minimal server, network, and client resources.
Types of installation
Before you install the product, decide if you want to do an evaluation or production installation.
Managing licenses
You must obtain a license key before you can install and use BigFix.
Before installing
Before running the installation, make sure that you read the following topics and run the requested activities if needed.
Installing on Windows systems
Now that you understand the terms and the administrative roles, you are ready to get authorized and install the programs.
Installing on Linux systems
After understanding the terms and the administrative roles, you are ready to actually get authorized and install the programs.
Installing the clients
Install the BigFix client on every computer in your network that you want to administer, including the computer that is running the console.
BigFix Administration Tool
The BigFix Administration Tool, also called BESAdmin, is the tool we use to perform configuration changes and maintenance operations.
Post-installation configuration steps
After having run the installation, make sure that you read the following topics and run the requested activities if needed.
Managing relays
Relays can significantly improve the performance of your installation.
Introduction to Tiny Core Linux - BigFix Virtual Relay
Follow the step-by-step sequence of operations needed to build the virtual machine, from the downloading of the ISO image to the complete setup and configuration of the BigFix Virtual Relay.
Setting up a proxy connection
If your enterprise uses a proxy to access the Internet, your BigFix environment can use that communication path to gather content from sites.
Running backup and restore
You can schedule periodic backups (typically nightly) of the BigFix server and database files, so that when a problem occurs you can restore the latest backup and reduce the risk of losing productivity or data.
Upgrading
The steps to upgrade the BigFix Platform.
SQL Server parallelism optimization
The performance of an SQL Server database instance can often be improved by small tweaks. Performance might also be hindered by simple oversights. In fact, some SQL Server parallelism settings have suboptimal default values. Moreover, they have to be re-tuned after a hardware upgrade. Other issues might arise from inadvertent hardware configurations, especially when SQL Server is hosted on a virtual machine (VM).
Known limitations and workarounds
This section describes the known limitations and possible workarounds.
Logging
This section describes the log files associated with the BigFix components.
Uninstalling the BigFix client
To uninstall the BigFix client installed on the various operating systems, see the following sections.
Configuration Guide
Learn how to configure BigFix according to your needs.
Introduction
This guide explains additional configuration steps that you can run in your environment after installation.
BigFix Site Administrator and Console Operators
In BigFix there are two basic classes of users.
Integrating with LDAP or Microsoft Entra ID
You can add Identity Provider associations to BigFix.
Enabling SAML V2.0 authentication for identity provider operators
BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
Disabling local operators
Starting from BigFix Version 10.0.8, this feature provides a mechanism where the creation and use of any local operator is prohibited in favor of LDAP-based operators.
Using multiple servers (DSA)
Some important elements of multiple server installations.
Server object IDs
The BigFix server generates unique IDs for the objects that it creates: Fixlets, tasks, baselines, properties, analyses, actions, roles, custom sites, computer groups, management rights, subscriptions.
Using the DHE/ECDHE key exchange method
By default, BigFix Version 11 components use the DHE/ECDHE key exchange method if the version of the BigFix component on the other side of the SSL communication allows it.
Real Time AV Exclusions
BigFix Console, Server and Relay components of the architecture perform high volume file operations. This activity is a substantial part of the functionality that these BigFix architecture components provide.
Downloading files in air-gapped environments
In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
Getting client information by using BigFix Query
The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
The Plugin Portal
The Plugin Portal is a new component introduced in BigFix 10 to help manage cloud devices as well as modern devices such as Windows 10 and macOS endpoints enrolled to BigFix. For details on modern client management, see Modern Client Management and BigFix Mobile.
Extending BigFix management capabilities
BigFix 11 delivers a few significant new functions for enhancing the visibility and management of devices on your network regardless of whether the devices are physical or virtual.
Persistent connections
The capability to establish persistent connections was added to the product.
Relays in DMZ
The capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
Working with PeerNest
The BigFix Client includes a new feature named PeerNest, which allows Clients located in the same subnet to share binary files. The feature is available starting from BigFix Version 9.5 Patch 11.
Archiving Client files on the BigFix Server
You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
BigFix Configuration Settings
A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
Additional configuration steps
These topics explain additional configuration steps that you can run in your environment.
Migrating the BigFix Server (Windows/MS-SQL)
This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
Migrating the BigFix Server (Linux)
This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
Migrating the BigFix Server from Windows to Red Hat 9 with SQL Server
Starting from BigFix Version 11.0.1, you can migrate BigFix Platform from a Windows operating system to a Red Hat 9 operating system with Microsoft SQL Server 2022 Database, using either a local or a remote database.
Server audit logs
The BigFix Server generates a server audit log file which contains the access information (login/logout) and information about the actions performed through the Console or the WebUI by the different users.
List of advanced options
The following lists show the advanced options.
Security Configuration Scenarios
Starting from Version 11, BigFix provides the capability to configure several security options.
Enabling Microsoft Control Flow Guard on BigFix Server
Starting from BigFix version 11.0.3, the BigFix Server implements the Microsoft Control Flow Guard (CFG) security feature on Windows systems; the BigFix Server executables:
Client certificate
To comply with the modern industry standards, starting from product version 10.0.7, the client certificate of the BigFix Agent will have a validity period of 13 months.
Client Authentication
Client Authentication (introduced in version 9) extends the security model used by BigFix to encompass trusted client reports and private messages.
Maintenance and Troubleshooting
If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.
Console Operator's Guide
Learn how to work with the BigFix Console.
Accessing the console
The console is the visible face of BigFix, used by the operator to monitor and repair networked computers running the BigFix client.
Actions
Actions are scripts that run on selected targets. They are used to fix policy violations and security exposures and to run configuration steps. Fixlets, tasks, and baselines depend on actions to run their remediation mission.
Activating the license counting process
How to activate the license counting process.
Disabling local operators on BigFix Console
Starting from BigFix Version 10.0.8, you can decide to disable the local operators from logging into the BigFix Console, to use LDAP operators instead.
Asset Discovery User's Guide
Learn how BigFix Asset Discovery works.
Overview
A brief overview of how BigFix discovers assets and of what Scan Points are.
Using Asset Discovery
How to operate and things to know about Asset Discovery.
Unmanaged Asset Importer - NMAP
The following options will work as command line arguments to run the importer on its own. For example "UAImporter-NMAP -debugout output.txt -file testfile.xml".
Frequently asked questions
A list of the most frequently asked questions.
Web Reports Guide
Learn how the Web Reports feature extends the power of BigFix.
Configuring Web Reports
Web Reports is used whenever you want to view BigFix data that is spread over multiple databases in your deployment.
Using the Program
The Web Reports interface is simple and straightforward.
Exploring
The Explore Data section of the program allows you to look at data collected from your entire BigFix network to filter it, and to create reports.
Reporting
The Report List section of the program is accessed by clicking the appropriate tab from the top tab bar.
Administering the Program
The Administration section of the program lets you manage activities, filters, addresses, users, and databases.
Tasks for advanced users
This section presents tasks unlikely to be needed by the typical user, but which can be of use to advanced users with specific customization needs.
BigFix Explorer Guide
Learn how the BigFix Explorer feature extends the power of BigFix.
Requirements and assumptions
Before installing BigFix Explorer, consider the following BigFix Explorer requirements.
Installing the BigFix Explorer
BigFix Master Operators can deploy BigFix Explorer on their BigFix environment to evaluate Session Relevances using REST APIs.
Using the BigFix Explorer
Together with the datastore engine, BigFix Explorer offers a REST API interface designed to query the collected data using session relevance. A set of APIs is also available to monitor and manage Explorer instances.
Administering the BigFix Explorer
This section describes the configuration scenarios for the BigFix Explorer component.
Uninstalling the BigFix Explorer
Both automatic and manual uninstallation are supported.
WebUI User's Guide
Read this guide for an introduction to the WebUI tools, concepts, and terminology.
Welcome
Welcome to BigFix WebUI. The WebUI delivers a powerful set of functions for BigFix operators. It simplifies BigFix workflows, speeds access to data, and improves flexibility, visibility, and performance.
Meet the WebUI
Take a quick tour of the WebUI screens, controls, and workflow.
Get Started with Devices
Use the Device screens to view and manage all the devices in your environment as determined by your permission levels. You can find specific devices, access device documents, select devices for deployment, generate and export device reports and do much more.
Get Started with Patch
Use the Patch screens to list patches, find specific patches, and view detailed patch information including known issues, vulnerable devices, and deployments.
Get Started with Patch Policy
A patch policy is a set of criteria that defines a patch list; that is, a collection of Fixlets that meet the patching criteria of a specific set of endpoints.
Get started with IVR
Use the Insights for Vulnerability Remediation (IVR) application to view a list of all the vulnerabilities, remediate vulnerabilities and create customized IVR reports.
Get Started with Software
A BigFix software package is the collection of Fixlets used to install software on a device. The package includes the installation files, the Fixlets that install them, and information about the package itself.
Get Started with Custom Content
Use the Custom Content pages to view custom content, edit tasks, and view related information, including applicable devices and deployments.
Get Started with BigFix Query
Use the BigFix Query feature to retrieve data from endpoints through a dedicated query channel, where the memory available on each Relay minimizes the impact to normal BigFix processing.
Take Action: The Deploy Sequence
To deploy means to dispatch content such as applications, modules, updates, and patches to one or more endpoints. For example, by deploying software, you install the software on the targeted endpoints. BigFix WebUI enables you to configure the content and the target devices to create a deployment and monitor the deployment status. The workflow, including all the steps, processes, and activities that are required to create a deployment, is collectively called the Deploy Sequence.
Get Started with Deployments
Use the Deployment views to monitor and verify completion of BigFix deployments.
Get Started with the Content App
Use the Content App to work with Fixlets, tasks, and baselines on the BigFix sites. Search, filter, and deploy content using standard WebUI tools.
Get Started with Extensions Management Application
The BigFix Extension Management application lets you extend WebUI features beyond what is delivered in the products that you are currently entitled to. You can address specific use cases that are not currently fulfilled by the product by adding ad-hoc extensions to WebUI.
Modern Client Management and BigFix Mobile
This section guides you through BigFix Modern Client Management (MCM) and BigFix Mobile to understand the MCM concepts, terminologies, features, and functionality. You can find detailed instructions for managing the complete lifecycle of your MDM managed endpoints here.
Extending BigFix management capabilities
BigFix 11 delivers a few significant new functions for enhancing the visibility and management of devices on your network regardless of whether the devices are physical or virtual.
Support
For more information about this product, see the following resources:
WebUI Administration Guide
Read this guide for information about installing and administering the WebUI.
Introduction
This guide is intended for BigFix Master Operators and those who administer a BigFix deployment. If you are looking for information about using the WebUI, see the BigFix WebUI User's Guide.
Deployment Requirements
This guide contains information and procedures for installing the WebUI on BigFix Platform V11.0.0 or later. The WebUI is supported on BigFix Platform V11.0.0 and later versions.
WebUI Installation
Use these procedures to install or upgrade the WebUI on BigFix Platform version 10 or later. Before you start the procedure:
Remove the WebUI Service
Use this procedure to remove the WebUI from BigFix Platform.
Provisioning Users
Use permission settings in the WebUI and the BigFix Console to control access to the WebUI and its functions.
Managing Application Updates
You can manage application updates through Application Update Manager.
Editing Dashboards
Use the WebUI’s editing tools to customize the WebUI Overview and Executive Overview dashboards.
Performance
This chapter provides an introduction to some tools for managing performance problems you might encounter with the WebUI. For a detailed discussion of BigFix and WebUI performance topics and tools, including planning, monitoring, and maintenance, see the BigFix Capacity Planning Guide.
Log Locations
All WebUI logs are stored in one default location. Logs are stored on the WebUI Server in the following locations (unless changed by the server setting _WebUI_Logging_LogPath).
WebUI Server Settings
Create or modify server settings on your WebUI server to control advanced aspects of the WebUI. These settings are for advanced users only and can be used to help troubleshoot problems or adjust behaviors to optimize performance.
SAML 2.0
BigFix supports SAML 2.0. SAML authentication is an application login mechanism that uses a configured Identity Provider (IdP) to authenticate users.
Troubleshooting
Read this section for information about any known issues using the WebUI application.
WebUI and Distributed Server Architecture (DSA)
Understand how to work with WebUI in Distributed Server Architecture (DSA).
Supported Patch Sites
A subset of BigFix patch sites is supported in the WebUI.
Support
For more information about this product, see the following resources:
Glossary
This glossary provides terms and definitions for the Modern Client Management for BigFix software and products.