Learn how to configure BigFix according to your needs.
In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
This guide explains additional configuration steps that you can run in your environment after installation.
In BigFix there are two basic classes of users.
You can add Lightweight Directory Access Protocol (LDAP) associations to BigFix.
Starting from Version 9.5.5, BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
Here are some of the important elements of multiple server installations:
The BigFix server generates unique IDs for the objects that it creates: Fixlets, tasks, baselines, properties, analysis, actions, roles, custom sites, computer groups, management rights, subscriptions.
You can gather license updates and external sites by using the HTTP or HTTPS protocol on a BigFix server or in an air-gapped environment.
The BigFix Console, Server and Relay components of the architecture perform high-volume file operations.
In an air-gapped environment, a secure network is physically isolated from insecure networks, such as the public Internet or an insecure local area network, and the computers on opposite sides of the air gap cannot communicate. To download and transfer files to the main BigFix server in such an environment, you can use the Airgap utility and the BES Download Cacher utility.
When your BigFix server is installed in an air-gapped environment, a secure network is physically isolated from insecure networks, such as the public Internet or an insecure local area network, and the computers on opposite sides of the air gap cannot communicate. In this case, you need a workstation that has access to the public Internet to download Fixlet site contents using the Airgap tool, and to download files referenced in the Fixlet action scripts.
The "Non-extraction usage" mode is available only starting from BigFix Version 9.5.5.
The Airgap tool produces two types of log files: normal log files and debug log files.
The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
Starting from Patch 11, the capability to establish persistent connections was added to the product.
Starting from Patch 13, the capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
The BigFix client includes a new feature named PeerNest, which allows clients located in the same subnet to share binary files. The feature is available starting from BigFix Version 9.5 Patch 11.
You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
These topics explain additional configuration steps that you can run in your environment.
This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
Starting with BigFix version 9.5.11, the server audit logs include the following items:
The following lists show the advanced options that you can specify in the Advanced Options tab of the BigFix Administrative tool on Windows systems, or in the BESAdmin.sh command on Linux systems using the following syntax:
BESAdmin.sh
BigFix provides the capability to follow the NIST security standards by configuring an enhanced security option.
Client Authentication extends the security model used by BigFix to encompass trusted client reports and private messages.
If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.