Performing initial configuration on Windows

During the initial configuration, you create a BigFix Inventory database and the application administrator. You also set up a connection to the BigFix server and database. As an option, you can configure a connection to the Web Reports database to give the Web Reports users access to BigFix Inventory.

Before you begin

Permissions and roles

  • Ensure that the MS SQL Server user has the following permissions:
    • For the BigFix database (BFEnterprise): CREATE FUNCTION, CREATE SCHEMA, CREATE TABLE, CREATE VIEW, EXECUTE, SELECT
    • For the Web Reports database (BESReporting): SELECT
    These permissions apply only if the databases were installed with default settings and all customizations and hardening configurations were consulted with BigFix support.
  • Ensure that the MS SQL Server user has the appropriate role to create the BigFix Inventory database.
    • If you create a new database during initial configuration in BigFix Inventory, the user must have the sysadmin role in MS SQL Server.
    • If you manually create an MS SQL before the configuration, make sure that the database is empty and use the SQL_Latin1_General_CP1_CS_AS collation. You must have the db_owner role in MS SQL Server to perform this action. You must also allow snapshot isolation in the database. To allow snapshot isolation, use ALTER DATABASE DatabaseName and SET ALLOW_SNAPSHOT_ISOLATION ON queries.
    • If you are using MS SQL Server 2012 and you chose local system account as the service owner during the installation, provide the dbcreator or sysadmin role to the NT AUTHORITY\SYSTEM user in MS SQL server.
  • Ensure that the MS SQL Server user has the default language set to "English" (not a variety of English).
  • 10.0.5 Ensure that the MS SQL Server user is either a system admin or has the access of "SQLAgentUserRole" for msdb database to manage SQL Server agent jobs. Without access, the user cannot manage the BigFix Inventory index maintenace job. Instead to the index maintenance job being created/updated, warning appears in the tema.log log file.
  • Ensure that the user who are not the system admin, has required permissions and user mapping to access the BigFix Inventory database. The permissions are:
    • user role: public
    • permission: select
    • execute, mapping: BigFix Inventory database, MSDB
Other considerations
  • If you want to use Windows authentication to connect to the databases, the following requirements must be fulfilled:
    • BigFix and BigFix Inventory must be installed on Windows.
    • To use a local user for authentication, BigFix and BigFix Inventory must be installed on the same instance of Windows. The applications can run on different copies if the user is a domain user.
    • The owner of the BigFix Inventory service must also be able to access this database.

Procedure

  1. Create the BigFix Inventory database.
    1. Enter the host name of the database server.
      If you want to configure a named database instance or specify a non-default port, provide the host name in the following format:
      • hostname\instance_name, for example localhost\MyInstance
      • hostname:port_number, for example localhost:1444
    2. Enter the name of the application database.
    3. Select the authentication mode.
      • Select Windows Authentication, to authenticate with a Windows user that you specified as the service owner during the installation of BigFix Inventory.
        Restriction: If the MS SQL Server is installed on the same computer as BigFix Inventory, enter the database host name without its domain name (FQDN) or use localhost instead. The host name can be specified as NC1985110 or localhost, but not as NC1985110.domain.com or 198.50.100.
      • Select SQL Server Authentication to authenticate with an MS SQL Server user. This authentication mode must be enabled in MS SQL Server. For more information, see: Enabling the SQL Server Authentication mode.
    4. To create the database instance, click Create.
  2. Create the administrator of BigFix Inventory.
    Tip: Avoid using admin, administrator, root or a similar name for the administrative account. Such an account might be prone to hacker attacks and locked out if an attacker exceeds the specified number of failed login attempts. For more information, about the account lockout, see: Configuring user account lockout.

    Panel for creating the account of BigFix Inventory administrator.
  3. Optional: To automatically enable scans that collect data from the computers in your infrastructure, select Enable default scan schedule for this data source.

    If you enable the default scan schedule, actions that are needed to collect data from the computers in your infrastructure are automatically started on the BigFix server. This option is advised for environments with up to a few thousand computers. For larger environments, finish the installation, divide the computers into groups, and then manually set up scan schedule for each group to avoid performance issues. For more information about the default and manual scan schedule, see: Setting up scans to discover software and hardware inventory.

  4. Configure the connection to the BigFix database. The database stores information about the computers, and data that was discovered on these computers. Specify the host, port, database name, and credentials of the user that can access the BigFix database.

    Panel for configuring the connection to the BigFix database
  5. Configure the connection to the BigFix server. The host name or IP address, and the API port number are automatically retrieved from the database. Specify only the administrative user that you created during the installation of BigFix.

    Panel for configuring the BigFix server user.
    Note: If you do not want to provide the Master Operator, you can create a dedicated BigFix user that fulfills the following requirements:
    • Is assigned the BigFix Inventory v10 site
    • Is assigned computers that you are going to monitor, and the computer where the BigFix server is installed
    • Has the following permissions: Can use REST API, Can use Console, Custom Content, Can Create Actions
    The option is supported starting from BigFix 9.5.
  6. Optional: If the BigFix and BigFix Inventory servers are in separated networks, the automatic address lookup might return incorrect address. To disable the lookup, select Disable automatic address lookup, and specify the address manually. Then, configure additional environment variables on the BigFix Inventory server. For more information, see: Configuring servers in separate networks.
  7. Optional: Configure the connection to the Web Reports database. Specify the database type, host name, database name, and credentials of the Web Reports database user.
    98/
    Web Reports connection for Microsoft SQL Server
  8. To create connections to the databases, click Create.
    When the connections are created and configured, a new page opens and a message about the data import is displayed.
  9. Optional: If your environment consists of more than 50 000 endpoints, complete steps to enhance the application performance before you run the import.
  10. To run the initial import, click Import Now.
    The import might take a few hours, depending on your hardware capacity.

What to do next

If you enabled the default scan schedule, the collected data might not be displayed in BigFix Inventory after the initial import. Some time is required to finish scans that were initiated during the installation, and to upload scan results to the server. If the reports in BigFix Inventory do not contain any data, wait about an hour until the scans are completed. Then, start another import.

If you did not enable the default scan schedule, manually configure scans to collect data that is later on displayed on the reports.