Home
Configuration Guide
Learn how to configure BigFix according to your needs.
Integrating with LDAP
You can add Lightweight Directory Access Protocol (LDAP) associations to BigFix.
Integrating with Active Directory
You can use Microsoft Active Directory (AD) to handle authentication on BigFix.
Integrating the Linux server with Active Directory
Configuring Kerberos authentication
To ensure a secure communication between Linux BigFix server and Active Directory, use the Kerberos protocol.
Configuring the NSS and PAM libraries
How to use the LDAP database to authenticate users on a Linux system.

Configuration Guide
Learn how to configure BigFix according to your needs.
- Introduction
  This guide explains additional configuration steps that you can run in your environment after installation.
- BigFix Site Administrator and Console Operators
  In BigFix there are two basic classes of users.
- Integrating with LDAP
  You can add Lightweight Directory Access Protocol (LDAP) associations to BigFix.
  - Integrating with a Generic LDAP
    How to configure the integration with a Generic LDAP by adding an existing LDAP domain to the console.
  - Integrating with Active Directory
    You can use Microsoft Active Directory (AD) to handle authentication on BigFix.
    - Integrating the Windows server with Active Directory
      How to add an existing Active Directory to the console.
    - Integrating the Linux server with Active Directory
      - Configuring Kerberos authentication
        To ensure a secure communication between Linux BigFix server and Active Directory, use the Kerberos protocol.
        Preliminary Checks
        Before running the integration between the BigFix server running on a Red Hat Enterprise Linux 7 or Linux 8 system and the Active Directory server, ensure the following.
        Installing the NSS and PAM libraries
        Ensure that the following NSS and PAM packages are installed.
        Configuring Authentication
        To configure the Kerberos protocol, the LDAP security and the authentication files for Active Directory integration, you can use one of the following methods.
        Modifying the local LDAP name
        To modify the local LDAP name, perform the following steps.
        Configuring the NSS and PAM libraries
        How to use the LDAP database to authenticate users on a Linux system.
      - Integrating the server with Active Directory
        How to integrate the BigFix server with Active Directory.
  - Adding LDAP Operators
    You can create accounts for operators to access the console by using an existing Active Directory or LDAP account.
  - Associating an LDAP group
    You can associate LDAP users or groups, that have been defined in an existing Active Directory or LDAP directory, to console operators or roles.
- Enabling SAML V2.0 authentication for LDAP operators
  Starting from Version 9.5.5, BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
- Disabling local operators
  Starting from BigFix Version 10.0.8, this feature provides a mechanism where the creation and use of any local operator is prohibited in favor of LDAP-based operators.
- Using multiple servers (DSA)
  Some important elements of multiple server installations.
- Server object IDs
  The BigFix server generates unique ids for the objects that it creates: Fixlets, tasks, baselines, properties, analysis, actions, roles, custom sites, computer groups, management rights, subscriptions.
- Customizing HTTPS for Gathering
- Using the DHE/ECDHE key exchange method
  By default, BigFix 10.0 Patch 1 components use the DHE/ECDHE key exchange method if the version of the BigFix component on the other side of the SSL communication allows it.
- Configuring secure communication
- Real Time AV Exclusions
  BigFix Console, Server and Relay components of the architecture perform high volume file operations. This activity is a substantial part of the functionality that these BigFix architecture components provide.
- Downloading files in air-gapped environments
  In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
- Getting client information by using BigFix Query
  The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
- The Plugin Portal
  The Plugin Portal is a new component introduced in BigFix 10 to help manage cloud devices as well as modern devices such as Windows 10 and MacOS endpoints enrolled to BigFix. For details on modern client management, see the Modern Client Management documentation.
- Extending BigFix management capabilities
  BigFix 10 delivers a few significant new functions for enhancing the visibility and management of devices on your network regardless of whether the devices are physical or virtual.
- Persistent connections
  The capability to establish persistent connections was added to the product.
- Relays in DMZ
  The capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
- Working with PeerNest
  The BigFix Client includes a new feature named PeerNest, that allows to share binary files among Clients located in the same subnet. The feature is available starting from BigFix Version 9.5 Patch 11.
- Archiving Client files on the BigFix Server
  You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
- BigFix Configuration Settings
  A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
- Additional configuration steps
  These topics explain additional configuration steps that you can run in your environment.
- Migrating the BigFix Server (Windows/MS-SQL)
  This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
- Migrating the BigFix Server (Linux)
  This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
- Server audit logs
  The BigFix Server generates a server audit log file which contains the access information (login/logout) and information about the actions performed through the Console or the WebUI by the different users.
- List of advanced options
  The following lists show the advanced options.
- Security Configuration Scenarios
  BigFix provides the capability to follow the NIST security standards by configuring an enhanced security option.
- Client certificate
  To comply with the modern industry standards, starting from product version 10.0.7, the client certificate of the BigFix Agent will have a validity period of 13 months.
- Client Authentication
  Client Authentication (introduced in version 9) extends the security model used by BigFix to encompass trusted client reports and private messages.
- Maintenance and Troubleshooting
  If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.

Configuring the NSS and PAM libraries

How to use the LDAP database to authenticate users on a Linux system.

Edit the /etc/nsswitch.conf and change passwd, shadow and group entries from the SSSD daemon (sss) to LDAP:

 passwd:  files sss
 shadow:  files sss
 group:   files sss

to LDAP (ldap):

 passwd:  files ldap
 shadow:  files ldap
 group:   files ldap

To configure the PAM libraries, edit the /etc/pam.d/system-auth and /etc/pam.d/password-auth files and add the pam_krb5.so library entries:

 auth     sufficient                                   pam_krb5.so use_first_pass
 ...
 account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
 ...
 password sufficient                                   pam_krb5.so use_authtok
 ...
 session  optional                                     pam_krb5.so

Note: Remove the entries for the SSSD libraries (pam_sss.so).

For additional information on RedHat integration see Integrating Red Hat Enterprise Linux 6 with Active Directory.