Editing the Masthead on Windows systems

You can change default parameters stored in the masthead by using the BigFix Administration Tool.

  1. Launch the program from Start > Programs > BigFix > BigFix Administration Tool.
  2. Browse to the private key (license.pvk) and click OK.
  3. Select the Masthead Management tab and click Edit Masthead.

  4. Enter the parameters of the masthead file that contains configuration and license information together with a public key that is used to verify digital signatures. This file is saved in your credential folder.

    You can edit the following options:
    Server Port Number:
    In general, you do not need to change this number. 52311 is the recommended port number, but you can choose a different port if that is more convenient for your particular network. Typically, you choose a port from the IANA range of private ports (49152 through 65535). You can use a reserved port number (ports 1-1024), but this might reduce the ability to monitor or restrict traffic correctly and it prevents you from using port numbers for specific applications. Do not change the server port number after installing the clients and creating the masthead, because BigFix might not work correctly. For additional information, see Modifying port numbers.
    Gathering Interval:
    This option determines how long the clients wait without hearing from the server before they check whether new content is available. In general, whenever the server gathers new content, it attempts to notify the clients that the new content is available through a UDP connection, circumventing this delay. However, in situations where UDP is blocked by firewalls or where network address translation (NAT) remaps the IP address of the client from the servers perspective, a smaller interval becomes necessary to get a timely response from the clients. Higher gathering rates only slightly affect the performance of the server, because only the differences are gathered; a client does not gather information that it already has.
    Initial Action Lock:
    You can specify the initial lock state of all clients, if you want to lock a client automatically after installation. Locked clients report which Fixlet messages are relevant for them, but do not apply any actions. The default is to leave them unlocked and to lock specific clients later on. However, you might want to start with the clients locked and then unlock them on an individual basis to give you more control over newly-installed clients. Alternatively, you can set clients to be locked for a certain period of time (in minutes).
    Action Lock Controller:
    This parameter determines who can change the action lock state. The default is Console, which allows any Console operator with management rights to change the lock state of any client in the network. If you want to delegate control over locking to the end user, you can select Client, but this is not recommended.
    Exempt the following site URL from action locking:
    In rare cases, you might need to exempt a specific URL from any locking actions. Check this box and enter the exempt URL. You can specify only one site URL and it must begin with http://.
    Note: Baseline components are not exempt from action locking because they can come from different sites.
    Last fallback Relay for all clients (replacing Root Server):
    You might need to define a fallback relay for your clients when they do not connect to any relay specified in their settings. Select this check box and specify the fallback relay of your environment in one of the following formats:
    • Hostname. For example, myhostname.
    • Fully qualified domain name (FQDN). For example, myhostname.mydomain.com.
    • IP address. For example,

    If you do not select this check box and define a fallback relay, the root server of your environment is used.

    Note: Before specifying a fallback relay, ensure that any client or relay reporting directly to the root server has the root server defined as a relay. This setting will not prevent endpoints from selecting the root server. Set _BESRelay_Register_Affiliation_AdvertisementList on the BES Root Server to a group name that will not be set on any clients, such as DoNotSelectMe.
    Require use of FIPS 140-2 compliant cryptography
    Check this box to be compliant with the Federal Information Processing Standard in your network. This changes the masthead so that every BigFix component attempts to go into FIPS mode. By default, the client continues in non-FIPS mode if it fails to correctly enter FIPS, which might be a problem with certain legacy operating systems. Be aware that checking this box can add a few seconds to the client startup time.
    Allow use of Unicode filenames in archives
    This setting specifies the codepage used to write filenames in the BigFix archives. Check this box to write filenames UTF-8 codepage.
    Do not check this box to write filenames using the local deployment codepage, for example Windows-1252 or Shift JIS. If you run a fresh install of BigFix V9.5, by default, the filenames are written in UTF-8.
    Note: If you upgraded your BigFix environment to V9.5, by default, the filenames are written in the local deployment code page.
  5. Click OK to enter the changes.
Note: The masthead changes do NOT affect clients that are already deployed, but you can export the masthead using the Administration Tool (Masthead Management tab) and replace the masthead in the BES Installers directory of the BigFix server (default directory: <drive>:\Program Files\BigFix Enterprise\BES Installers) so that newly deployed or installed clients use these changes.