WebUI and Distributed Server Architecture (DSA)

Understand how to work with WebUI in Distributed Server Architecture (DSA).

Set up the environment for a smooth switch

If the WebUI server is directly attached to the BigFix Server:

  • Set the DSA server as the Secondary Relay in WebUI computer client settings.

    When a failure on the primary BigFix server occurs and the WebUI client is unable to report, they use the secondary BigFix relay value during normal relay selection process to find and report to the secondary BigFix server.

  • Set _BESClient_RelaySelect_ResistFailureIntervalSeconds to a low value. The setting _BESClient_RelaySelect_ResistFailureIntervalSeconds specified on the client system can have an impact on failover timing. Its value can range from 0 seconds to 6 hours, and it defines how many seconds the client ignores reporting failures before attempting to find another parent relay. The default value is 10 minutes. In case of a failover configuration, ensure that if defined, _BESClient_RelaySelect_ResistFailureIntervalSeconds is set to a low value.

If the WebUI server is attached to a Relay, ensure your environment has been set up following the instruction at Configuring relay failover

WebUI and DSA

If you are using DSA to provide redundancy and you have your WebUI installed on the primary server, when it fails, you have to use the secondary server to install a new instance of the WebUI that connects to the secondary server.

When you deploy the WebUI against a non-primary server, configure the client setting on the WebUI host machine to connect to the secondary server using the WebUI server setting _WebUIAppEnv_PLATFORM_HOST. This prevents the WebUI instance from defaulting to using the host name specified in the masthead.

If the WebUI is installed on a separate server, there is no need to uninstall and reinstall it.

Follow these steps to properly switch the WebUI from the primary to the secondary Root Server:

  1. Stop the WebUI server.
  2. To make the chosen DSA server act as master server, assign masterDatabaseServerID to the DSA server ID you want to switch to. See Switching the master server on Linux.
  3. On the WebUI Computer, change the setting _WebUIAppEnv_PLATFORM_HOST to point to the DSA server you want to switch to.
  4. On the DSA server you are going to use as primary, use the BESAdmin tool to create new WebUI credentials and copy the new keys in the WebUI cert directory. See Additional administration commands.
  5. Run fixlet Deploy/Update WebUI Database Configuration (ID 2687) to set the correct Database server for the WebUI, that is the Database server you are going to use after the switch.
  6. Start the WebUI server.

When the failing DSA server will be back again, if you want to switch back both the DSA and WebUI configuration, repeat all the above steps and add the following between step #3 and step #4:

  • On both the DSA servers (failing and current) revoke the old WebUI credentials using the BESAdmin -revokewebuicredentials command. See Additional administration commands.
Note: Multiple instances of the WebUI are not currently supported. If you are reinstalling the WebUI service on a machine, uninstall the WebUI service first.


BigFix supports SAML authentication in a DSA environment. In the event of a primary server failure, you will need to separately configure each BigFix instance you want to enable in SAML. For example, in Microsoft Active Directory Federation Services (ADFS), define SAML Assertion Consumer Endpoints for:
  1. The primary WebUI server, the primary BES root server, and the primary Web Reports server (if you are using Web Reports).
  2. The secondary WebUI server, the secondary BES root server, and the secondary Web Reports server (if you are using Web Reports).