Home
Configuration Guide
Learn how to configure BigFix according to your needs.
Client Authentication
Client Authentication extends the security model used by BigFix to encompass trusted client reports and private messages.
Mailboxing
With Client Mailboxing you can send an encrypted action to any given client, instead of broadcasting it to all clients.

Configuration Guide
Learn how to configure BigFix according to your needs.
- Introduction
  This guide explains additional configuration steps that you can run in your environment after installation.
- BigFix Site Administrator and Console Operators
  In BigFix there are two basic classes of users.
- Integrating with LDAP
  You can add Lightweight Directory Access Protocol (LDAP) associations to BigFix.
- Enabling SAML V2.0 authentication for LDAP operators
  Starting from Version 9.5.5, BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
- Using multiple servers (DSA)
  Here are some of the important elements of multiple server installations:
- Server object IDs
  The BigFix server generates unique IDs for the objects that it creates: Fixlets, tasks, baselines, properties, analysis, actions, roles, custom sites, computer groups, management rights, subscriptions.
- Customizing HTTPS for Gathering
  You can gather license updates and external sites by using the HTTP or HTTPS protocol on a BigFix server or in an airgapped environment.
- Configuring secure communication
- Real Time AV Exclusions
  BigFix Console, Server and Relay components of the architecture perform high volume file operations.
- Downloading files in air-gapped environments
  In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
- Getting client information by using BigFix Query
  The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
- Persistent connections
  Starting from Patch 11, the capability to establish persistent connections was added to the product.
- Relays in DMZ
  Starting from Patch 13, the capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
- Working with PeerNest
  The BigFix client includes a new feature named PeerNest, that allows to share binary files among clients located in the same subnet. The feature is available starting from BigFix Version 9.5 Patch 11.
- Archiving Client files on the BigFix Server
  You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
- BigFix Configuration Settings
  A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
- Additional configuration steps
  These topics explain additional configuration steps that you can run in your environment.
- Migrating the BigFix Server (Windows/MS-SQL)
  This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
- Migrating the BigFix Server (Linux)
  This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
- Server audit logs
  Starting with BigFix version 9.5.11, the server audit logs include the following items:
- List of advanced options
  The following lists show the advanced options that you can specify in the Advanced Options tab of the BigFix Administrative tool on Windows systems, or in the BESAdmin.sh command on Linux systems using the following syntax:
- Security Configuration Scenarios
  BigFix provides the capability to follow the NIST security standards by configuring an enhanced security option.
- Client Authentication
  Client Authentication extends the security model used by BigFix to encompass trusted client reports and private messages.
  - Authenticating relays
    BigFix deployments with internet-facing relays that are not configured as authenticating are prone to security threats.
  - Handling the key exchange
    When an agent tries to register and does not have a key and certificate, it automatically tries to perform a key exchange with its selected relay.
  - Manual key exchange
    If an agent does not have a certificate and can only reach an authenticating relay on the network, connected through the internet, you can manually run the following command on the agent so it can perform the key exchange with an authenticating relay:
  - Revoking Client Certificates
    After a client authenticates, you can revoke its certificate if you have any reason to doubt its validity.
  - Re-registering a revoked client
    The client revoke procedure removes a client from the console and updates a client certificate revocation list.
  - Mailboxing
    With Client Mailboxing you can send an encrypted action to any given client, instead of broadcasting it to all clients.
- Maintenance and Troubleshooting
  If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.

Mailboxing

With Client Mailboxing you can send an encrypted action to any given client, instead of broadcasting it to all clients.

This improves efficiency, since the client doesn’t need to qualify every action, and it minimizes network traffic. As a consequence,

Clients are only interrupted when they are targeted.
Clients don't have to process actions that are not relevant to them for reporting, evaluating, gathering, and action processing.

Privacy is assured because the message is encrypted specifically for each recipient; only the targeted client can decrypt it.

A client's mailbox is implemented as a specialized action site, and each client is automatically subscribed to it. The client knows to scan for actions in this site as well as the master site and operator sites.

To send an encrypted action directly to a client mailbox, follow these steps:

Open the Take Action dialog (available from the Tools menu and various other dialogs).
Click the Target tab.
Click Select devices or Enter device names. Mail-boxing is only available when you specify a static list of clients. Dynamically targeted computers will not be encrypted and will instead be sent in the open to the master site or a specific operator site. If you select target clients with versions prior to 9.0, the action will also go into the master or operator site.
Click OK. Actions targeted by computer ID or name will now be encrypted and sent to the client mailbox.

The identifier of the operator who deploys the action is included with the action. Before a client takes the action, it first determines if it is currently administered by that operator. If not, it refuses to run the action.