Authenticating Additional Servers

Multiple servers can provide a higher level of service for your BigFix installation.

If you choose to add Disaster Server Architecture (DSA) to your installation, you will be able to recover from network and systems failures automatically while continuing to provide local service. To take advantage of this function, you must have one or more additional servers with a capability at least equal to your primary server. Because of the extra expense and installation involved, you should carefully think through your needs before committing to DSA.

You must first decide how you want your servers to communicate with each other. There are three inter-server authentication options: the first two are flavors of NT authentication and the third is SQL authentication. Because it is more secure, NT Authentication is recommended. You cannot mix and match; all servers must use the same authentication method.

Using NT Authentication with domain users and user groups

With this method, each server uses the specified domain user or a member of the specified user group to access all the other servers in the deployment.

To authenticate your servers using domain users and user groups, follow these steps:
  1. Create a service account user or user group in your domain. For a user group, add authorized domain users to your servers. You might need to have domain administration privileges to do this.
  2. On the Master Server, use SQL Server Management Studio to create a login for the domain service account user or user group, with a default database of BFEnterprise, and give this login System Admin (sa) authority or the DBO (DataBase Owner) role on the BFEnterprise and master databases.
  3. On the Master Server, change the LogOn settings for the FillDB, BES Root, and Web Reports services to the domain user or member of the user group created in step 2, and restart the services.
Note: After you complete the installation of the BigFix server and begin to use Product sites, you might install additional components such as the BES Server Plugin Service and the BES NMAP Unmanaged Asset Importer. Both of these services also have their LogOn settings set to the NT user used for remote database access.

Using NT Authentication with domain computer groups

With this method, each server is added to a specified domain computer group and each server accepts logins from members of that domain group.

To authenticate your servers using domain computer groups, follow these steps:
  1. Create a Global Security Group in your domain containing your chosen servers. You might need to have domain administration privileges to do this.
  2. After creating the group, each server must be rebooted to update its domain credentials.
  3. On the Master Server, use SQL Server Management Studio to create a login for the domain group, with a default database of BFEnterprise, and give this login System Admin (sa) authority or the DBO (DataBase Owner) role on the BFEnterprise and master databases.
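The following PowerShell is an added example, not BigFix's own code, that carries out the SQL Server part of both NT procedures above (the domain user/group method and the domain computer group method) and the service LogOn change from the domain user/group method. It creates the Windows login with BFEnterprise as its default database and maps it to db_owner on BFEnterprise and master, the narrower of the two privilege options the procedure allows. The SQL instance name, the service account names and the Windows service names behind "FillDB", "BES Root" and "Web Reports" are assumptions; confirm the service names with Get-Service before use.

```powershell
# Added example (not BigFix's own code). Assumptions: SQL instance 'localhost',
# service names 'BESFillDB', 'BESRootServer', 'BESWebReportsServer'.

function ConvertTo-SqlIdentifier {
    # Bracket-quote an identifier and escape ']' so a principal name cannot
    # break out of the quoting (identifiers cannot be bound as parameters).
    param([Parameter(Mandatory)][string]$Name)
    return '[' + ($Name -replace '\]', ']]') + ']'
}

function Grant-BigFixReplicationLogin {
    # Step 2 of the domain user/group method and step 3 of the computer group
    # method: one Windows login, default database BFEnterprise, db_owner on
    # BFEnterprise and master. $Principal is 'DOMAIN\user', 'DOMAIN\usergroup'
    # or 'DOMAIN\computergroup'.
    param(
        [Parameter(Mandatory)][string]$Principal,
        [string]$Instance = 'localhost'   # assumption: the Master Server's SQL instance
    )
    $id  = ConvertTo-SqlIdentifier $Principal
    $lit = $Principal -replace "'", "''"
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$lit')
    CREATE LOGIN $id FROM WINDOWS WITH DEFAULT_DATABASE = [BFEnterprise];
"@
    foreach ($db in 'BFEnterprise', 'master') {
        $sql += @"

USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$lit')
    CREATE USER $id FOR LOGIN $id;
ALTER ROLE db_owner ADD MEMBER $id;
"@
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
    } finally {
        $conn.Close()
    }
}

function Set-BigFixServiceLogon {
    # Step 3 of the domain user/group method: retarget the three server
    # services to the service account, then restart them.
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        # assumption: Windows service names for FillDB, BES Root and Web Reports
        [string[]]$Services = @('BESFillDB', 'BESRootServer', 'BESWebReportsServer')
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    foreach ($name in $Services) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { throw "Service '$name' not found; check the name with Get-Service." }
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                 -Arguments @{ StartName = $Account; StartPassword = $plain }
        if ($r.ReturnValue -ne 0) { throw "Changing LogOn for '$name' failed (code $($r.ReturnValue))." }
        Restart-Service -Name $name
    }
}

# Domain user/group method (run on the Master Server):
Grant-BigFixReplicationLogin -Principal 'CORP\svc-bigfix-dsa'
Set-BigFixServiceLogon -Account 'CORP\svc-bigfix-dsa' `
    -Password (Read-Host -AsSecureString 'Service account password')

# Domain computer group method: only the login is needed, for the
# Global Security Group that contains the servers; reboot each server first.
# Grant-BigFixReplicationLogin -Principal 'CORP\BigFix-DSA-Servers'
```

The login is created with Integrated Security, so run this as a Windows account that already holds sysadmin on the Master Server's instance. Choosing db_owner on the two databases rather than the sysadmin server role keeps the replication account out of every other database on the instance; if your deployment relies on the sysadmin option, replace the two ALTER ROLE statements with a single `ALTER SERVER ROLE sysadmin ADD MEMBER`.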

Using SQL Authentication

With this method, each server is given a login name and password, and is configured to accept the login names and passwords of all other servers in the deployment.

The password for this account is typed into the registry in clear text under the HKLM branch on each server; it is obfuscated there after the FillDB service is restarted.

To authenticate your servers using SQL authentication, follow these steps:
  1. Choose a single login name (for example, besserverlogin), and a single password to be used by all servers in your deployment for inter-server authentication.
  2. On the Master server, use SQL Server Management Studio to create a SQL Server login with this name. Choose SQL Server Authentication as the authentication option and specify the password. Change the default database to BFEnterprise and assign the sysadmin server role to the new user, or map it to the role of db_owner on the BFEnterprise and master databases.
  3. On the master server, add the following string values under the HKLM\Software\Wow6432Node\BigFix\Enterprise Server\FillDB key:
    ReplicationUser = <login name>
    ReplicationPassword = <password>
    ReplicationPort = <SQL_port>
  4. Restart the FillDB service.
Note:
  • This choice must be made on a deployment-wide basis; you cannot mix domain-authenticated servers with SQL-authenticated servers.
  • ReplicationUser, ReplicationPassword, and ReplicationPort must be uniquely defined in all the server registries of your DSA environment.
  • All BigFix servers in your deployment must be running the same version of SQL server.
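The following PowerShell is an added example, not BigFix's own code, for steps 3 and 4 of the SQL authentication procedure. It writes the three string values under the FillDB key named above, restarts FillDB, and then verifies that the clear-text password has been obfuscated, so that a server is not left with the password readable in its registry. The Windows service name for FillDB is an assumption; the registry path is the one the procedure gives.

```powershell
# Added example (not BigFix's own code). Assumption: the FillDB Windows
# service is named 'BESFillDB'; confirm with Get-Service.
$FillDbKey     = 'HKLM:\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\FillDB'
$FillDbService = 'BESFillDB'

function Set-BigFixReplicationCredential {
    # Step 3: write ReplicationUser, ReplicationPassword and ReplicationPort
    # as REG_SZ values, then step 4: restart FillDB so it obfuscates the password.
    param(
        [Parameter(Mandatory)][string]$LoginName,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [int]$SqlPort = 1433
    )
    if (-not (Test-Path $FillDbKey)) {
        throw "FillDB key not found at $FillDbKey; is this a BigFix server?"
    }
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    Set-ItemProperty -Path $FillDbKey -Name 'ReplicationUser'     -Value $LoginName -Type String
    Set-ItemProperty -Path $FillDbKey -Name 'ReplicationPassword' -Value $plain     -Type String
    Set-ItemProperty -Path $FillDbKey -Name 'ReplicationPort'     -Value "$SqlPort" -Type String
    Restart-Service -Name $FillDbService
}

function Test-BigFixReplicationPasswordCleared {
    # Returns $true when no value under the FillDB key still holds the
    # clear-text password, i.e. FillDB has obfuscated it after the restart.
    param([Parameter(Mandatory)][System.Security.SecureString]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $props = Get-ItemProperty -Path $FillDbKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -eq $plain) { return $false }
    }
    return $true
}

# Run on every server in the deployment with the same login, password and port.
$pw = Read-Host -AsSecureString 'Replication password'
Set-BigFixReplicationCredential -LoginName 'besserverlogin' -Password $pw -SqlPort 1433

# Give FillDB a moment to start, then confirm the clear-text value is gone.
Start-Sleep -Seconds 10
if (-not (Test-BigFixReplicationPasswordCleared -Password $pw)) {
    Write-Warning 'ReplicationPassword is still stored in clear text; check that FillDB started.'
}
```

The same values must be entered on each server, so keep the script and its inputs identical across the deployment. The check at the end is the practical way to confirm the behaviour the procedure describes: if the clear-text string is still present, FillDB did not restart cleanly and the server should not be left in that state.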