Basic deployment

A simplified BigFix deployment, that points out the basic hierarchy and the ports used to connect the components, is shown in the following diagram.

There is at least one server that gathers Fixlets from the Internet where they can be viewed by the console operator and distributed to the relays. Each client inspects its local computer environment and reports any relevant Fixlets back to the relay, which compresses the data and passes it back up to the servers.


This window displays a simplified deployment showing the basic hierarchy and the ports used to connect the components.

The BigFix console oversees all this activity. It connects to the Servers and periodically updates its displays to reflect changes or new knowledge about your network.

The BigFix console operator can then target actions to the appropriate computers to fix vulnerabilities, apply configuration policies, deploy software, and so on. The progress of the actions can be followed in near realtime as they spread to all the relevant computers and, one by one, address these critical issues.

This diagram labels all the default ports used by BigFix, so that you can see which ports need to be open and where. These ports were selected to avoid conflict, but if you are currently using any of these ports, they can be customized upon installation.

Note: The arrows in the diagram illustrate the flow of information throughout the enterprise. The arrows from the Fixlet server to the servers represent the flow of Fixlets into your network. Clients gather Fixlets and action information from relays. They then send small amounts of information back to the servers through the relays. The UDP packets from the relay to the clients are small packets sent to each client to inform them that there is new information to be gathered. The UDP messages are not strictly necessary for BigFix to work correctly. View the network traffic article at the BigFix support site, or ask your support technician for more details.

Note the following about the diagram:

  • Port 80 is used to collect Fixlet messages over the Internet from Fixlet providers such as HCL.
  • A dedicated port (defaulting to 52311) is used for HTTP communications between servers, relays, and Clients.
  • A dedicated port (defaulting to 52311) is used for HTTPS communications between servers and Consoles.
  • Relays are used to share the server load. This diagram only shows two relays, but you can use dozens or even hundreds of relays in a similar flat hierarchy. Typically a Relay is deployed for every 500-1,000 computers.
  • The BigFix relays can also take advantage of a UDP port to alert the Clients about updates, but this is not strictly necessary.
  • The BigFix Clients are typically PCs or Workstations, but can include other servers, dockable laptops, and more. Any device that can benefit from patches and updates is a candidate to include in the deployment.

BigFix has far greater flexibility and potential than this simple case suggests. It is capable of overseeing hundreds of thousands of computers, even if they are spread out around the world. The next scenarios build on this basic deployment.