BigFix Architecture question

Hi.

I’m managing 8 BigFix Servers across Europe. We have ~15000 clients connected.
We have a very strange park of Windows machines connected to the BigFix Servers, starting from WinXP and going up to Win11 machines.

At this point our Servers are 9.5 and we are also using 9.5 Clients, as we need XP support.

In the near future we plan a massive change of hardware and software, where we are planning to move to Win11.

Of course, as BigFix Admin for this project, I saw an opportunity to update BigFix to version 10 (which is very hard to push through from a management point of view in a big company, as every change needs to be “accepted” multiple times and you need to really prove that “changing something that is working” is really a necessity).

So here is my question.
Can I use this approach?

First I upgrade the Server to BigFix 10, leaving all clients on 9.5. Then, as hardware and software are replaced on the ground one by one, new machines will be deployed with BigFix 10 Clients.

Can I still use BigFix 10 Server and 9.5 Clients together?
Will BigFix 10 Server correctly work with 9.5 Clients on WinXP?

PS: I understand that the “best” idea would be to mirror the BigFix Servers and deploy new hardware/software to a new server, but we are limited on this option by internal processes.
Best regards,
Anton

Anton,
the approach you described can work. I don’t see a problem with 9.5.x clients reporting back to 10.x servers.
We did a similar upgrade a few years ago, where we went from 9.5.x to version 10. You need to respect the upgrade path and start with Root; Console (Servers); WebUI; WebReports; Top Relay; Regional Relays; on-prem relays and eventually the clients.
What we were told in regards to older client versions is that you cannot leverage any v10.x features on these clients, which in our case was not a problem. We still have 2012 servers that also run the version 9.x client; there is a way you can also upgrade these clients to version 10 (modify the applicability relevance), but it’s not recommended and/or supported by BigFix support.

Hope this helps!


As @dgendera said, it will work (he has some good points). The only thing I would add is to make sure you look at the new / more secure functionalities and see about making them less restrictive if some of the clients you have won’t match. For example:

  • don’t enforce client certificates and encrypted traffic if you have clients that do not support it (8.x if memory serves me right)
  • look into minimumSupportedClient / minimumSupportedRelay (documentation) - newer versions have some of those forced higher than what you’d need on the masthead side; you may need to change it manually via the BESAdmin tool to 0.0 or whatever version suits you
  • you might need to leave off Enhanced Security and the like IF the client versions you have do not support the required level of certificate
  • etc.

Apart from those, you should be good to go. I remember not that long ago (I was on 9.5) I was still running clients 9.5, 9.0, 8.x & even a few lingering 7.2 (we had a few Windows NT4 machines that were tied to court cases we couldn’t get rid of) and things were working just fine. Of course, newer functionality wasn’t working on the old agents (in our case at the time one example was “secure parameters”); a more recent example was Plugin Server/Multicloud on Windows 2008 & 2012 non-R2, which did not support agent v10, but basic functionality continues to work fine…

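As an added illustration of the minimumSupportedClient / minimumSupportedRelay point in the reply above (this is example code written for this page, not code from the thread, from BigFix, or from the BESAdmin tool): before raising either minimum, compute from an inventory export which agents and relays would fall below the proposed value and therefore stop being accepted. The CSV layout and every hostname and version in it are constructed samples; the exact BESAdmin switches and enforcement semantics are not modelled, only the version arithmetic.

```python
"""Pre-upgrade check for a proposed minimumSupportedClient /
minimumSupportedRelay value.  Added example; not BigFix's own tooling.

Assumption: you have exported computer name, role, OS and agent version
from the console or Web Reports as CSV.  The sample below is constructed.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export (not real hosts or real data).
SAMPLE_INVENTORY = """\
hostname,role,os,agent_version
rootsrv01,server,Windows Server 2019,10.0.8.37
relay-top,relay,Windows Server 2016,10.0.8.37
relay-eu1,relay,Windows Server 2012,9.5.17.47
pc-legacy-01,client,Windows XP,9.5.13.130
pc-legacy-02,client,Windows 7,9.5.17.47
pc-new-01,client,Windows 11,10.0.8.37
srv-2012-01,client,Windows Server 2012,9.5.12.68
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.5.13.130' into (9, 5, 13, 130) so tuples compare numerically.

    A shorter tuple such as (10, 0) sorts below (10, 0, 8, 37), which is the
    behaviour we want: a minimum of '10.0' admits any 10.0.x agent.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(csv_text: str) -> List[Dict[str, str]]:
    """Read the CSV export into a list of row dicts, keeping file order."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lowest_version(rows: List[Dict[str, str]], role: str) -> str:
    """Lowest agent version currently reporting for the given role.

    This is the highest value you could set the corresponding minimum to
    without cutting anybody off.  Roles here: 'client' or 'relay'.
    """
    versions = [r["agent_version"] for r in rows if r["role"] == role]
    if not versions:
        raise ValueError(f"no rows with role {role!r}")
    return min(versions, key=parse_version)


def blocked_by_minimum(rows: List[Dict[str, str]], role: str,
                       proposed: str) -> List[str]:
    """Hostnames of the given role whose agent is below the proposed minimum."""
    floor = parse_version(proposed)
    return [r["hostname"] for r in rows
            if r["role"] == role and parse_version(r["agent_version"]) < floor]


def plan(rows: List[Dict[str, str]], proposed_client: str,
         proposed_relay: str) -> Dict[str, object]:
    """Summarise the impact of a proposed pair of minimum versions."""
    return {
        "safe_minimum_client": lowest_version(rows, "client"),
        "safe_minimum_relay": lowest_version(rows, "relay"),
        "clients_blocked": blocked_by_minimum(rows, "client", proposed_client),
        "relays_blocked": blocked_by_minimum(rows, "relay", proposed_relay),
    }


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for key, value in plan(inventory, "10.0", "10.0").items():
        print(f"{key}: {value}")
```

Run against a real export, the two `safe_minimum_*` values tell you the highest floors that keep every current agent and relay reporting; the two `*_blocked` lists are the machines to upgrade or retire before the floor can go any higher.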

Anton, FYI, v9.5 will reach its end of life next summer; that’s something you can leverage internally for the upgrade.

It’s recommended to upgrade Relays as well, but old clients will continue to report. Also, if you only have 9.5 or newer clients, you don’t need to worry about Enhanced Security or minimumSupportedClient.

In BigFix 11, instead, support for TLS 1.3 and SHA-384 was introduced, which is not backward compatible. You can enforce it only when all your infrastructure is v11; if you don’t enforce it, your v10 clients can continue reporting to the server (using TLS 1.2 and SHA-256). V11 Overview

I would agree; in principle this will work… I have 1 XP machine running a 9.X client and the rest are 10.0.X in a lab environment. Our production environment is purely newer OS.

I would probably upgrade to 11.0 at this point.
I think you would be best served to build an 11 server… test and get everything working, then migrate content and devices over.
I would then upgrade all the clients you can to the latest client that the OS will support.

The reason I say build a new server is that, while technically you probably can upgrade the existing server… there are a lot of changes over the past couple of years that could build upon themselves, making the upgrade not work. For example, the way downloads and certificates are validated for HTTPS, starting with 10.0.7 I believe and continuing to change through 10.0.9.