BigFix Console in the Cloud

Is it possible to have the BigFix console controlling the environment from the Cloud? Perhaps through the WebUI or via VPN. Also, if it can be done, what would the customer have to do in order to set this up?
Thanks in advance

Yes :)

We have our core servers running in SoftLayer, with the Primary server in one pod and DSA in another. This is running the main server, web reports, and webui.

Below that, we have 2 top level relays, also in SoftLayer, one in each pod with the cores.

Then spread around our various data centres/networks, we have ground side relays, some backend, some internet facing. Each of these talks to the top level relays via backend network connectivity between us & our SoftLayer networks. I can’t remember what they call it, but AWS would call it DirectConnect if that helps.

All clients talk to a ground side relay, and we have command poll enabled globally and do not rely on UDP (although when that is enabled on a particular network, it’s very nice :) ).

I don’t know that we particularly ‘did’ anything specific BigFix-wise, it’s all networking. The only connectivity we have enabled between the ground relays and the top level relays is port 52311. The top levels are in the same network as the core servers in each pod so there was nothing to set up/change there.

For Console, WebReports, WebUI & SSH access to the server itself, our traffic will be crossing that back end link, so we’ll have opened up the ports we need for those to work, but it would be easy enough to add a public IP onto the core servers and open up those ports on the public network instead and connect that way - though if we did, we’d also firewall the incoming connections and limit them to our outbound ranges so that only we could connect.

Our only real problem hosting the core servers outside has been the propensity of our hosts to restart their hosts. Mostly in defined maintenance windows, but occasionally without warning.

2 Likes
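The firewall posture described in the post above (only port 52311 between the relay tiers, and any public access to the core servers limited to your own outbound ranges) can be checked against a rule export. This is an added example, not part of the original thread; the zone names, address ranges, the rule list, and the WebUI/SSH port numbers are constructed assumptions.

```python
import ipaddress

RELAY_PORT = 52311  # the only port the post opens between ground and top-level relays

# Constructed: documentation ranges (RFC 5737) stand in for the organisation's egress ranges.
EGRESS_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.16/28")]

# Constructed inbound rules: (zone, source CIDR, port, note).
RULES = [
    ("relay-link", "10.20.0.0/16", 52311, "ground relays to top-level relays"),
    ("relay-link", "10.20.0.0/16", 22, "leftover ssh rule"),
    ("public", "198.51.100.0/24", 52311, "console"),
    ("public", "0.0.0.0/0", 443, "webui open to the internet"),
    ("public", "203.0.113.0/24", 22, "ssh, wider than the /28 egress range"),
]

def within_egress(cidr, egress=EGRESS_RANGES):
    """True when every address in cidr falls inside one allowed egress range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in egress)

def findings(rules, egress=EGRESS_RANGES):
    """Return (zone, source, port, reason) for each rule that breaks the policy."""
    out = []
    for zone, src, port, _note in rules:
        if zone == "relay-link" and port != RELAY_PORT:
            out.append((zone, src, port, "relay link should carry only port 52311"))
        elif zone == "public" and not within_egress(src, egress):
            out.append((zone, src, port, "source not limited to our egress ranges"))
    return out

if __name__ == "__main__":
    for zone, src, port, reason in findings(RULES):
        print(f"[{zone}] {src} -> port {port}: {reason}")
```
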

Thank you for your detailed response. What vendor(s) would you recommend for the Cloud host to avoid the problem you ran into?
Thanks in advance.

You’re welcome. I’m glad to be able to give back something to this community having spent many hours on the forums researching things for myself.

I’m not all that sure that any one vendor would be better than any other. They all have infrastructure to maintain, and that maintenance will likely impact any environment you run on their systems at some stage or another. Even if you go for Bare Metal/Dedicated Server services, there will still be power/rack/DC/hardware maintenance to contend with. For me, part of having a third party provide some of your services is accepting that they won’t be perfect and that even with the best will in the world, things can go wrong; so you write that up into your risk analysis and be prepared with your continuity plan to handle that situation.

To give some further context, our production platform has been running as above for about 18 months, we’ve had planned maintenance from SoftLayer 3 or 4 times, and 2 unplanned in that time. On the planned occasions, we’ve had more than enough notice to manage expectations and work around any potential outage. On the unplanned side, we’ve only had actual impact once, the other time we were between patch cycles so nothing was actually happening platform side.

1 Like

Thanks for the advice.