BigFix deployment in a 'semi' isolated network

I’m looking at deploying BigFix in an environment where the endpoints will be in an isolated network (no internet access). I understand that in such an environment, the standard approach would be to use the AirGap tool and BESDownloadCacher to download content via a system connected to the internet and then transfer it via a USB drive on to the BES Server. This ‘manual’ approach is not acceptable to the teams and we’re looking at what options we have to automate the content download process. I believe we may be able to get a couple of ports opened between 2 servers in the isolated and connected networks (e.g. a BES server and a ‘download server’?) to enable automated content updates.
In such a scenario, what are my options for the deployment design?
One probable option I’m thinking about is - BES Server on network connected to internet, one top level relay on isolated network (with 52311 opened with the BES server) and all endpoints on the isolated network connecting to the relay. Would such a deployment work? Any other options I can look at (preferably with the BES Server on the isolated network along with the endpoints)?
Thanks

My advice – Keep the BES server inside your protected network where the BES Clients can easily reach it and use a Proxy to allow the BES Server to reach the Internet.

By design, the only system that needs to download anything from the Internet is the BES Server itself. Everything else is distributed via the Relays.

You can put your BES Server outside the Protected network and use a Relay. If you do this, you will need to create a ClientSettings.cfg file to use when installing the clients. The first thing a newly installed client does is try to communicate with the server listed in the masthead in order to register and download a list of Relays. You would need to specify your Top Level Relay in the ClientSettings.cfg file.

Simpler to put the BES Server inside the protected network and provide it a Proxy to the Internet.

2 Likes

Thanks Tim. What you suggested is what I’d ideally like to do as well. However, it seems that security policies will not allow us access to the internet proxy from a server (BES Server) in the isolated network.

With the BES server inside the isolated network, i’ll need a mechanism to route download requests to a ‘download server’ with internet connectivity and then have this server get the content to the BES Server somehow…

I’m not aware of any way to specify an alternate “download” System in BigFix. Someone else might know of a way to do it.

Barring someone else chiming in, it sounds like you are down to either a fully “Air-Gapped” network, or putting your BigFix Server outside the Protected Network. Both have their drawbacks.

Air-Gapped:
All downloads must be performed manually using a computer with Internet access. This involves using the AirGap tool to download the Fixlet/Task/Dashboard/Analysis content from IBM on a regular basis and importing it into the Air-Gapped system. You would also need to use the BESDownloadCacher tool to download the actual patches and cache them on the server as well.

You should expect to do this at least once per day.

Server Outside Protected Zone:
The trouble here is that when you install a BES Client, the only other component a Client knows about is the BES Server since it’s listed in the Masthead file. It needs to contact the BES Server to obtain a list of available Relay machines and to register itself with the server.

A workaround is to use a clientsettings.cfg file to specify a Relay that the client can use in place of the BES Server for registration purposes. You can find information about this in this document. Additional settings can also be included in the clientsettings.cfg file. Note: The filename is different on Linux/UNIX clients.

With the clients unable to communicate directly with the BES Server and the server unable to directly communicate with the clients, I would make sure that there were at least two Top Level Relays that were able to reach the BES Server and that the BES Server could reach both of them. This is for redundancy, and to prevent an unnecessary bottleneck.

Something else just came to mind. The machines that you run the Console on will still need to communicate with the BES Server directly. I assume these will be inside the Protected Network.

Unless you can obtain an exception to the Internet access policy, to allow the Server to access the Internet via a Proxy, you may be down to just the fully Air-Gapped solution.

1 Like
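A check for the clientsettings.cfg approach described in the two posts above, written as an added example (it is not from the thread and not BigFix's own tooling): it parses a constructed clientsettings.cfg and verifies the "server outside the protected zone" design, i.e. at least two Top Level Relays for redundancy, relay URLs on port 52311 with the standard /bfmirror/downloads/ path, no entry pointing at the unreachable root server, and automatic relay selection disabled. The setting names `__RelayServer1`, `__RelayServer2` and `_BESClient_RelaySelect_Automatic` are the documented BigFix client settings; the hostnames are constructed.

```python
"""Validate a clientsettings.cfg for the 'BES Server outside the protected zone' design.

Added example with a constructed sample; setting names are the documented BigFix
client settings, hostnames are made up for illustration.
"""
from urllib.parse import urlparse

# Constructed clientsettings.cfg: pin the client to two top-level relays and
# turn off automatic relay selection so it never tries to reach the root server.
SAMPLE_CFG = """\
__RelayServer1=http://tlr1.isolated.example:52311/bfmirror/downloads/
__RelayServer2=http://tlr2.isolated.example:52311/bfmirror/downloads/
_BESClient_RelaySelect_Automatic=0
"""


def parse_clientsettings(text):
    """Return {name: value} for NAME=VALUE lines; blanks and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def check_relay_pinning(settings, root_host, port=52311):
    """Return a list of problems; an empty list means the config matches the design."""
    problems = []
    relays = [v for k, v in settings.items() if k.startswith("__RelayServer")]
    if len(relays) < 2:
        problems.append("fewer than two __RelayServerN entries (no redundancy)")
    for url in relays:
        u = urlparse(url)
        if u.scheme != "http" or u.port != port:
            problems.append(f"{url}: expected http on port {port}")
        if not u.path.endswith("/bfmirror/downloads/"):
            problems.append(f"{url}: path should end with /bfmirror/downloads/")
        if u.hostname == root_host:
            problems.append(f"{url}: points at the root server, which clients cannot reach")
    if settings.get("_BESClient_RelaySelect_Automatic") != "0":
        problems.append("_BESClient_RelaySelect_Automatic must be 0 to stay pinned to the relays")
    return problems
```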

There is another option that @TimRice hasn’t yet mentioned, but I’m not sure it will work for you either.

You can have the BigFix root server in a protected network without internet access, and a top level relay that is able to access the internet. You can configure the top level relay to handle all of the downloads for all of the patches. You will still need to do the AirGap process to gather sites from IBM into the root server, but you will not need to do the AirGap process for every single download/patch.

The clients would then connect to a relay inside their network, and those relays would talk to the top level relay that has internet access, while that relay would talk to the root.

You can also mix in the “Fake Root” concept to address some of the issues with the first client connection @TimRice mentions.

1 Like