BigFix patch management for closed network

Hi community.

Our goal is to create a secured network that does not have access to the “internet”.
Ideally, this will be a closed network where clients can reach only the BigFix Server.

Question:
How can we use the Patch Management process in these conditions?

I’m asking because patching fixlets point directly to Windows download servers for obtaining the patches.
For example: https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/05/windows10.0-kb5014026-x64_df6de35fd472512e628c2acc6e8d58f3e6139ac9.msu

Does it mean that the Client still needs to have access to the internet to download patches?
What “best practices” can you recommend to achieve this goal?

Best regards,
Anton.

We refer to this as “Airgap Mode”. There are instructions in the subtopics at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_airgap_tool_use.html

The basic idea is that you’ll use the AirgapTool to download site updates (lists of fixlets), as well as to download the vendors’ patch binaries (the patch .MSU files) and precache them onto your BigFix server.

Since your server won’t be able to download the patches directly, you’ll need to be sure you size your disk caches large enough for the server to store every patch you might possibly want to deploy.

Running an airgapped server works, and a number of customers are using this scenario successfully, but do be prepared as there is a lot more administrative overhead to running an airgapped network.

Hi Jason.

The Server itself will have access to the network. Only the clients will not.
I’m not sure that I understand correctly.
Who is “visiting” the link stated inside the task? Client or Server?

Oh, then that is a much easier and standard scenario.

Unless you change the defaults (by modifying the _BESClient_Download_Direct client setting), in the default setup all of the downloads will result in the client requesting the download from its Relay, the Relay sending the download request up to the Root Server, and only the Root Server actually accesses the Internet to perform the downloads.

The resulting download files are then returned down the relay chain, with each Relay caching the file. The next time a client requests the same file, the Relay can serve the patch from its cache so the Internet download does not need to be repeated.
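The relay chain described in the reply above, as an added, constructed model (not BigFix code and not from this thread): two closed-network clients behind one Relay request the same patch file, and the counters show that only the Root Server goes out to the Internet, and only once, because the Relay serves the second request from its cache. The `_BESClient_Download_Direct` name comes from the thread; the URL is a placeholder, the file bytes are constructed, and the SHA-1 check stands in for the hash a fixlet's download statement carries.

```python
"""Model of the default BigFix download path: Client -> Relay -> Root Server -> Internet.
Constructed example, not BigFix code: it shows why only the Root Server needs
Internet reach when _BESClient_Download_Direct is left at its default (off)."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the vendor download servers (URL -> file bytes).
INTERNET = {
    "https://example.invalid/windows10.0-kb5014026-x64.msu": b"constructed MSU payload",
}


@dataclass
class RootServer:
    """The only node that talks to the Internet; keeps a download cache."""
    internet: dict
    cache: dict = field(default_factory=dict)
    internet_fetches: int = 0

    def fetch(self, url: str) -> bytes:
        if url not in self.cache:
            self.internet_fetches += 1          # one real outbound download
            self.cache[url] = self.internet[url]
        return self.cache[url]


@dataclass
class Relay:
    """Forwards cache misses up the chain and caches every file it returns."""
    parent: object                              # RootServer or another Relay
    cache: dict = field(default_factory=dict)
    parent_requests: int = 0

    def fetch(self, url: str) -> bytes:
        if url not in self.cache:
            self.parent_requests += 1
            self.cache[url] = self.parent.fetch(url)
        return self.cache[url]


@dataclass
class Client:
    """A closed-network endpoint: it can reach its Relay and nothing else."""
    relay: Relay
    download_direct: bool = False               # models _BESClient_Download_Direct

    def download(self, url: str, expected_sha1: str) -> bytes:
        if self.download_direct:
            # Direct mode would require the client itself to reach the vendor
            # server, which the closed network does not allow.
            raise ConnectionError("closed network: no route to the Internet")
        data = self.relay.fetch(url)
        # Fixlets carry a hash for each download; verify before using the file.
        if hashlib.sha1(data).hexdigest() != expected_sha1:
            raise ValueError("download hash mismatch")
        return data


def run_scenario() -> dict:
    """Two clients behind one Relay fetch the same patch; return the counters."""
    url = next(iter(INTERNET))
    sha1 = hashlib.sha1(INTERNET[url]).hexdigest()
    root = RootServer(INTERNET)
    relay = Relay(root)
    first, second = Client(relay), Client(relay)
    a = first.download(url, sha1)
    b = second.download(url, sha1)
    try:
        Client(relay, download_direct=True).download(url, sha1)
        direct_ok = True
    except ConnectionError:
        direct_ok = False
    return {
        "same_bytes": a == b,
        "internet_fetches": root.internet_fetches,          # 1: Root went out once
        "relay_parent_requests": relay.parent_requests,     # 1: second hit the cache
        "direct_mode_works_in_closed_network": direct_ok,   # False
    }


if __name__ == "__main__":
    print(run_scenario())
```

The firewall rule this implies for the closed network is the one the reply states: clients need a route to their Relay (and the Relay to the Root Server), not to the vendor download hosts; the hash check is what lets a client trust a file that arrived through intermediaries.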

Ok. thank you.

I will try it inside my sandbox and post here if I have additional questions.
