BigFix patch management for closed network

Anton 2022-05-12 13:17:03 UTC #1

Hi community.

Our goal is to create a secured network that does not have assess to the “internet”.
Ideally, this will be closed network where clients can reach only the BigFix Server.

Question:
How we can use Patch Management process in this conditions?

I’m asking as because patching fixlet pinpoint directly to Windows download servers for obtaining the patches.
For example: https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/05/windows10.0-kb5014026-x64_df6de35fd472512e628c2acc6e8d58f3e6139ac9.msu

It means that Client still need to have access to internet to download patches?
What “best practices” you can recommend to achieve this goal?

Best regards,
Anton.

JasonWalker 2022-05-12 13:31:53 UTC #2

We refer to this as “Airgap Mode”. There are instructions in the subtopics at https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_airgap_tool_use.html

The basic idea is that you’ll use the AirgapTool to download site updates (lists of fixlets), as well as to download the vendors’ patch binaries (the patch .MSU files) and precache them onto your BigFix server.

Since your server won’t be able to download the patches directly, you’ll need to be sure you size your disk caches large enough for the server to store every patch you might possibly want to deploy.

Running an airgapped server works, and a number of customers are using this scenario successfully, but do be prepared as there is a lot more administrative overhead to running an airgapped network.

Anton 2022-05-12 13:35:40 UTC #3

Hi Jason.

Server itself will have access to the network. Only clients will not.
I’m not sure that I understand correct.
Who is “visiting” the link stated inside task? Client or Server?

JasonWalker 2022-05-12 13:40:18 UTC #4

Oh, then that is a much easier and standard scenario.

Unless you change the defaults (by modifying the _BESClient_Download_Direct client setting), in the default setup all of the downloads will result in the client requesting the download from its Relay, the Relay sending the download request up to the Root Server, and only the Root Server actually accesses the Internet to perform the downloads.

The resulting download files are then returned down the relay chain, with each Relay caching the file. The next time a client requests the same file, the Relay can serve the patch from its cache so the Internet download does not need to be repeated.

Anton 2022-05-12 14:06:00 UTC #5

Ok. thank you.

I will try it inside my sandbox and post here if have additional questions.