How to Change HCL BigFix Client and Console Ports

Overview

By default, HCL BigFix uses TCP port 52311 for communication between Clients, Relays, Root Server, and the Console. In some environments, organizations need to change this port because of:

  • Corporate security hardening policies

  • Firewall restrictions

  • Port conflicts with other applications

  • Network segmentation or DMZ design

  • Compliance requirements

Changing the communication port affects multiple components in the BigFix architecture, so it must be done carefully to avoid breaking client-server communication.

This guide explains the complete and safe procedure to modify the communication port across the BigFix infrastructure.


BigFix Communication Architecture

Before changing ports, it is important to understand the traffic flow.

BigFix Console
       │
       │ TCP
       ▼
BigFix Root Server
       │
       │ TCP
       ▼
Top-Level Relays
       │
       │ TCP
       ▼
Secondary Relays
       │
       │ TCP
       ▼
BigFix Clients

All these components use the same configured port defined in the masthead.


Default Ports in BigFix

Component          Default Port   Protocol
Client ↔ Relay     52311          TCP
Relay ↔ Server     52311          TCP
Console ↔ Server   52311          TCP
Web Reports        8080 / 8443    HTTP / HTTPS
WebUI              80 / 443       HTTP / HTTPS

Note that WebUI and Web Reports ports are independent and are not impacted by changing the client communication port.


Important Prerequisites

Before changing the port:

✔ Schedule a maintenance window
✔ Back up the Masthead file
✔ Document current relay topology
✔ Ensure new firewall rules are pre-approved
✔ Test the change in a non-production environment


Step 1 — Update the Masthead Port

The masthead file controls the core configuration used by all BigFix clients.

Location:

Windows

C:\Program Files (x86)\BigFix Enterprise\BES Server\Masthead.afxm

Linux

/var/opt/BESServer/BESServer/Masthead.afxm

Open the file and locate:

_PortNumber=52311

Change it to the required port.

Example:

_PortNumber=55000

Save the file.

⚠ The masthead modification affects all new clients installed after the change.


Step 2 — Update Existing Clients Using BigFix

Existing clients will continue attempting to communicate on the old port.
To redirect them, deploy a client setting.

BigFix Client Setting

_BESClient_RelaySelect_Port

Example Action Script

setting "_BESClient_RelaySelect_Port"="55000" on "{now}" for client

Restart the client service after the change.

waithidden net stop BESClient
waithidden net start BESClient

Linux restart:

service besclient restart

Deploy this task to all endpoints.


Step 3 — Update Relay Configuration

Relays must also listen on the new port.

Deploy the same client setting to all relays.

_BESClient_RelaySelect_Port=55000

Then restart the relay service.

Windows:

net stop besrelay
net start besrelay

Linux:

service besrelay restart

Step 4 — Update Firewall Rules

Open the new port across the infrastructure.

Example rule:

Allow TCP 55000

Firewalls that may need updates:

  • Endpoint firewall

  • Relay firewall

  • Server firewall

  • Network firewalls between zones

  • DMZ firewall (if applicable)


Step 5 — Update the Console Connection

The BigFix Console connects to the Root Server using the same communication port.

When launching the console, specify the port:

servername:55000

If the port is changed successfully, the console will connect normally.


Step 6 — Restart BigFix Services

Restart the following services to ensure the change is applied.

On Root Server:

BES Root Server
BES FillDB
BES GatherDB

On Relays:

BES Relay

On Clients:

BES Client

Verification Steps

Test Port Connectivity

From endpoints or console machine:

telnet <relay_or_server> 55000

or

Test-NetConnection servername -Port 55000

Verify Client Setting

Use BigFix relevance:

setting "_BESClient_RelaySelect_Port" of client

Expected output:

55000

Check Client Logs

Windows:

C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__Global\Logs

Linux:

/var/opt/BESClient/__BESData/__Global/Logs

Look for:

Trying to connect to relay on port 55000

Troubleshooting

Clients Not Reporting After Port Change

Possible causes:

  • Firewall blocking the new port

  • Client settings not deployed

  • Relay not restarted

  • Incorrect masthead configuration

Check:

clientsettings.cfg

Console Cannot Connect

Verify:

  • Correct servername and port

  • Root Server service status

  • Firewall access


Best Practice Deployment Strategy

To minimize risk, use phased migration.

Phase 1

Change port on:

  • Root Server

  • One relay

  • Test endpoints

Phase 2

Change port on:

  • Remaining relays

Phase 3

Deploy client port setting globally.


Security Considerations

Changing ports can improve security posture, but it should not replace proper security controls.

Recommended controls:

  • Use TLS communication

  • Restrict relay access

  • Monitor traffic

  • Apply network segmentation


Summary

Changing the communication port in HCL BigFix involves updating:

1. Masthead configuration
2. Client relay port setting
3. Relay configuration
4. Firewall rules
5. Console connection parameters

A controlled rollout ensures continuous endpoint management without service disruption.

Disclaimer: This is untested in a production environment, and GPT was used for composing it.

2 Likes
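
The connectivity check from the Verification Steps, extended to a whole host list and to both ports, so the listener state of each server and relay can be compared with the firewall rules actually in place. This is an added example, not part of the original post or of BigFix tooling; the host names are constructed placeholders, and 52311 and 55000 are the ports used in the post.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

OLD_PORT = 52311  # BigFix default port named in the post
NEW_PORT = 55000  # example replacement port used in the post


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable name, no route
        return False


def classify(host, old_port=OLD_PORT, new_port=NEW_PORT, timeout=2.0):
    """Report which of the two ports accepts connections on one host.

    A successful connect only proves that something is listening there;
    it does not prove the listener is a BigFix component.
    """
    old = port_open(host, old_port, timeout)
    new = port_open(host, new_port, timeout)
    if old and new:
        return "both-open"
    if new:
        return "new-only"
    if old:
        return "old-only"
    return "unreachable"


def survey(hosts, old_port=OLD_PORT, new_port=NEW_PORT, timeout=2.0):
    """Classify many hosts in parallel; returns {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = pool.map(lambda h: classify(h, old_port, new_port, timeout), hosts)
        return dict(zip(hosts, states))


if __name__ == "__main__":
    # Constructed host names (assumption); substitute your own inventory.
    inventory = ["bigfix-root.example.internal", "relay01.example.internal"]
    for host, state in survey(inventory).items():
        print(f"{host}\t{state}")
```

A host reported as "both-open" or "old-only" still exposes the default port, which is the state to reconcile against firewall rules before the old rule is removed.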

Please note that this is not accurate. You cannot change the port defined in the masthead without generating a new masthead, which is essentially a new BigFix deployment. Please see Modifying port numbers for reference.