edit: removed reference to the masthead, in the new version I don’t think that’s required anymore, just the serial number and registration email address.
Since it’s a new environment, I’m assuming you’re on 9.5.
Have you read up on the airgap tool usage at https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_airgap_tool_overview_new.html ?
I’m running mine with “non-extraction usage” as described in the sub-link at https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Config/c_airgap_tool_NonExtr.html
Basically, on an Internet-connected workstation, you need to have the BESAirgapTool and your license information available. You use the BESAirgapTool to first create a site list (the sites available to you will vary based on your license). Then you edit the site listing file to mark which sites you wish to gather (download) from BigFix, then run the BESAirgapTool to gather those sites. Optionally, you may only gather the site data, or you may download the patch files referenced in the fixlets/tasks from the sites you gather (sha1 downloads).
Bring the resulting BESAirGap Response File to your airgapped server, and run the BESAirGapTool again to import those gathered sites into your BES deployment. You can also copy the downloaded patch files to wwwrootbes\bfmirror\downloads\sha1 to precache the patch downloads for your airgapped environment.
Also in the BES Server, as a Master Operator, you should use the “License Management” dashboard to subscribe to whatever sites you want available in the console (“Patches for Windows”, “Patches for RHEL 7”, etc.), and configure whatever computer subscription rules you want for those sites and which operators should be able to view the sites. Whatever you wish to subscribe needs to be included in the site list you used to gather with the BESAirgapTool.
If you’re gathering Red Hat patches, you’ll also need to use the RHSMDownloadCacher to build local RPM repositories, configure the RHSMDownloadPlugin on your root server, and bring in the patch downloads from the RHSMDownloadCacher to your BES Server’s RHSMPlugin cache folder.
Repeat this each day or however frequently you wish to gather new content.
It’s workable, but if at all possible it is much more maintainable to use a proxy server and grant your BES Root server Internet access. The clients and relays won’t need to gather sites or perform patch downloads, it’s only the root server that would need such access.