Manage servers in DMZ

Hi All,

I have a few servers in a DMZ that the BigFix server cannot communicate with. What is the right way to go about managing those servers with BigFix? Can I add a relay agent to a server in the DMZ, and if so, what ports need to be open?

I only found this one document but seems cumbersome. I wouldn’t want to do this on all of the servers that I have in the DMZ.

http://www-01.ibm.com/support/docview.wss?uid=swg22003245#com.dblue.docview.dwAnswers.textfield.addQuestion

Thanks,

You could certainly deploy a Relay within the DMZ, enable point-to-point connectivity on TCP port 52311 (the default), and then configure the machines in the DMZ to communicate with the DMZ-based Relay. Here’s a sample architecture diagram that may help: https://www.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Adm/c_efficient_relay_setup.html

Great, thanks. So if I install the relay agent manually on a DMZ server using this: https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_cli_setup_relay.html

the next step is to poke a hole through the firewall to allow port 52311, and then I should be able to push the BigFix agent out to all the servers in the DMZ?

It depends on whether the BigFix service name resolves in the DMZ the same as it does internally.

You’ll probably have to create a clientsettings.cfg to use during the install to specify where the DMZ servers need to look for BigFix. For example:

IP:http://BigFixDMZAddress:52311/bfmirror/downloads/
__RelayServer1=http://BigFixDMZAddress:52311/bfmirror/downloads/
_BESClient_Inspector_ActiveDirectory_Refresh_Seconds=43200
_BESClient_Log_Days=10
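As an added example, not code from this thread or from the BigFix product itself, the script below turns the answers above into a repeatable pre-install step for a DMZ host: it checks that the relay name resolves from inside the DMZ (the point made in the last answer), checks that TCP 52311 to the relay is actually open (the firewall hole discussed above), and only then emits a clientsettings.cfg with the keys shown. The relay name relay-dmz.example.com is a placeholder, 52311 is the BigFix default port, and the optional command-polling keys (_BESClient_Comm_CommandPollEnable / _BESClient_Comm_CommandPollIntervalSeconds) are this example's own assumption about what to add when the firewall does not pass the relay's UDP 52311 notifications to the clients; the thread does not discuss them.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread above. Builds a clientsettings.cfg
# for a DMZ host from a relay hostname and runs the two preflight checks the
# answers imply: the relay name must resolve from inside the DMZ, and TCP
# 52311 to the relay must be open. relay-dmz.example.com is a hypothetical
# name; 52311 is the BigFix default port.

set -u

# The relay URL in the exact form the client expects (trailing slash included).
relay_url() {
  local host="$1" port="${2:-52311}"
  printf 'http://%s:%s/bfmirror/downloads/' "$host" "$port"
}

# Shape check: http, a host, an explicit port, and the /bfmirror/downloads/
# path. Returns 0 when the URL matches, 1 otherwise.
valid_relay_url() {
  printf '%s' "$1" | grep -Eq '^http://[A-Za-z0-9._-]+:[0-9]{1,5}/bfmirror/downloads/$'
}

# Emit the clientsettings.cfg contents: the keys from the thread, plus, when
# the third argument is "poll", the command-polling keys (this example's
# assumption for sites whose firewall blocks UDP 52311 relay-to-client
# notifications; the thread does not cover them).
make_clientsettings() {
  local host="$1" port="${2:-52311}" mode="${3:-}"
  local url
  url="$(relay_url "$host" "$port")"
  valid_relay_url "$url" || { echo "bad relay url: $url" >&2; return 1; }
  printf 'IP:%s\n' "$url"
  printf '__RelayServer1=%s\n' "$url"
  printf '_BESClient_Inspector_ActiveDirectory_Refresh_Seconds=43200\n'
  printf '_BESClient_Log_Days=10\n'
  if [ "$mode" = poll ]; then
    printf '_BESClient_Comm_CommandPollEnable=1\n'
    printf '_BESClient_Comm_CommandPollIntervalSeconds=900\n'
  fi
}

# Does the relay name resolve from this host? Uses getent where available.
resolve_host() {
  if command -v getent >/dev/null 2>&1; then
    getent hosts "$1" >/dev/null 2>&1
  else
    nslookup "$1" >/dev/null 2>&1
  fi
}

# Preflight. Returns 0 when the name resolves and the port answers,
# 1 when the name does not resolve (DNS problem in the DMZ),
# 2 when it resolves but the TCP connect fails (firewall hole missing).
relay_reachable() {
  local host="$1" port="${2:-52311}"
  resolve_host "$host" || return 1
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1 || return 2
  else
    # bash fallback when nc is absent
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null || return 2
  fi
  return 0
}

# Usage: dmz-clientsettings.sh RELAY_HOST [PORT] [poll] > clientsettings.cfg
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
  host="$1"; port="${2:-52311}"; mode="${3:-}"
  relay_reachable "$host" "$port"
  case $? in
    1) echo "$host does not resolve from this host; fix DNS or use the IP" >&2; exit 1 ;;
    2) echo "$host resolves but TCP $port is closed; check the firewall rule" >&2; exit 2 ;;
  esac
  make_clientsettings "$host" "$port" "$mode"
fi
```

Run it on the DMZ host before installing the agent, e.g. `./dmz-clientsettings.sh relay-dmz.example.com 52311 > clientsettings.cfg`. The distinct exit codes tell you whether the blocker is name resolution inside the DMZ or the firewall rule for 52311, which are usually owned by different teams; if the name will never resolve in the DMZ, passing the relay's IP address as RELAY_HOST produces a URL the client can still use.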