Remote Control Controller

Where is the Remote Control Controller typically installed? I get the impression that it can be installed on a workstation that has the BigFix console installed.

It can be on any Windows machine that is running the right version of Java, Mike.

If you don’t have the controller installed, then you can use the remote control server web interface to access a client. Is that correct?

Does the controller communicate with the remote control server to get group membership and policies?

If the target is defined as managed, does the remote control session have to be from the server / web interface, or can the session be initiated from a client with the controller installed?

Hi mbartosh,
You can install the Controller wherever you want and you don’t need the JVM to be installed. The Controller uses its embedded IBM JVM, so you don’t have to worry about that unless you are in “Managed mode”. The only constraint you may have is in case you want to handle your target by using the BigFix console and open P2P sessions from there without installing the server. In that case you need to install the controller on the computer where the BigFix Console is installed.

If you don’t have the controller installed, then you can use the remote control server web interface to access a client. Is that correct?

Yes. The Controller will be downloaded on the fly and executed using the browser Java plugin, and you probably need the JVM in that case, but the controller won’t be installed. Anyway, depending on the security policies you may want the controller installed (for example, FIPS requires the controller to be installed).

If the target is defined as managed, does the remote control session have to be from the server / web interface, or can the session be initiated from a client with the controller installed?

It depends on the policies you set for your targets in the server. You can allow or disallow P2P sessions, which are those initiated by a stand-alone controller. If P2P sessions are disabled you have to use the server webui in order to connect to the target.

I hope this will help
Federico


Hi Federico,

Thanks for your reply. I have a better understanding of the controller now. However, my understanding is that the controller will pull the remote control server policies so that the connection will be managed. Would this be considered a P2P managed connection?

We will generally have the controller installed on the PCs that our desktop support team uses. These PCs will also have the Bigfix console installed. In this case we would want to be able to start a remote control session from a right click in the Bigfix console.

However, we do have third parties outside our network that will need to connect to servers inside our data center. These systems could also have the controller installed, but they need to receive the policies from the RC Server so that they are limited to specific servers.

Thanks for your reply. I have a better understanding of the controller now. However, my understanding is that the controller will pull the remote control server policies so that the connection will be managed. Would this be considered a P2P managed connection?

The only thing that Managed and P2P mode have in common is that once a connection is established only the controller and the target are involved and communicate directly. The connection initiated in managed mode from the server webui works like this:

  1. The user clicks on start session.
  2. The server checks if you have the rights for acting on the target.
  3. The server generates an authorization token and passes it to the controller.
  4. The controller is either downloaded or directly run if installed.
  5. The controller connects to the server and downloads the configuration from it.
  6. The controller connects directly to the target.
  7. The target connects to the server and checks the token passed by the controller.
  8. The target updates the policies by downloading them from the server.
  9. The controller is connected to the target.

In P2P mode all the accounting and authorization stuff is skipped. Of course you still have to provide the target machine credentials unless disabled in the target settings.

However, in Managed mode you can also have a gateway or a gateway hierarchy and a broker. In that case the connection will also involve them. These components are not supported in P2P mode.

We will generally have the controller installed on the PCs that our desktop support team uses. These PCs will also have the Bigfix console installed. In this case we would want to be able to start a remote control session from a right click in the Bigfix console.

The BigFix console can start P2P sessions only. When you right-click on a computer and click on “IBM BigFix Remote Control” the stand-alone Controller is opened and the fields are prefilled with the selected computer properties. This won’t work if you have disabled P2P mode on your targets or if you need a managed connection.

However, we do have third parties outside our network that will need to connect to servers inside our data center. These systems could also have the controller installed, but they need to receive the policies from the RC Server so that they are limited to specific servers.

I’m afraid that this is not currently supported. You can use a broker or ICB (Internet connect broker) only if you need to access targets which are on a different network reachable through the internet. So in that case you start the broker session using the server webui and then, by giving the code to the operator, you allow the target to join the session through the broker, which is publicly available on the internet. The main problems in your scenario are the following:

  • The Remote Control Server is not supported on the internet for security reasons.
  • The broker session can only be started from the server webui, so from a computer which is able to reach the server.
  • The third party probably can’t access the RC server network unless a VPN or something else is provided to access your company network.

I hope this helps to give the whole picture.
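The managed-mode sequence above (server rights check, authorization token handed to the controller, target verifying that token with the server and then pulling its policies) and the P2P rule (no server involvement, target credentials required unless disabled, refused when P2P is turned off by policy) can be illustrated with a small simulation. The following is an added example written for this page; it is not IBM BigFix Remote Control code and does not reproduce its real protocol, token format or API. The `RCServer`, `Controller` and `Target` classes, the HMAC-signed single-use token, the user names and the target ids are all constructed for illustration.

```python
"""Toy model of the managed-mode and P2P handshakes described in the thread.

Constructed for illustration only: the real product's token format, message
flow and policy names are not known from the page and are not reproduced here.
"""
import hashlib
import hmac
import secrets
import time


class RCServer:
    """Holds user rights and per-target policies; issues and verifies tokens."""

    def __init__(self, key, user_rights, policies):
        self._key = key                # HMAC key known only to the server
        self._rights = user_rights     # user -> set of target ids (assumed shape)
        self._policies = policies      # target id -> policy dict (assumed shape)
        self._issued = {}              # nonce -> (user, target, expiry); single-use

    def _sign(self, msg):
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def start_session(self, user, target, ttl=60):
        # Step 2: rights check happens before anything is handed to the controller.
        if target not in self._rights.get(user, set()):
            raise PermissionError(f"{user} may not control {target}")
        nonce = secrets.token_hex(8)
        expiry = int(time.time()) + ttl
        msg = f"{nonce}:{user}:{target}:{expiry}"
        self._issued[nonce] = (user, target, expiry)
        # Step 3: authorization token bound to one user, one target, one use.
        return f"{msg}:{self._sign(msg)}"

    def verify_token(self, token, claimed_target, now=None):
        # Step 7: the target does not trust the controller; it asks the server.
        now = int(time.time()) if now is None else now
        parts = token.split(":")
        if len(parts) != 5:
            return False
        nonce, user, target, expiry, sig = parts
        msg = f"{nonce}:{user}:{target}:{expiry}"
        if not hmac.compare_digest(sig, self._sign(msg)):
            return False                      # forged or tampered token
        if target != claimed_target or int(expiry) < now:
            return False                      # wrong target or expired
        return self._issued.pop(nonce, None) is not None   # replay => False

    def policies_for(self, target):
        # Step 8: target refreshes its policies from the server.
        return dict(self._policies.get(target, {}))


class Target:
    """A managed target knows its server; a pure P2P target has server=None."""

    def __init__(self, target_id, server=None, local_credentials=None, policies=None):
        self.id = target_id
        self.server = server
        self.local_credentials = local_credentials
        self.policies = dict(policies or {})

    def accept(self, token=None, credentials=None):
        if token is not None:                            # managed mode
            if self.server is None or not self.server.verify_token(token, self.id):
                return "rejected: token not accepted by server"
            self.policies = self.server.policies_for(self.id)
            return "managed session established"
        if not self.policies.get("allow_p2p", True):     # P2P disabled by policy
            return "rejected: P2P disabled by policy"
        if self.policies.get("require_credentials", True) and credentials != self.local_credentials:
            return "rejected: target credentials required"
        return "p2p session established"


class Controller:
    """Stand-alone or server-launched controller; step 6 is the direct connect."""

    def connect(self, target, token=None, credentials=None):
        return target.accept(token=token, credentials=credentials)


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    server = RCServer(secrets.token_bytes(32),
                      user_rights={"alice": {"srv01"}},
                      policies={"srv01": {"allow_p2p": False, "require_credentials": True}})
    srv01 = Target("srv01", server=server, local_credentials="s3cret",
                   policies={"allow_p2p": False})
    ws42 = Target("ws42", local_credentials="pw", policies={"allow_p2p": True})
    results = {}
    token = server.start_session("alice", "srv01")
    results["managed"] = Controller().connect(srv01, token=token)
    results["replay"] = Controller().connect(srv01, token=token)         # single use
    results["tampered"] = Controller().connect(srv01, token=token.replace("srv01", "srv02", 1))
    results["p2p_blocked"] = Controller().connect(srv01, credentials="s3cret")
    try:
        server.start_session("bob", "srv01")
        results["bob"] = "token issued"
    except PermissionError:
        results["bob"] = "rights check failed"
    results["p2p_ok"] = Controller().connect(ws42, credentials="pw")
    results["p2p_bad_creds"] = Controller().connect(ws42, credentials="wrong")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

The point the simulation makes is the one Federico's step list implies: in managed mode the target never accepts a session on the controller's say-so; it verifies the token with the server it already trusts and then refreshes its own policies, so a target whose policy disallows P2P still refuses a stand-alone controller even when the correct local credentials are presented.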

You said that the Remote Control Server is not supported for internet access for security reasons. If we add a broker server, it will be in the same network zone. Why does going through a broker provide more security?

Usually the broker is installed in a DMZ and is publicly accessible from the internet.
The reason why it is not secure to put the server in place of the broker in a DMZ is that if the server is compromised you can get access to all target information and even access all targets in the worst scenario. If the machine where the broker is installed is compromised, then there is no data leakage. We are looking at enabling internet access for controllers via broker at some point in the future, but we don’t know yet when this will happen.