"Work from home" has completely changed the way we work and forced us to adapt quickly. If you are still struggling with patching your external machines, here are some settings that can make your life easier. Oftentimes networks are complex and pose complex issues; I will however try to simplify things and suggest solutions for the most common ones.
My company sent everyone home and our DMZ relay now has 6000 machines connecting to it. What can I do to spread the load?
BigFix Relays can support up to 2000 clients. You can always stand up multiple DMZ relays. If you want to stand up multiple relays, deploy the following client setting to your external machines: _BESClient_RelaySelect_FailoverRelayList. For details on how to stand up a DMZ relay, see https://www.linkedin.com/pulse/bigfix-easily-setup-internet-facing-relay-brad-sexton/?published=t
The setting allows the client to select the closest DMZ relay and spreads the load so that one relay does not get flooded with all of the clients. I also recommend adding an internal relay to this list as the first option. This internal machine should be one that clients normally do not connect to, so it acts as an alarm for potential issues with one of your internal relays: if you start seeing clients connecting to this internal failover relay, troubleshoot why the normal relay is not getting connections. So the value would be internalrelay;dmzrelay1;dmzrelay2
This setting works as follows: The BigFix agent looks to its last relay and tries to report back in. If that fails, it goes to the secondary. If the secondary fails, it starts at the failover list, first with the internal relay and then dmzrelay1 and then dmzrelay2. Say you are a global company. The first relay is in your main DMZ datacenter but you have a second datacenter in Europe or Asia. Put the second relay at the second location to spread out the load.
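To make the "canary" idea concrete, here is an added example (not code from the original article or from BigFix) that parses a _BESClient_RelaySelect_FailoverRelayList value, walks the selection order described above, and flags clients whose reports show them on the internal failover relay. The report lines and relay reachability are constructed sample data.

```python
"""Added example: simulate the relay-selection order described above and flag
clients that have landed on the internal 'canary' failover relay. The client
report lines and the reachability check are constructed sample data; the real
BigFix client performs this selection internally."""
from typing import Callable, List, Optional

# Value of _BESClient_RelaySelect_FailoverRelayList, as given in the article.
FAILOVER_LIST = "internalrelay;dmzrelay1;dmzrelay2"


def parse_failover_list(value: str) -> List[str]:
    """Split the semicolon-separated setting value, ignoring blank entries."""
    return [r.strip() for r in value.split(";") if r.strip()]


def select_relay(last: Optional[str], secondary: Optional[str], failover_value: str,
                 reachable: Callable[[str], bool]) -> Optional[str]:
    """Order described in the article: last relay, then secondary, then the
    failover list left to right. Returns the first reachable relay, or None."""
    for relay in [last, secondary, *parse_failover_list(failover_value)]:
        if relay and reachable(relay):
            return relay
    return None


def clients_on_canary(reports: List[str], failover_value: str) -> List[str]:
    """Constructed report lines of the form 'computer,relay'. The first entry of
    the failover list is the internal relay clients should never normally use;
    any client reporting through it is a signal that the normal relays failed."""
    canary = parse_failover_list(failover_value)[0]
    flagged = []
    for line in reports:
        computer, relay = (part.strip() for part in line.split(",", 1))
        if relay == canary:
            flagged.append(computer)
    return flagged


if __name__ == "__main__":
    down = {"officerelay1"}  # constructed: the client's usual relay is unreachable
    chosen = select_relay("officerelay1", None, FAILOVER_LIST, lambda r: r not in down)
    print("client would register with:", chosen)
    sample = ["LAPTOP-01,dmzrelay1", "LAPTOP-02,internalrelay", "LAPTOP-03,dmzrelay2"]
    print("clients on canary relay:", clients_on_canary(sample, FAILOVER_LIST))
```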
Once clients go on the DMZ they are not as responsive as on the network. What can I do?
Internally, BigFix clients communicate on port 52311: when you send an action to a client, the server sends a UDP notification on port 52311, and the agent then fetches the request and reports back over TCP port 52311. Internally, if machines are not responsive, check and make sure UDP on 52311 is not blocked. Externally, UDP notifications do not travel over the internet, so the following options are available.
Enable command polling. This is a good setting to have turned on both internally and externally. By default, BigFix reports back every 24 hours regardless of whether an action is pending. Externally you might want to be more aggressive and have your agent report back maybe every 30 minutes, and internally every 60 minutes. Obviously you need to select values that fit your organization.
- _BESClient_Comm_CommandPollEnable
- _BESClient_Comm_CommandPollIntervalSeconds
Another setting that you should consider enabling is persistent connections. For details, see https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_persistenconn2.html
Enable these settings on your DMZ relay:
- _BESRelay_DMZ_ChildEnable
- _BESRelay_PersistentConnection_Enabled
Then the relay your DMZ relay is talking to needs to have this setting enabled: _BESRelay_DMZ_ParentEnable. This enables a persistent connection between your relay in the DMZ and its parent relay on port 52311, and also requires port 52312 as a loopback.
Now on your workstations talking to the DMZ relay, enable this setting: _BESClient_PersistentConnection_Enabled
This makes your clients more responsive in two ways: with command polling they check in more often, and with persistent connections the relay can reach them without UDP.
I need to install the BigFix agent on a machine that is off the network. How can I do that where it checks in?
You can manually install the BigFix agent. If the machine is off network, make sure you install the agent with a clientsettings.cfg file in the same directory as the BigFix installer and masthead. This file can be created in Notepad, and you can add the following settings to get the agent talking to your BigFix environment while off network.
Open Notepad and add the following:
- __RelaySelect_Automatic=0
- __RelayServer1=http://DMZRELAYNAME:52311/bfmirror/downloads
- _BESClient_RelaySelect_FailoverRelay=http://DMZRELAYNAME:52311/bfmirror/downloads
- _BESClient_SecureRegistration=<password set on your DMZ relay>
Save the file as clientsettings.cfg and place it alongside your installer.
We also now offer MCM (Modern Client Management), with which your end users can enroll their devices in BigFix through a webpage and have the agent installed automatically. For details on how to set up MCM, see: https://www.linkedin.com/pulse/setup-bigfix-10-modern-client-agent-less-enrollment-brad-sexton/
Now that all of the machines are on the DMZ, the outgoing network pipe gets flooded while patching. What can I do?
Starting in BigFix 10 Patch 1, there is a client setting (_BESClient_Download_Direct_Domainlist) that tells the client to download payloads directly from the vendor. So if you are patching Windows machines that are at home, they can now use their home internet connection to get the patch payloads directly from Microsoft, instead of downloading them from your DMZ relay.
The values for the setting will be "*.adobe.com;*.apple.com;*.microsoft.com;*.bigfix.com;*.windowsupdate.com;*.ibm.com;*.google.com;*.mozilla.org"
When the machine comes back on the network, however, change this value back to an empty value ("").
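As an added example (not code from the article or from BigFix), the function below decides whether a download URL falls under a _BESClient_Download_Direct_Domainlist value such as the one above. The wildcard semantics used here (a leading "*." matching the listed domain and any sub-domain, anchored on the end of the host name) are an assumption for illustration, not a description of the BigFix implementation; the point is that an unanchored match would let a host like microsoft.com.example.net slip through.

```python
"""Added example: classify download URLs against a
_BESClient_Download_Direct_Domainlist value. The wildcard semantics are an
assumption for illustration, not the documented BigFix behaviour."""
from typing import List
from urllib.parse import urlsplit

# The value suggested in the article.
DIRECT_DOMAINLIST = ("*.adobe.com;*.apple.com;*.microsoft.com;*.bigfix.com;"
                     "*.windowsupdate.com;*.ibm.com;*.google.com;*.mozilla.org")


def parse_domainlist(value: str) -> List[str]:
    """Split the semicolon-separated list. An empty or blank value (what the
    article sets when a machine comes back on the network) yields no patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def host_matches(host: str, pattern: str) -> bool:
    """Anchor the match on the end of the host name so that
    'microsoft.com.example.net' does not satisfy '*.microsoft.com'.
    A '*.' pattern is assumed to also cover the bare domain itself."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def downloads_direct(url: str, domainlist_value: str) -> bool:
    """True if the client would fetch this URL from the vendor rather than
    through the DMZ relay, under the assumed matching rules."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, p) for p in parse_domainlist(domainlist_value))


if __name__ == "__main__":
    # Constructed sample URLs: a vendor download, a look-alike host, and a relay mirror path.
    for u in ("http://download.windowsupdate.com/x/kb.msu",
              "https://www.microsoft.com.example.net/kb.msu",
              "http://dmzrelay1:52311/bfmirror/downloads/sha1/abc"):
        print(u, "->", "direct" if downloads_direct(u, DIRECT_DOMAINLIST) else "via relay")
```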
For details on how to set up a dynamic client settings policy - one policy for your internal machines and one policy for your external machines - see here: https://www.linkedin.com/pulse/bigfix-tune-control-your-client-fit-needs-brad-sexton/
Another option is to turn on bandwidth throttling. For details, see https://www.linkedin.com/pulse/bigfix-throttle-network-traffic-brad-sexton/
For detailed information on any of these client settings, refer to the official network documentation: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html