The instructions for different versions of BigFix may vary. For more information, see the following links:

 

 

For older BigFix versions (deprecated)

 

Step 1: Setting up the Network

In addition to the BigFix Server which is being configured on the isolated network, you will need a computer which has access to the public Internet, the 'Gathering Computer'. The Gathering Computer will be used to download Fixlet content and file downloads, which will then be transferred to the BigFix Server on the isolated network. The Gathering Computer should not be a BigFix Relay or a BigFix Server.

Note: The first section must be completed on a computer with Internet access.

On a computer that has Internet access, start the installation using the standard installation instructions. Follow steps 1 through 8 using the licensing authorization file you have been provided in email. This will generate the licensing files you need: License.pvk and License.crt. Generating this licensing information (these files and your password) is all that the Internet-connected computer is needed for.

Continue running the setup process on the BigFix Server on the internal network using the standard installation instructions (http://support.bigfix.com/bes/install/besinstall.html) from step 9. At this point, select the option "Use a production License I already have" and continue the installation. When the BigFix Server installation is complete, subscribe to each Fixlet site that you are licensed to use by double-clicking on the Fixlet site mastheads and loading them in the BigFix Console.

After you subscribe to each Fixlet site masthead, you will not be able to actually gather the Fixlets into the database (because of the air gap), and the BigFix Console will display a status of "Gathering site ...".

After the internal BigFix Server is set up, download the Make Mirror Archive Tool. This tool will be used for downloading Fixlets and compressing them into the format to take to the BigFix Server. The utility will only need to be run on the Gathering Computer and the files it generates will be manually transferred to the Main BigFix Server. Keeping the tool and the data on removable media, like a USB key, is preferred.

Step 2: Transferring Fixlet Content

In order to make Fixlet Content available on the isolated network, it will need to be transferred in from the Gathering Computer. You will run the MakeMirrorArchive.exe on the Gathering Computer and transfer the resulting files to the Main BigFix Server. Perform the following steps to update the Fixlet content on the BigFix Server on initial installation and all subsequent updates.

  1. Locate your Fixlet site subscription mastheads and copy them to the Gathering Computer. These mastheads will have been emailed with your license token.
    Important Note: Make sure the Internal BigFix Server has been subscribed to the Fixlet sites.
  2. Run the following command on the Gathering Computer:
    MakeMirrorArchive.exe sitemasthead.efxm
    You should see data files get created, but the only file that you will need to move to the server starts with "archive_". This step will need to be done for each site to which you subscribe, for example, "BES Support.efxm", would be the masthead for the default site "BES Support".
  3. Move the "archive_" files to the Main BigFix Server. All the individual archive files will need to be put in the "Inbox" folder of the Main BigFix Server. The "Inbox" folder can be located in the BigFix Server install folder and the default is "C:\Program Files\Bigfix Enterprise\BES Server\Mirror Server\Inbox". The BigFix Server will automatically read in the files after they are put into the Inbox and you should see the files disappear very soon after copying them over.
    Note: If you don't see the Fixlets appear in the BigFix Console shortly after the files disappear from the Inbox, then please verify that you are subscribed to the Fixlet site on the Internal BigFix Server.
  4. To keep the main BigFix Server up-to-date when new Fixlet content is released, repeat these steps periodically to update the Fixlet content on the main BigFix Server. You can join the new Fixlet mailing list here to receive notifications on when Fixlets are updated.

 

Step 3: Transferring Downloaded Files

Deploying Fixlets on the main BigFix Server will likely require downloaded patches and other files from the Internet. Included in the BigFix Air Gap Package is the BigFix Download Cacher utility. This utility will help you in downloading and transferring files to the main BigFix Server. The utility can help to download every patch in a Fixlet site or single file downloads from a URL. You can download the current utility here.

Some sites require additional steps to download content from patch vendors that restrict access.

See the following documents that describe using a tool to manually download patch binary data:

Solaris Download Cacher Tool

Steps to manually run the download cacher tool for Red Hat Enterprise Linux

How to use SuSE Linux Enterprise patch download tool

BigFix Download Cacher tool for AIX

These sites would require a three step process:

  1. Run the BESAirgapTool.exe as described above to download Fixlets and Tasks for each site,
  2. Run the BigFix Download Cacher utility to download any site tools from BigFix, and
  3. Run the download tool for each vendor to download patch contents.

Transferring all files from Fixlet sites

  1. Locate the masthead file (.efxm file) for the site you want to gather downloads.
  2. Run the BigFix Download Cacher utility with the following command:
    BES_Download_Cacher.exe -m <MyMasthead.efxm> -x downloads
    This could take a very long time as it will download every file referenced in the Fixlet site (maybe several Gigabytes) and put the files in the "downloads" folder. Note that if the files already exist in the "downloads" folder, they will not be re-downloaded. Files will be named with their sha1 checksum.
  3. When the download finishes, copy the contents of the downloads folder (just the files, not the folder) into the sha1 folder on the main BigFix Server. The default location for the sha1 folder is "C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1". The BigFix Server will use these files instead of trying to download them from the internet.
  4. If you run the download cacher later, you can look at the modification time of the files to see which are the newest files that are downloaded. Using this method, you can transfer only the newest files to the Main BigFix Server instead of copying every file each time.
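
Because the downloaded files are named with their sha1 checksum, that name can be checked against the file content before anything carried across the air gap is placed in the sha1 folder. The following PowerShell script is an added example, not part of the BigFix tooling or the original instructions. It assumes it is run on the main BigFix Server with the removable media mounted, and that each file name is exactly the 40-hex-digit SHA-1 of the file with no extension; the parameter names and the `Test-Sha1Name` helper are hypothetical.

```powershell
# Added example: verify Download Cacher output, then copy only new files (steps 3 and 4).
# Assumption: every file in the downloads folder is named with the 40-hex-digit
# SHA-1 of its own content, with no extension.
param(
    [string]$Downloads  = 'E:\downloads',   # constructed path to the removable media
    [string]$Sha1Folder = 'C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1',
    [datetime]$Since    = [datetime]::MinValue   # transfer only files modified after this time
)

function Test-Sha1Name {
    # True only when the file name is a SHA-1 value and matches the file content.
    param([System.IO.FileInfo]$File)
    if ($File.Name -notmatch '^[0-9a-fA-F]{40}$') { return $false }
    $actual = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA1).Hash
    return ($actual -ieq $File.Name)
}

$copied   = 0
$rejected = @()

foreach ($f in Get-ChildItem -LiteralPath $Downloads -File) {
    # Step 4: skip files already carried over on an earlier run.
    if ($f.LastWriteTime -le $Since) { continue }

    # Reject anything whose content does not hash to its own name.
    if (-not (Test-Sha1Name $f)) { $rejected += $f.Name; continue }

    $target = Join-Path $Sha1Folder $f.Name
    if (Test-Path -LiteralPath $target) { continue }   # already cached on the server

    # Step 3: copy the file itself (not the folder), then re-check the copy.
    Copy-Item -LiteralPath $f.FullName -Destination $target
    if (-not (Test-Sha1Name (Get-Item -LiteralPath $target))) {
        Remove-Item -LiteralPath $target
        $rejected += $f.Name
        continue
    }
    $copied++
}

"Copied $copied file(s); rejected $($rejected.Count)."
$rejected | ForEach-Object { Write-Warning "Name/content mismatch, not transferred: $_" }
```

A rejected file usually means a truncated download or a damaged copy on the removable media; download it again on the Gathering Computer instead of copying it by hand.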

If you need to download a single file (instead of all the files of a Fixlet site), use the instructions below:

Transferring a single file

  1. Run the BigFix Download Cacher utility with the following command:
    BES_Download_Cacher.exe -u <url> -x downloads
  2. When the download finishes, copy the contents of the downloads folder (just the file, not the folder) into the sha1 folder on the main BigFix Server.

You may need to increase the size of the cache on the main BigFix Server so that it does not try to empty any files from the cache. Use the BigFix Download Cacher to increase the size of the cache with the command:
BES_Download_Cacher.exe -c <Cache Size(Bytes)>

The default size is 1024 MB.

After the files are cached in the BigFix Server sha1 folder, they will be automatically delivered to the BigFix Relays/Clients when you click on an action in the Fixlet message that references a downloaded file. If the file is not cached, the BigFix Console will give you a status of "Waiting for Mirror Server" indefinitely after you deploy an action. More information about how the BigFix cache works is available here.