Installing BigFix in an Air-Gapped Network

If you are using BigFix 8.0 or newer, please see http://support.bigfix.com/bes/install/airgapnetwork.html.

Step 1: Setting up the Network

In addition to the BES Server which is being configured on the isolated network, you will need a computer which has access to the public Internet, the 'Gathering Computer'. The Gathering Computer will be used to download Fixlet content and file downloads, which will then be transferred to the BES Server on the isolated network. The Gathering Computer should not be a BES Relay or a BES Server.

Note: The first section must be completed on a computer with Internet access.

On a computer that has Internet access, start the installation using the standard installation instructions. Follow steps 1 through 8 using the licensing authorization file you have been provided in email. This will generate the licensing files you need: License.pvk and License.crt. The Internet-connected computer is needed only to generate this licensing information: these files and your password.

Continue running the setup process on the BES Server on the internal network using the standard installation instructions (http://support.bigfix.com/bes/install/besinstall.html) from step 9. Select the option "Use a production License I already have" and continue the installation. When the BES Server installation is complete, subscribe to each Fixlet site that you are licensed to use by double-clicking on the Fixlet site mastheads and loading them in the BES Console.

After you subscribe to each Fixlet site masthead, you will not be able to actually gather the Fixlets into the database (because of the air gap), and the BES Console will display a status of "Gathering site ...".

After the internal BES Server is set up, download the Make Mirror Archive Tool. This tool is used to download Fixlets and compress them into the format that is taken to the BES Server. The utility only needs to be run on the Gathering Computer, and the files it generates are manually transferred to the Main BES Server. Keeping the tool and the data on removable media, such as a USB key, is preferred.

Step 2: Transferring Fixlet Content

To make Fixlet content available on the isolated network, it must be transferred in from the Gathering Computer. Run MakeMirrorArchive.exe on the Gathering Computer and transfer the resulting files to the Main BES Server. Perform the following steps to update the Fixlet content on the BES Server for the initial installation and for all subsequent updates.

  1. Locate your Fixlet site subscription mastheads and copy them to the Gathering Computer. These mastheads will have been emailed with your license token.
    Important Note: Make sure the Internal BES Server has been subscribed to the Fixlet sites.

  2. Run the following command on the Gathering Computer:
    MakeMirrorArchive.exe sitemasthead.efxm
    You should see data files being created, but the only file that you need to move to the server is the one whose name starts with "archive_". This step must be done for each site to which you subscribe. For example, "BES Support.efxm" is the masthead for the default site "BES Support".

  3. Move the "archive_" files to the Main BES Server. All the individual archive files will need to be put in the "Inbox" folder of the Main BES Server. The "Inbox" folder can be located in the BES Server install folder and the default is "C:\Program Files\Bigfix Enterprise\BES Server\Mirror Server\Inbox". The BES Server will automatically read in the files after they are put into the Inbox and you should see the files disappear very soon after copying them over.
    Note: If you don't see the Fixlets appear in the BES Console shortly after the files disappear from the Inbox, then please verify that you are subscribed to the Fixlet site on the Internal BigFix Server.

  4. To keep the main BES Server up-to-date when new Fixlet content is released, repeat these steps periodically to update the Fixlet content on the main BES Server. You can join the new Fixlet mailing list here to receive notifications on when Fixlets are updated.

Step 3: Transferring Downloaded Files

Deploying Fixlets on the main BES Server will likely require downloaded patches and other files from the Internet. Included in the BES Air Gap Package is the BES Download Cacher utility. This utility helps you download files and transfer them to the main BES Server. It can download every patch in a Fixlet site or a single file from a URL. You can download the current utility here.

Transferring all files from Fixlet sites
  1. Locate the masthead file (.efxm file) for the site whose downloads you want to gather.

  2. Run the BES Download Cacher utility with the following command:
    BES_Download_Cacher.exe -m <MyMasthead.efxm> -x downloads
    This could take a very long time, as it will download every file referenced in the Fixlet site (possibly several gigabytes) and put the files in the "downloads" folder. Note that if the files already exist in the "downloads" folder, they will not be re-downloaded. Files will be named with their sha1 checksum.

  3. When the download finishes, copy the contents of the downloads folder (just the files, not the folder) into the sha1 folder on the main BES Server. The default location for the sha1 folder is "C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1". The BES Server will use these files instead of trying to download them from the internet.

  4. If you run the download cacher later, you can look at the modification time of the files to see which are the newest files that are downloaded. Using this method, you can transfer only the newest files to the Main BES Server instead of copying every file each time.

If you need to download a single file (instead of all the files of a Fixlet site), use the instructions below:

Transferring a single file
  1. Run the BES Download Cacher utility with the following command:
    BES_Download_Cacher.exe -u <url> -x downloads

  2. When the download finishes, copy the contents of the downloads folder (just the file, not the folder) into the sha1 folder on the main BES Server.
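
Because the Download Cacher names each file with its sha1 checksum, the copy step in both procedures above can be checked before anything lands in the sha1 folder. The PowerShell script below is an added example, not part of the BigFix tooling. It assumes each file name is exactly the 40-hex-digit SHA-1 of the content and that the removable media is mounted at E:\downloads, and it skips files already present in the sha1 folder rather than comparing modification times.

```powershell
# Added example (not a BigFix tool): verify Download Cacher output and copy
# only new, intact files into the BES Server sha1 folder.
param(
    # Assumed location of the "downloads" folder on the removable media.
    [string]$Source = 'E:\downloads',
    # Default sha1 folder as given in this document.
    [string]$Sha1Folder = 'C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1'
)

$copied = 0
$skipped = 0
$rejected = @()

foreach ($file in Get-ChildItem -LiteralPath $Source -File) {
    # Assumption: the file name is the hex SHA-1 of the content, no extension.
    if ($file.Name -notmatch '^[0-9a-fA-F]{40}$') {
        $rejected += "$($file.Name): name is not a SHA-1 value"
        continue
    }

    # Recompute the hash; a mismatch means the file was truncated, corrupted
    # or altered somewhere between the download and the transfer.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
    if ($actual -ne $file.Name) {   # -ne ignores case for strings
        $rejected += "$($file.Name): content hashes to $actual"
        continue
    }

    $target = Join-Path $Sha1Folder $file.Name
    if (Test-Path -LiteralPath $target) { $skipped++; continue }

    Copy-Item -LiteralPath $file.FullName -Destination $target

    # Re-hash the copy on the server to catch media or copy errors.
    if ((Get-FileHash -LiteralPath $target -Algorithm SHA1).Hash -ne $file.Name) {
        Remove-Item -LiteralPath $target
        $rejected += "$($file.Name): copy in sha1 folder did not verify, removed"
        continue
    }
    $copied++
}

"Copied: $copied  Already present: $skipped  Rejected: $($rejected.Count)"
$rejected | ForEach-Object { Write-Warning $_ }
if ($rejected.Count -gt 0) { exit 1 }
```

Run it on the main BES Server with the removable media attached. A non-zero exit code means at least one file was rejected and should be downloaded again on the Gathering Computer.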

You may need to increase the size of the cache on the main BES Server so that it does not try to remove any files from the cache. Use the BES Download Cacher to increase the size of the cache with the command:
BES_Download_Cacher.exe -c <Cache Size(Bytes)>

The default size is 1024 MB.

After the files are cached in the BES Server sha1 folder, they will be automatically delivered to the BES Relays/BES Clients when you click on an action in the Fixlet message that references a downloaded file. If the file is not cached, the BES Console will give you a status of "Waiting for Mirror Server" indefinitely after you deploy an action. More information about how the BES cache works is available here.