BigFix Internet Relays
Through specially configured BigFix relays, BigFix Clients that are only connected to the Internet can be fully managed as if they were within the corporate network - no VPN required! Using this approach, computers that are outside of the corporate network (at home, in airports, at coffee shops, etc.) can be managed by BigFix including:
- BigFix Clients can report their updated properties and Fixlet status.
- BigFix Clients can enforce new security policies defined by a BigFix Console operator.
- BigFix Clients can accept new patch or application deployments.
This configuration is especially useful for managing mobile devices that may often be disconnected from the corporate network. The architecture diagram below shows a typical Internet-based BigFix Relay as it would reside in a DMZ network:
Setting up an Internet-facing BigFix Relay is a matter of allowing external BigFix Clients to find and connect to a BigFix Relay. In our example design:
- A BigFix Relay would be deployed in a DMZ, and the internal DMZ firewall would allow only BigFix traffic (HTTP, port 52311) between the DMZ relay and a designated BigFix Relay within the corporate network. The design above suggests bi-directional traffic, as opposed to only allowing the Internet-facing BES Relay to initiate network connections to the BES Relay within the internal corporate network. Bi-directional traffic allows quicker BigFix Client response times, since the Internet-facing BES Relay is notified immediately of new content and so stays in real-time synchronization with its parent. Should bi-directional communication between the Internet-facing BES Relay and the BES Relay in the corporate network not be allowed, the Internet-facing BES Relay will have to be configured to periodically poll its parent (the BES Relay within the corporate network) for new content. (See http://support.bigfix.com/bes/misc/besconfigsettings.html for more details about configuring command polling.)
- Once BigFix Relay communication is established between the DMZ and the internal/corporate network, the external firewall would also have to be opened to allow Internet-based BigFix Client traffic (HTTP port 52311) to reach the DMZ relay. In addition, allowing ICMP traffic through the external firewall to the Internet-facing BigFix Relay can aid in the external client's auto-relay selection process.
- Next, a DNS-alias (or IP address) would be assigned to the BigFix Relay that would allow external BigFix Clients to find the DMZ-based Internet Relay. The DNS-alias must be resolvable to a specific IP address.
- The BigFix Relay must be made aware of the DNS-alias (or IP address). Do so by deploying the BigFix Support site task "BigFix Relay Setting: Name Override" to the DMZ-based Internet Relay.
- With the entire BigFix communication path established from the Internet through the DMZ-based Internet Relay and ultimately to the main BigFix Server, the next step depends on the relay selection methods available in a given BigFix infrastructure/instance:
  - Manual Relay Selection: BigFix Clients can be configured through the console to manually select the Internet-facing BigFix Relay's DNS-alias (or IP address) as their primary, secondary, or failover relay. (See http://support.bigfix.com/bes/misc/besconfigsettings.html for more details about the failover relay setting.)
  - Automatic Relay Selection: If ICMP traffic has been allowed from the Internet to a DMZ-based Internet Relay, then automatic relay selection can be leveraged to allow BigFix Clients to find the closest BigFix Relay as they move from location to location (either within a corporate network or on the Internet). For external BigFix Clients on the Internet, the only relay they will likely be able to find and connect to will be the Internet-facing BigFix Relay (as, more than likely, ICMP traffic from the Internet would be blocked to the BES Relays within the corporate network).
- Dynamic Policy Settings can be applied to Internet-based BigFix Clients to allow for configurations better suited to external agents. For example, since the normal notification method (a UDP ping on port 52311) for new content will likely not reach external BigFix Clients, dynamic settings can be used to have BigFix Clients check for new content more frequently than the default period of 24 hours. (See http://support.bigfix.com/cgi-bin/kbdirect.pl?id=185 for more information on setting up command-polling).
NOTE: Relay Affiliation, a feature introduced in BigFix 7.0, can also be leveraged to configure BigFix Clients to find the most appropriate BigFix Relay. (See http://support.bigfix.com/bes/install/besrelayaffiliation.html for more details.)
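The firewall rules the design above calls for are few, and the ones that are optional (parent-to-DMZ notifications, ICMP from the Internet) each change how the relay and clients must be configured. The following added example (not BigFix code, and not from the original page) models that rule set and reviews a candidate policy against it: it reports required rules that are missing, the configuration consequence of each optional rule that is absent, and any rule that goes beyond BigFix traffic on port 52311. The host labels and the `Rule` tuple layout are assumptions made for the illustration.

```python
from dataclasses import dataclass
BES_PORT = 52311  # BigFix HTTP port named in the text

@dataclass(frozen=True)
class Rule:
    src: str        # "internet", "dmz-relay" or "internal-relay" (labels assumed)
    dst: str
    proto: str      # "tcp" or "icmp"
    port: int = 0   # 0 for icmp

def allows(rules, src, dst, proto, port=0):
    """True if some rule permits exactly this flow (port must match for tcp)."""
    return any(r.src == src and r.dst == dst and r.proto == proto
               and (proto == "icmp" or r.port == port) for r in rules)

def review_relay_firewall(rules):
    """Return required-rule gaps, design notes and over-permissive rules."""
    missing, notes, excess = [], [], []
    # Internal DMZ firewall: the DMZ relay must reach its parent relay on 52311.
    if not allows(rules, "dmz-relay", "internal-relay", "tcp", BES_PORT):
        missing.append("dmz-relay -> internal-relay tcp/52311")
    # The reverse direction is optional; without it the DMZ relay must poll its parent.
    if not allows(rules, "internal-relay", "dmz-relay", "tcp", BES_PORT):
        notes.append("no parent->DMZ notifications: enable command polling on the DMZ relay")
    # External firewall: Internet clients must reach the DMZ relay on 52311.
    if not allows(rules, "internet", "dmz-relay", "tcp", BES_PORT):
        missing.append("internet -> dmz-relay tcp/52311")
    # ICMP from the Internet is optional; it only enables automatic relay selection.
    if not allows(rules, "internet", "dmz-relay", "icmp"):
        notes.append("no ICMP from Internet: clients need manual relay selection")
    # Any flow beyond the ones above widens the design beyond BigFix traffic.
    for r in rules:
        if r.src == "internet" and r.dst != "dmz-relay":
            excess.append(f"{r}: Internet reaches past the DMZ relay")
        elif r.src == "dmz-relay" and r.dst != "internal-relay":
            excess.append(f"{r}: DMZ relay reaches a host other than its parent relay")
        elif r.proto == "tcp" and r.port != BES_PORT:
            excess.append(f"{r}: port other than {BES_PORT} opened")
    return {"missing": missing, "notes": notes, "excess": excess}

# Constructed rule sets for the two variants the text describes.
BIDIRECTIONAL = [
    Rule("dmz-relay", "internal-relay", "tcp", BES_PORT),
    Rule("internal-relay", "dmz-relay", "tcp", BES_PORT),
    Rule("internet", "dmz-relay", "tcp", BES_PORT),
    Rule("internet", "dmz-relay", "icmp"),
]
POLLING_ONLY = [
    Rule("dmz-relay", "internal-relay", "tcp", BES_PORT),
    Rule("internet", "dmz-relay", "tcp", BES_PORT),
]
```

Running `review_relay_firewall(POLLING_ONLY)` yields no missing or excess rules but two notes, matching the text: the DMZ relay needs command polling and Internet clients need manual relay selection.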