Through specially configured BigFix relays, BigFix Clients that are only connected to the Internet can be fully managed as if they were within the corporate network - no VPN required! Using this approach, computers that are outside of the corporate network (at home, in airports, at coffee shops, etc.) can be managed by BigFix including:

This configuration is especially useful for managing mobile devices that are often disconnected from the corporate network. The architecture diagram below shows a typical Internet-facing BigFix Relay as it would reside in a DMZ network:



Setting up an Internet-facing BigFix Relay is a matter of allowing external BigFix Clients to find and connect to a BigFix Relay. In our example design:

  1. A BigFix Relay would be deployed in a DMZ, and the internal DMZ firewall would allow only BigFix traffic (HTTP, port 52311) between the DMZ relay and a designated BigFix Relay within the corporate network. The design above suggests bi-directional traffic, as opposed to only allowing the Internet-facing BES Relay to initiate network connections to the BES Relay on the internal corporate network. Bi-directional traffic allows quicker BigFix Client response times, since the internal relay can immediately notify the Internet-facing BES Relay of new content, keeping content synchronized in near real time. Should bi-directional communication between the Internet-facing BES Relay and the BES Relay in the corporate network not be allowed, the Internet-facing BES Relay will have to be configured to periodically poll its parent (the BES Relay within the corporate network) for new content. (See http://support.bigfix.com/bes/misc/besconfigsettings.html for more details about configuring command polling.)
  2. Once BigFix Relay communication is established between the DMZ and the internal/corporate network, the external firewall would also have to be opened to allow Internet-based BigFix Client traffic (HTTP port 52311) to reach the DMZ relay. In addition, allowing ICMP traffic through the external firewall to the Internet-facing BigFix Relay can aid in the external client's auto-relay selection process.
  3. Next, a DNS-alias (or IP address) would be assigned to the BigFix Relay that would allow external BigFix Clients to find the DMZ-based Internet Relay. The DNS-alias must be resolvable to a specific IP address.
  4. The BigFix Relay must be made aware of the DNS-alias (or IP address). Do so by deploying the BigFix Support site task "BigFix Relay Setting: Name Override" to the DMZ-based Internet Relay.
  5. With the entire BigFix communication path established from the Internet through the DMZ-based Internet Relay and ultimately to the main BigFix Server, the next step depends on the various relay selection methods available in a given BigFix infrastructure/instance:
  6. Dynamic Policy Settings can be applied to Internet-based BigFix Clients to allow for configurations better suited to external agents. For example, since the normal notification method for new content (a UDP ping on port 52311) will likely not reach external BigFix Clients, dynamic settings can be used to have BigFix Clients check for new content more frequently than the default period of 24 hours. (See http://support.bigfix.com/cgi-bin/kbdirect.pl?id=185 for more information on setting up command polling.)

Note that you should consider disabling the "Relay Diagnostics" page at http://relayname:port/rd for Internet Relays by setting the client setting "_BESRelay_Diagnostics_Enable" = "0".
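As an added example (not part of the original article or of BigFix itself), the following Python script audits the settings an Internet-facing relay or Internet-based client should carry after steps 1 to 6 and the note above: relay diagnostics disabled, command polling enabled, and a poll interval short enough to replace the UDP notifications the firewall blocks. It assumes the besclient.config section/`value =` layout used by Linux BigFix agents; the sample configs are constructed, and the two command-polling setting names are standard BigFix client settings not named on this page.

```python
import re
from typing import Dict, List

# besclient.config stores each setting as a section under this path (assumption).
PREFIX = "Software\\BigFix\\EnterpriseClient\\Settings\\Client\\"
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_besclient_config(text: str) -> Dict[str, str]:
    """Return {setting name: value} from besclient.config-style text."""
    settings: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        key, _, val = line.partition("=")
        # Only the "value" line matters; "effective date" lines are ignored.
        if key.strip() == "value" and section and section.startswith(PREFIX):
            settings[section[len(PREFIX):]] = val.strip()
    return settings


def audit_internet_relay(settings: Dict[str, str], max_poll_seconds: int = 3600) -> List[str]:
    """Findings for a DMZ relay or Internet client, per the design above."""
    findings = []
    # Missing _BESRelay_Diagnostics_Enable means the /rd page is served.
    if settings.get("_BESRelay_Diagnostics_Enable", "1") != "0":
        findings.append("relay diagnostics page (/rd) reachable; set _BESRelay_Diagnostics_Enable = 0")
    if settings.get("_BESClient_Comm_CommandPollEnable", "0") != "1":
        findings.append("command polling disabled; UDP notifications will not cross the firewall")
    else:
        interval = int(settings.get("_BESClient_Comm_CommandPollIntervalSeconds", "86400"))
        if interval > max_poll_seconds:
            findings.append(f"command poll interval {interval}s exceeds {max_poll_seconds}s")
    return findings


# Constructed sample: a relay left at defaults except that polling was turned on.
SAMPLE_CONFIG = """\
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_BESRelay_Diagnostics_Enable]
value = 1
effective date = Tue, 01 Jan 2019 00:00:00 +0000
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_BESClient_Comm_CommandPollEnable]
value = 1
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_BESClient_Comm_CommandPollIntervalSeconds]
value = 86400
"""

if __name__ == "__main__":
    for finding in audit_internet_relay(parse_besclient_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```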