Manage Amazon (AWS), Azure or IBM Cloud instances with IBM BigFix

IBM BigFix provides clients with the ability to manage hundreds of thousands of endpoints from a single console.  These can be a range of operating system types such as Windows, Linux, Apple Mac OSX and Unix.  Oh, don’t forget mobile devices too!

You can install your BigFix environment with a relay running in your DMZ, which lets you manage your mobile workforce and public cloud resources too.  A BigFix relay is simply an existing BigFix agent that has been given a few additional tasks.  Relays reduce bandwidth use and load on the BigFix server, and they act as a proxy between externally managed devices and your internal network, so internet-facing clients never connect to the BigFix server directly.

Your public instances will typically be Windows or Linux operating systems running on your public cloud of choice such as Amazon Web Services (AWS), Azure or IBM Cloud.


Configuring the BigFix Client for Public Internet Instances
Each operating system you wish to manage needs to have the BigFix agent installed.  IBM offers a range of agents for Windows, Linux, Mac OS X, IBM AIX, HP-UX and Solaris.  When the BigFix agent starts, it attempts to register itself with your BigFix server, using the details stored in actionsite.afxm (the masthead.afxm file, renamed).  This file is unique to your BigFix server and is stored on the server in the Program Files (x86)\BigFix Enterprise\BES Installers\Client directory.

Of course, if you have a public cloud instance, the BigFix client won’t be able to reach your privately hosted BigFix server.  You need to give the client a few additional details so it can ‘phone home’: the DNS name or IP address of your relay in the DMZ.  Your firewall must also allow the cloud instances to reach that relay on the BigFix port (TCP 52311 by default).  These details are stored in the clientsettings.cfg file.  The following article provides details on how to configure this, but all it requires is one or two lines, as shown in this example:


Of course, use your own relays’ DNS names. The clientsettings.cfg file is read when the BigFix client is installed, so it must be in place before the first start.

Deploying your BigFix Clients
You may wish to deploy your BigFix clients using the client deployment tool, Active Directory or a login script, as I detailed here. However, for a public cloud environment some platforms provide image deployment capabilities. Much like VMware’s powerful image template feature, with your cloud provider you create a ‘gold image’ with your desired operating system, fixes, software and BigFix agent installed. You need to follow the instructions in this article so that the BigFix agent is ready to work correctly as new instances are deployed from this image; in particular, the client’s computer identity must be cleared from the image, otherwise every instance cloned from it registers as the same computer in the console.

Amazon Web Services (AWS)
With AWS, you can create your gold image by creating an instance, shutting it down and selecting Actions – Create Image. You then have an AMI from which you can deploy new instances as shown below. AWS also provides the EC2Config service, which handles Sysprep and other image configuration tasks.


With SoftLayer, you can use the same approach with their Flex Image. SoftLayer also lets you supply a post-provisioning script that runs on a newly provisioned device, which is another way to configure client settings if required.
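As an added example (not from the original post and not IBM’s own code), the bash script below covers the two steps above for a Linux instance: writing clientsettings.cfg so the client reports through the DMZ relay, checking that the relay is reachable on the BigFix port, and clearing the client’s identity before the instance is captured as an AMI or Flex Image. The data directory, the besclient.config layout and the identity key names (ComputerID, RegCount, ReportSequenceNumber) are assumptions to verify against the BigFix documentation for your version; the relay hostnames are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from IBM: prepare a Linux
# BigFix client on a public cloud instance so it reports through a DMZ relay,
# then scrub per-machine identity before the instance is snapshotted as a
# gold image. Assumptions (check against your BigFix version's docs):
#   - Linux client data directory is /var/opt/BESClient and its config file
#     is besclient.config, with keys written as "Key = Value"
#   - the identity keys to clear are ComputerID, RegCount and
#     ReportSequenceNumber; clones that keep them register as one computer
#   - the relay listens on the BigFix default TCP port 52311
# Relay hostnames are placeholders.
set -u

BESCLIENT_VAR="${BESCLIENT_VAR:-/var/opt/BESClient}"
BES_PORT=52311

# Write clientsettings.cfg. The client reads it at install/first start, so it
# must be in place before the image is captured. __RelaySelect_Automatic=0
# stops the cloud client trying to discover internal relays it can never reach.
write_clientsettings() {
    local relay1="$1" relay2="$2" out="$3"
    cat > "$out" <<EOF
__RelayServer1=http://${relay1}:${BES_PORT}/bfmirror/downloads/
__RelayServer2=http://${relay2}:${BES_PORT}/bfmirror/downloads/
__RelaySelect_Automatic=0
EOF
}

# Return 0 if the relay answers on 52311. A DMZ firewall rule that only admits
# the corporate address range leaves the cloud client silently unregistered,
# so test from the instance itself before baking the image.
relay_reachable() {
    local host="$1"
    timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${BES_PORT}" 2>/dev/null
}

# Remove everything that makes this client unique so each instance cloned
# from the image registers as a new computer: the __BESData cache and the
# identity keys in besclient.config. Run with the client stopped.
scrub_client_identity() {
    local base="$1" cfg tmp
    rm -rf "${base}/__BESData"
    cfg="${base}/besclient.config"
    [ -f "$cfg" ] || return 0
    tmp="$(mktemp)"
    grep -v -E '^(ComputerID|RegCount|ReportSequenceNumber)[[:space:]]*=' "$cfg" > "$tmp" || true
    mv "$tmp" "$cfg"
}

# Return 0 when no identity keys remain in the given config file.
identity_scrubbed() {
    ! grep -q -E '^(ComputerID|RegCount|ReportSequenceNumber)[[:space:]]*=' "$1"
}

# Usage on the instance you are about to snapshot. Runs only when asked, so
# sourcing this file has no side effects.
if [ "${1:-}" = "prepare-image" ]; then
    write_clientsettings relay1.example.com relay2.example.com "${BESCLIENT_VAR}/clientsettings.cfg"
    relay_reachable relay1.example.com || echo "warning: relay1 not reachable on ${BES_PORT}" >&2
    systemctl stop besclient 2>/dev/null || service besclient stop
    scrub_client_identity "$BESCLIENT_VAR"
    identity_scrubbed "${BESCLIENT_VAR}/besclient.config" && echo "client identity cleared; snapshot now"
fi
```

Run it as `sudo ./prepare-bigfix-image.sh prepare-image` as the last step before Create Image, and do not start the client again on the template itself, or it will re-register and the identity will have to be cleared once more.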

Console Management
When your instances start for the first time, they will automatically register with the BigFix server through the DMZ relay and be visible in the console. You’ll then be able to provide the following services from your console. This is possible for your private AND public instances!

  • Patch Management – Operating System Patches, plus a number of 3rd party applications such as Java, Adobe etc.
  • Core Protection – Anti-virus/Anti-malware
  • Security and Compliance – security checklists such as CIS, DISA STIG, FDCC and USGCB.
  • Software Usage
  • Remote Control

If you have BigFix baselines enabled, you can then be assured that those endpoints are automatically patched to a minimum level and that an appropriate security posture is applied. IBM BigFix provides per-server licensing, so you pay only for the instances that need to be managed. It would be great to hear from you if you’re managing Windows or Linux instances on AWS or SoftLayer.



How will you support Windows XP after the 8th April 2014?

Buried inside many devices we don’t consider as PCs lurks Windows XP.  These are devices like cash registers, vending machines, parking meters and automatic teller machines (ATMs).

Whilst Linux is one alternative, Windows XP has provided the right mix of reliability, multitasking and wide device support that many organisations have needed.  This trusty operating system was released back in 2001 and its support is finally ending on April 8, 2014.   That’s less than 162 days from now!

For your home PC, popping in a Windows 7 DVD and doing an upgrade isn’t a big deal. However, for organisations running ‘purpose specific’ devices on XP, this will involve an incredible amount of time and effort.

A recent article by Kevin Casey from Information Week advised that presently “around 75% of ATMs in the U.S. are based on XP”.   I recently met with a retailer who advised their cash registers were tuned only for Windows XP.  They simply won’t have the CPU and memory resources to run Windows 7.   When you consider they have thousands of cash registers that might need to be replaced, it’s a significant outlay.  So many organisations are understandably looking for ways to manage XP for longer if they can.

The good news is that IBM Endpoint Manager (IEM) continues to support the Windows XP operating system.   This includes our Core Protection module, which provides anti-virus/anti-malware.   This capability is critical for ATMs and cash registers, as attackers begin to target these devices; malware has already been reported on ATMs in Mexico running Windows XP.

The Security and Compliance feature of IEM, consists of security checklists for Windows XP such as CIS, DISA STIG, FDCC and USGCB.

If you are in the position to upgrade these devices, IBM Endpoint Manager has an operating system deployment capability.  This means you can remotely upgrade these endpoints to Windows 7 or Windows 8  (whether that be in-place or bare metal).

IBM Endpoint Manager can protect hundreds of thousands of endpoints, even those connected over very low bandwidth and high latency networks. This capability ensures a bank running IEM can update its ATMs reliably from a single console.   For another financial client, SunTrust, this meant their patch cycle times reduced from 2-3 weeks to 2-3 days.

How are you preparing to migrate from Windows XP?   How will you support it if you don’t?