IBM BigFix provides clients with the ability to manage hundreds of thousands of endpoints from a single console. These can be a range of operating system types such as Windows, Linux, Apple Mac OSX and Unix. Oh, don’t forget mobile devices too!
You can install your BigFix environment with a relay running in your DMZ, so you can also manage your mobile workforce and public cloud resources. A BigFix relay is simply an existing IEM agent that's been given a few additional tasks. Relays provide bandwidth and server scaling benefits, and act as a proxy between externally managed devices and your internal network.
Your public instances will typically be Windows or Linux operating systems running on your public cloud of choice such as Amazon Web Services (AWS), IBM Softlayer or Microsoft Azure.
Configuring the IEM Client for Public Internet Instances
Each operating system you wish to manage needs to have the BigFix agent installed. IBM offers a range of agents for Windows, Mac OSX, IBM AIX, HP-UX and Solaris. When the BigFix agent starts, it attempts to register itself with your BigFix server, using details stored in the actionsite.afxm file (renamed from the masthead.afxm file). This file is unique to your IEM server and is stored on your IEM server in the Program Files (x86)\BigFix Enterprise\BES Installers\Client directory.
Of course, if you have a public cloud instance, the BigFix client won't be able to reach your privately hosted BigFix server. You need to give the client a few additional details so it can 'phone home': your relay in the DMZ and its DNS name or IP address. These details are stored in the clientsettings.cfg file. The following article provides details on how to configure this, but all it requires is just one or two lines as shown in this example:
Of course, use your DNS server names. The clientsettings.cfg file is used when the BigFix client is installed.
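A check you could run against clientsettings.cfg before baking it into an image, added here as an example and not taken from the original article or from IBM. It assumes the file uses the `__RelayServer1` / `__RelayServer2` settings with the relay URL form from the BigFix documentation; the host names and addresses in the samples are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples: relay names and addresses are placeholders.
SAMPLE_GOOD = """\
__RelayServer1=http://relay1.example.com:52311/bfmirror/downloads/
__RelayServer2=http://relay2.example.com:52311/bfmirror/downloads/
"""
SAMPLE_BAD = """\
__RelayServer1=http://10.0.0.15:52311/bfmirror/downloads/
__RelayServer2=relay2.example.com
"""

def parse_settings(text):
    """Parse name=value lines; blank or malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings

def check_relay_settings(text):
    """Return a list of findings; an empty list means no problem was found."""
    settings = parse_settings(text)
    findings = []
    if "__RelayServer1" not in settings:
        findings.append("__RelayServer1 is missing")
    for key in ("__RelayServer1", "__RelayServer2"):
        if key not in settings:
            continue
        url = urlsplit(settings[key])
        if not url.scheme or not url.hostname:
            findings.append(f"{key} is not a full URL: {settings[key]}")
            continue
        try:
            # A literal private address is unreachable from a public instance.
            if ipaddress.ip_address(url.hostname).is_private:
                findings.append(f"{key} uses a private address: {url.hostname}")
        except ValueError:
            pass  # a DNS name, not a literal IP; resolution is not checked here
    return findings

if __name__ == "__main__":
    for finding in check_relay_settings(SAMPLE_BAD):
        print(finding)
```

The check only inspects the text of the file; it does not resolve DNS names or contact the relay.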
Deploying your IEM Clients
You may wish to deploy your BigFix clients using the client deployment tool, Active Directory or login script as I detailed here. However, for a public cloud environment, some platforms provide image deployment capabilities. Much like VMware's powerful image template feature, with your cloud provider you will create a 'gold image' with your desired operating system, fixes, software and IEM agent installed. You need to follow the instructions in this article so the IEM agent is ready to work correctly as new instances are deployed from this image.
Amazon Web Services (AWS)
With AWS, you can create your gold image by creating an instance, shutting it down and selecting Actions – Create Image. You then have an AMI from which you can deploy new Instances as shown below. AWS provide the EC2Config service to also provide Sysprep and other image configuration features.
With Softlayer, you can use the same approach with their Flex Image. Softlayer also provides the ability to run a script on a newly provisioned SoftLayer device, which is another approach to configuring client settings if required.
When your instances start for the first time, they will automatically register to the BigFix server and be visible in the console. You'll then be able to provide the following services from your console. This is possible for your private AND public instances!
- Patch Management – Operating System Patches, plus a number of 3rd party applications such as Java, Adobe etc.
- Core Protection – Anti-virus/Anti-malware
- Security and Compliance – security checklists such as CIS, DISA STIG, FDCC and USGCB.
- Software Usage
- Remote Control
If you have BigFix baselines enabled, you can then be assured that those endpoints are automatically patched to a minimum level and an appropriate security posture is applied. IBM BigFix provides per server licensing, so you pay as those instances need to be managed. It would be great to hear from you if you’re managing Windows or Linux instances on AWS or Softlayer.