BigFix for Remote Workforces
Thanks to the novel coronavirus, most of our users are now logging in from home. While this flexibility allows businesses to maintain operations in this extraordinary time it raises several challenges for IT administrators and IT security professionals. Thankfully, HCL BigFix is designed to take remote endpoints into account and provides almost the same management and reporting capability for remote clients.
In an endeavor to support remote clients who are not connected to a VPN, you must have a BigFix relay exposed to the Internet. You'll need to work with your networking professionals to establish a DNS name on the public internet and open communications on port 52311 to that server. The best DNS name to use for a BigFix infrastructure that is already built would be your BigFix root or false root DNS name.
Because this configuration will send data about your computers over the internet you will want to enable encryption. This can be accomplished via the BigFix Administration Tool; however, you will need to ensure that all of your relays and the root server have sufficient processing power to handle the encryption and you will need to distribute the encryption key to all of your relays for them to process encrypted messages. You may also want to enable the enhanced security configuration. The current configuration for BigFix uses the SHA-1 hashing algorithm to validate files. This hashing algorithm has been thoroughly defeated with a chosen prefix collision – meaning an adversary could use a specially crafted file to fool the BigFix environment into distributing something other than the intended file. The enhanced security configuration uses the SHA-256 hashing algorithm which is still secure.
Once you've enabled the proper security for your BigFix infrastructure to accept reports from the Internet and clients are able to find the DMZ relay, they will function much as other BigFix clients. The only exception is that these clients will not receive UDP notifications of new content. They will either only check for new content on the client gather interval OR via a command polling configuration. By enabling command polling and setting an appropriate command polling interval you can ensure that clients receive new content within a reasonable amount of time and that the resources of our internet-facing relay (or relays) are not overwhelmed. In another post, we'll discuss appropriate client settings for various types of remotely-connected clients.