
What are the network requirements for Tivoli Endpoint Manager Clients to access the BigFix Server?

Technote (troubleshooting)


Problem(Abstract)

BigFix Clients communicate with the BigFix Server by connecting to a web server using the TCP/IP protocol over a configurable port (default port is 52311). The BigFix Server communicates with the BigFix Clients by sending UDP packets over a configurable port (default port is 52311). The BigFix Server communicates with BigFix Relays using TCP/IP protocol over a configurable port (default port is 52311).

Resolving the problem

Communication between BigFix Clients and the BigFix Server occurs as follows:

Note: We do not test using NAT'd configurations. All components assume they are connecting using the ports configured and defined in the masthead of the deployment (default: 52311).

  • BigFix Clients communicate with the BigFix Server by connecting to a web server using the TCP/IP protocol over a configurable port (default port is 52311). Using this mechanism, the BigFix Clients gather the latest Fixlet messages, report relevant Fixlet messages, report action status, etc.
  • The BigFix Server communicates with the BigFix Clients by sending UDP packets over a configurable port (default port is 52311). Using this mechanism, the BigFix Server notifies the BigFix Clients about a new site that has been gathered, about refreshes, etc.
  • The BigFix Server communicates with BigFix Relays using TCP/IP protocol over a configurable port (default port is 52311) to tell the BigFix Relays about new actions, Fixlet messages, etc.

In order for BigFix to work properly, BigFix Clients must be able to access the server on the specified IP address (or hostname) and port number. However, it is not necessary that the BigFix Server be able to reach the BigFix Clients because the BigFix Clients periodically check in to the BigFix Server to see if there is any new data (this is known as the 'action site gather interval').

Note: Although this configuration works, there will often be a delay for the BigFix Clients to communicate with the BigFix Server when deploying an action and when a new Fixlet site is gathered. Sending a refresh to the BigFix Client will also not work.

The action site gather interval is configurable in the masthead and through a custom action. See KB article 185 for more information. Examples of configurations that will work with BigFix are:

  • The BigFix Clients and the BigFix Server are on the same LAN with no firewalls or NATs in between.
  • The BigFix Clients and the BigFix Server are located in different geographic areas, but a VPN connection allows the BigFix Clients to access the BigFix Server on the specified port.
  • The BigFix Server is located outside of a firewall with a publicly accessible IP address and the BigFix Clients are located within a LAN.
    Note: Although this configuration will work, for security reasons we recommend that the BigFix Server be located inside a LAN with a firewall protecting it from public access.

Examples of configurations that will not work with BigFix are:

  • The BigFix Clients are located outside of a LAN and cannot access the IP address of the BigFix Server located within the LAN.
  • A firewall or some other device between the BigFix Client and the BigFix Server blocks the port that BigFix is configured to use.

Untested configurations include the following:

  • Configurations where the BigFix Client is separated from its parent using VPN software.
  • Configurations where a NAT device separates the BigFix Client from its parent.

The client attempts to communicate over the port defined for the deployment using the client's standard TCP/IP networking.
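The following script is an added example, not IBM's tooling, that turns the rules above into a pre-deployment check: the client must reach the server over TCP on the masthead port, and the server's UDP notifications are probed by sending one datagram from the server host to a listener started on the client host. The functions are assumed to be run on the respective hosts; no BigFix component is involved.

```python
import socket
from typing import Optional

DEFAULT_PORT = 52311  # default masthead port from the technote


def tcp_reachable(host: str, port: int = DEFAULT_PORT, timeout: float = 3.0) -> bool:
    """Client -> server: can we open a TCP connection on the masthead port?
    This is the mandatory path: without it BigFix does not work at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_udp_listener(port: int = DEFAULT_PORT, bind_host: str = "0.0.0.0") -> socket.socket:
    """Run on the client host BEFORE the BigFix client is installed (a running
    client holds this port itself): bind the UDP port the server notifies on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, port))
    return sock


def send_udp_probe(client_host: str, port: int = DEFAULT_PORT,
                   payload: bytes = b"bigfix-udp-probe") -> int:
    """Run on the server host: send one datagram along the same path the
    server's notification takes (server -> client, UDP, masthead port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (client_host, port))


def receive_probe(listener: socket.socket, timeout: float = 5.0) -> Optional[bytes]:
    """Return the probe payload if it arrived within the timeout, else None
    (a firewall or NAT in between dropped the server's UDP notification)."""
    listener.settimeout(timeout)
    try:
        data, _ = listener.recvfrom(1024)
        return data
    except socket.timeout:
        return None


def verdict(tcp_ok: bool, udp_ok: bool) -> str:
    """Map the two results onto the outcomes the technote describes."""
    if not tcp_ok:
        return "will not work: client cannot reach the server on the masthead port"
    if not udp_ok:
        return ("works with delay: actions and new sites are picked up only at "
                "the action site gather interval, and refreshes will not work")
    return "ok: TCP to server and UDP notifications both work"
```

A verdict of "works with delay" corresponds to the client-only reachability case described above: deployment still functions, but only at the action site gather interval.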

Historical Number

37

Document information

More support for: IBM BigFix family

Software version: Version Independent

Operating system(s): Platform Independent

Software edition: Edition Independent

Reference #: 1505811

Modified date: 2015-12-01