BigFix - Create a False Root Server
What is a False Root Server?
By default in BigFix, when a client initially checks in, it looks to its masthead file to add itself to the environment. As environments get larger, you want to limit clients reporting back to your main BigFix server so that it can focus on other tasks and run more efficiently. In the past you could change your internal DNS so that your BIGFIXSERVERNAME didn't resolve to your root BigFix server and resolved to a relay instead. This limited communication to your BigFix server while still allowing clients to register properly. You would then modify the hosts file of your false root server so that only the false root could resolve BIGFIXSERVERNAME and would be the only machine talking to the root server.
Why do I want a False Root Server?
To limit the number of clients trying to report back to your BigFix server, which increases performance. Also, if by chance all of your relay servers go down, your clients can report to the false root instead of all reporting back to your BigFix server. This offloads the pain your BigFix server would otherwise see and allows you to process actions faster in a crisis. Once your BigFix server grows past a certain point (say 10,000 or more devices), it makes sense to look into implementing one.
A 9.5 release made it possible to configure a false root through the BESAdmin tool, using the last fallback relay setting.
On your BigFix Server open the BigFix Administration Tool
Edit Masthead
Here we are going to use fallbackrelay.company.com
Internally this DNS name is going to register to our fallbackrelay with an address of 192.168.34.12
Externally we will have the DNS name register to our DMZ relay.
Once you make the change, wait a few minutes and it will propagate to your masthead. You can open your local client's masthead in Notepad and look for this line
At the network level you can now restrict traffic so that only your false root and top-level relays can communicate on port 52311 with your BigFix server. This will stop clients from registering with your main BigFix server going forward, and they will register on and to falseroot.company.com.
Now when you install a new client, you can check that it installs and registers successfully to your false root and not to your main BigFix server.
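One way to confirm the layout from an ordinary client machine, as an added example (not part of the original article or of BigFix itself): it checks that the fallback relay name resolves to the internal address used above, that the fallback relay answers on port 52311, and that the root server no longer does. The function names are hypothetical, and the root server name is passed in because the article only gives it as BIGFIXSERVERNAME.

```python
import socket
import sys

BES_PORT = 52311  # port named in the article


def resolves_to(name, expected_ip, resolver=socket.gethostbyname_ex):
    """True if expected_ip is among the IPv4 addresses `name` resolves to."""
    try:
        return expected_ip in resolver(name)[2]
    except OSError:  # socket.gaierror (name not found) is an OSError
        return False


def tcp_reachable(host, port=BES_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False


def check_client_view(root_host, fallback_name, fallback_ip,
                      resolver=socket.gethostbyname_ex, probe=tcp_reachable):
    """Run on an ordinary client; an empty list means the layout is as intended."""
    findings = []
    if not resolves_to(fallback_name, fallback_ip, resolver):
        findings.append(f"{fallback_name} does not resolve to {fallback_ip}")
    if not probe(fallback_name, BES_PORT):
        findings.append(f"{fallback_name} not reachable on {BES_PORT}")
    # An ordinary client should be blocked from the root server by the firewall.
    if probe(root_host, BES_PORT):
        findings.append(f"root server {root_host} still reachable on {BES_PORT}")
    return findings


if __name__ == "__main__":
    # Usage: check_falseroot.py ROOT_SERVER [FALLBACK_NAME] [FALLBACK_IP]
    if len(sys.argv) < 2:
        sys.exit("usage: check_falseroot.py ROOT_SERVER [FALLBACK_NAME] [FALLBACK_IP]")
    name = sys.argv[2] if len(sys.argv) > 2 else "fallbackrelay.company.com"
    ip = sys.argv[3] if len(sys.argv) > 3 else "192.168.34.12"
    problems = check_client_view(sys.argv[1], name, ip)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it from a client subnet, not from the false root or a top-level relay, since those are meant to reach the root server on 52311.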
Treating Customers as the Lifeblood of the Business
3 months ago
Dear BigFix admins reading this. An hour of effort up front, right now, before you realize you need this will save you a very bad day in the future. This is your ounce of prevention, apply it now while it's easy.
Fake Root = Real Life Win