Small to medium-sized enterprises are increasingly seeking Managed Service Providers (MSPs) to help them keep their multiplatform endpoints continuously patched and compliant.
Using BigFix, MSPs can manage hundreds of thousands of endpoints via a single, low-cost, management server per 300K endpoints that is routinely supported by a single FTE and a multi-tenant platform that supports either centralized or delegated administration models. All of this translates into offering the highest quality service at the lowest total cost of ownership, resulting in more cost-effective solutions for end customers.
BigFix is typically installed in a centralized architecture like the one shown below. BigFix can manage thousands of separate customer environments – each with thousands of managed endpoints – without requiring a VPN connection to each client by leveraging BigFix relays. A BigFix relay is any managed endpoint with additional responsibilities that can also work as a distribution point. BigFix can also manage ‘roaming’ endpoints at home, offices, hotels, and cafes.
A single BigFix Enterprise Server at the MSP’s central site can manage up to 300,000 endpoints.
Top Level Relays (MSP Relays)
To manage customer endpoints, the MSP needs to separate the BigFix server from the public internet via one or more relays. Multiple top-level relays may be required over time as extra capacity dictates. Each top-level relay can support up to 1000 child relays, where each child relay is responsible for communicating back to the BigFix Server at the MSP. As a result, one top-level relay could support up to 1000 MSP-managed customers.
A second top-level relay is recommended for redundancy. With two top-level relays, an MSP could support up to 2000 child relays (or managed customers).
Client Relays (Customer Relays)
At each customer office managed by the MSP, it is recommended to install a BigFix Client Relay in their DMZ. By doing so, you avoid unnecessary traffic and greater bandwidth requirements due to each endpoint communicating back to the top-level relays.
A BigFix Client Relay can be installed on any existing server running Windows, Linux or UNIX already located in the DMZ. The Client Relay in the DMZ is simply a BigFix Agent configured to communicate back to a top-level relay. DMZ relays act as an intermediary to ensure secure transit of communication inbound and outbound from the BigFix Enterprise Server. If the Child Relay is a dedicated system, it can support up to 5000 managed endpoints.
Network and DNS Requirements
Ensure you have TCP ports 52311 open at both the MSP and client firewalls. The MSP should also designate the DNS name of the top-level relays for client registration described below. It is unnecessary to define DNS entries for the client relays in each customer network although you might want to for future network diagnosis purposes.
Endpoints for each customer need to register back to the MSP’s BigFix Enterprise Server. Direct communication from the endpoint to the BigFix Server is avoided by configuring remote clients to register via a nearby relay.
Most MSPs will allocate each of their customers a unique Client Identification (CID) as outlined in this wiki article. A CID is used so endpoints at a customer can be easily grouped together. The CID value is defined at endpoint registration with its relay or can be set from the BigFix console.
Once a CID is set for all the endpoints associated with a specific customer, a separate administrator account can be defined that permits only those endpoints that match the specified CID to be managed. BigFix incorporates Role Based Access Control to facilitate proper targeting of endpoints and the applicability of content and reporting. An MSP Administrator creates a set of customer roles, where each role defines a collection of permissions that correlates to a list of privileges. MSP Customers can then be assigned one or more roles according to the privileges that the MSP wishes to provide or delegate to its customers.
Custom Content Sites
There are circumstances that may arise whereby an MSP is required to manage and/or deploy custom content for a specific customer. To avoid all MSP-managed BigFix Clients downloading and evaluating the custom content, the MSP can create “Custom Sites” and subscribe only the BigFix Clients associated with a particular MSP customer to that site.
Also note that by default, the BigFix Operator accounts you create for each customer will have no access to the external content sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc., so you will need to give “read” access for any of the external sites required by a customer-specific BigFix Console Operator account.
Running Actions to remote endpoints
With the above BigFix architecture in place, the administrator can deploy a patch to a remote endpoint and see its progress in real-time. This short video provides an overview of Windows patching using BigFix.
BigFix is an effective endpoint management solution for Managed Service Providers who require a multi-tenant endpoint management solution without the need for complex networking or server requirements.