Installing TEM in an Air-Gapped Network (7.2 or prior)

Updated 4/15/14, 6:31 AM by KarenKue

This page covers information that is specific to versions 7.2 or earlier.

The instructions for later versions of IBM Endpoint Manager may vary. For more information, see the following links:

  • For TEM 8.x, see here.
  • For IEM 9.0, see here.
  • For IEM 9.1, see here.


Step 1: Setting up the Network

In addition to the TEM Server which is being configured on the isolated network, you will need a computer which has access to the public Internet, the 'Gathering Computer'. The Gathering Computer will be used to download Fixlet content and file downloads, which will then be transferred to the TEM Server on the isolated network. The Gathering Computer should not be a TEM Relay or a TEM Server.

Note: The first section must be completed on a computer with Internet access.

On a computer that has Internet access, start the installation using the standard installation instructions. Follow steps 1 through 8 using the licensing authorization file you have been provided in email. This will generate the licensing files you need: License.pvk and License.crt. The Internet-connected computer is needed only to generate this licensing information: these files and your password.

Continue running the setup process on the TEM Server on the internal network using the standard installation instructions, starting from step 9. Select the option "Use a production License I already have" and continue the installation. When the TEM Server installation is complete, subscribe to each Fixlet site that you are licensed to use by double-clicking on the Fixlet site mastheads and loading them in the TEM Console.

After you subscribe to each Fixlet site masthead, you will not be able to actually gather the Fixlets into the database (because of the air gap), and the TEM Console will display a status of "Gathering site ...".

After the internal TEM Server is set up, download the Make Mirror Archive Tool. This tool is used to download Fixlets and compress them into the format that is taken to the TEM Server. The utility only needs to be run on the Gathering Computer, and the files it generates are manually transferred to the Main TEM Server. Keeping the tool and the data on removable media, like a USB key, is preferred.

Step 2: Transferring Fixlet Content

In order to make Fixlet Content available on the isolated network, it will need to be transferred in from the Gathering Computer. You will run the MakeMirrorArchive.exe on the Gathering Computer and transfer the resulting files to the Main TEM Server. Perform the following steps to update the Fixlet content on the TEM Server on initial installation and all subsequent updates.

  1. Locate your Fixlet site subscription mastheads and copy them to the Gathering Computer. These mastheads will have been emailed with your license token.

    Important Note: Make sure the Internal TEM Server has been subscribed to the Fixlet sites.
  2. Run the following command on the Gathering Computer:

    MakeMirrorArchive.exe sitemasthead.efxm

    You should see data files get created, but the only file that you will need to move to the server starts with "archive_". This step will need to be done for each site to which you subscribe. For example, "BES Support.efxm" would be the masthead for the default site "BES Support".
  3. Move the "archive_" files to the Main TEM Server. All the individual archive files will need to be put in the "Inbox" folder of the Main TEM Server. The "Inbox" folder can be located in the TEM Server install folder and the default is "C:\Program Files\Bigfix Enterprise\BES Server\Mirror Server\Inbox". The TEM Server will automatically read in the files after they are put into the Inbox and you should see the files disappear very soon after copying them over.

    Note: If you don't see the Fixlets appear in the TEM Console shortly after the files disappear from the Inbox, then please verify that you are subscribed to the Fixlet site on the Internal BigFix Server.
  4. To keep the main TEM Server up-to-date when new Fixlet content is released, repeat these steps periodically to update the Fixlet content on the main TEM Server. You can join the new Fixlet mailing list here to receive notifications on when Fixlets are updated.


Step 3: Transferring Downloaded Files

Deploying Fixlets on the main TEM Server will likely require downloaded patches and other files from the Internet. Included in the TEM Air Gap Package is the TEM Download Cacher utility. This utility will help you in downloading and transferring files to the main TEM Server. The utility can help to download every patch in a Fixlet site or single file downloads from a URL. You can download the current utility here.

Some sites require additional steps to download content from patch vendors that restrict access. Please see the following Knowledge documents that describe using a tool to manually download patch binary data for Solaris, Red Hat Enterprise Linux, SuSE Linux Enterprise, and AIX. These sites would require a three-step process:

  1. Run the BESAirgapTool.exe as described above to download Fixlets and Tasks for each site,
  2. Run the TEM Download Cacher utility to download any site tools from IBM TEM, and
  3. Run the download tool for each vendor to download patch contents.

Transferring all files from Fixlet sites

  1. Locate the masthead file (.efxm file) for the site you want to gather downloads.
  2. Run the TEM Download Cacher utility with the following command:

    BES_Download_Cacher.exe -m <MyMasthead.efxm> -x downloads

    This could take a very long time as it will download every file referenced in the Fixlet site (maybe several Gigabytes) and put the files in the "downloads" folder. Note that if the files already exist in the "downloads" folder, they will not be re-downloaded. Files will be named with their sha1 checksum.
  3. When the download finishes, copy the contents of the downloads folder (just the files, not the folder) into the sha1 folder on the main TEM Server. The default location for the sha1 folder is "C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1". The TEM Server will use these files instead of trying to download them from the internet.
  4. If you run the download cacher later, you can look at the modification time of the files to see which are the newest files that are downloaded. Using this method, you can transfer only the newest files to the Main TEM Server instead of copying every file each time.
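
Because the cached files are named with their sha1 checksum, the name can be checked against the contents before anything is carried across the air gap. The following is an added example, not part of the TEM tooling: it stages only files newer than the previous transfer whose contents match their name. It assumes the names are bare 40-digit hex SHA-1 values with no extension; `stage_verified` and the staging folder are hypothetical names.

```python
"""Added example: verify cached downloads before carrying them across the air gap.

Assumption (from the page): each file in the downloads folder is named with the
SHA-1 checksum of its contents, taken here to be 40 hex digits, no extension.
"""
import hashlib
import re
import shutil
import sys
from pathlib import Path

SHA1_NAME = re.compile(r"[0-9a-f]{40}")


def sha1_of(path, chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte patches do not fill memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_verified(downloads, staging, since=0.0):
    """Copy files modified after `since` (epoch seconds) whose name matches
    their SHA-1 into `staging`; return (staged, rejected) lists of names."""
    staging = Path(staging)
    staging.mkdir(parents=True, exist_ok=True)
    staged, rejected = [], []
    for item in sorted(Path(downloads).iterdir()):
        if not item.is_file() or item.stat().st_mtime <= since:
            continue  # skip subfolders and files already transferred
        name = item.name.lower()
        if SHA1_NAME.fullmatch(name) and sha1_of(item) == name:
            shutil.copy2(item, staging / item.name)  # copy2 keeps the mtime
            staged.append(item.name)
        else:
            rejected.append(item.name)  # truncated, altered, or stray file
    return staged, rejected


if __name__ == "__main__":
    # Usage: python stage_downloads.py <downloads> <staging> [since-epoch]
    since = float(sys.argv[3]) if len(sys.argv) > 3 else 0.0
    ok, bad = stage_verified(sys.argv[1], sys.argv[2], since)
    print(f"{len(ok)} staged, {len(bad)} rejected: {bad}")
    sys.exit(1 if bad else 0)
```

Copy the contents of the staging folder into the sha1 folder on the main TEM Server; a rejected file should be deleted from the downloads folder and fetched again by rerunning the Download Cacher.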

If you need to download a single file (instead of all the files of a Fixlet site), use the instructions below:

Transferring a single file

  1. Run the TEM Download Cacher utility with the following command:

    BES_Download_Cacher.exe -u <url> -x downloads
  2. When the download finishes, copy the contents of the downloads folder (just the file, not the folder) into the sha1 folder on the main TEM Server.

You may need to increase the size of the cache on the main TEM Server so that it does not try to empty any files from the cache. Use the TEM Download Cacher to increase the size of the cache with the command:

BES_Download_Cacher.exe -c <Cache Size(Bytes)>


The default size is 1024 MB.

After the files are cached in the TEM Server sha1 folder, they will be automatically delivered to the TEM Relays/Clients when you click on an action in the Fixlet message that references a downloaded file. If the file is not cached, the TEM Console will give you a status of "Waiting for Mirror Server" indefinitely after you deploy an action. More information about how the TEM cache works is available here.