Installing in an Air-Gapped Network

Updated 10/24/14 5:46 AM by KarenKue

This page covers AirGap installation instructions for TEM 8.2.

The installation instructions for each IBM Endpoint Manager version might vary. For more information, see the following links:

  • For BigFix 7.2 or earlier, see here.
  • For IEM 9.0, see here.
  • For IEM 9.1, see here.
  • For IEM 9.2, see here.

Step 1: Setting up the Network

Note: The AirGap method does not support a configuration where the clients are air-gapped separately from the main TEM server. The clients must be air-gapped along with the main TEM server. The clients must be able to gather across the network from the main TEM server.



In addition to the TEM Server which is being configured on the isolated network, you will need two computers which have access to the public Internet: a 'Site Gathering Computer' and a 'Patch Download Computer'. The Site Gathering Computer will be used to download Fixlet site content using the BESAirgapTool.exe utility, and the Patch Download Computer will be used to download files referenced in Fixlet action scripts. Both the downloaded site content and files will be transferred to the TEM Server on the isolated network. The Site Gathering Computer cannot be a TEM Server or a TEM Relay; the Patch Download Computer can be either a TEM Server or a TEM Relay.

On a computer that has Internet access, use the IBM TEM License Authorization file you have been provided and follow the standard installation instructions up through Part 2, Step 10. This will generate the site's license (license.pvk and license.crt) and masthead (masthead.afxm) files. These files and the private key password are all that are needed to generate the appropriate licensing information. Copy these files to the TEM Server on the isolated network.



On the TEM Server computer on the isolated network, follow the standard installation instructions, but at Part 2, Step 3 choose the option “I want to install with an existing masthead”. A dialog will open that will take you through the steps of selecting the masthead file (masthead.afxm). Continue following the standard installation instructions from Part 2, Step 11.

When the TEM Server, TEM Console, and TEM Client installations are complete, an initial gathering of the BES Support site content will need to be performed using the BESAirgapTool.exe utility (see "Step 2: Transferring Fixlet Content" below) in order to obtain a list of all Fixlet sites for which you are licensed. Once the initial gather is performed, start the TEM Console and navigate to the BigFix Management domain, License Overview dashboard and enable each Fixlet site as desired.

Step 2: Transferring Fixlet Content

BESAirgapTool.exe is located in the TEM Server install directory (C:\Program Files\BigFix Enterprise\BES Server\BESAirgapTool.exe); run the tool from there.

In order to make Fixlet content and product license updates available on the isolated network, the content must be transferred in from a computer with internet connectivity using the following steps:

  1. Run the BESAirgapTool.exe on the TEM Server computer to create a Fixlet update request file. Save this file to a portable drive along with BESAirgapTool.exe and the following DLLs: libBEScrypto_1_0_0_1.dll and libBEScrypto_1_0_0_4.dll. BESAirgapTool.exe will not run successfully unless those two DLL files are in the same directory as BESAirgapTool.exe.
  2. Bring the portable drive to a computer with internet connectivity and run the BESAirgapTool.exe. This will exchange the request file for a response file.
  3. Bring the portable drive back to the TEM Server computer and again run the BESAirgapTool.exe. This will import the response file with Fixlet content and license updates into your deployment.

To keep the main TEM Server up to date when new Fixlet content is released, repeat these steps periodically. You can join the new Fixlet mailing list to receive notifications when Fixlets are updated.

Note on using the BESAirgapTool.exe through a Proxy: http://www.ibm.com/developerworks/forums/thread.jspa?threadID=405499&tstart=555

Additional Notes on using BESAirgapTool.exe through a Proxy for v8.2.1310 and higher:

Add the environment variable "all_proxy" to have a value in the form:
[protocol://][user:password@]machine[:port]

Review the following URL for further details: http://curl.haxx.se/libcurl/c/libcurl-tutorial.html#Proxies

Note that v8.2.1310 of the AirGap tool does not function properly. Download v8.2.1312 from the Utilities page.

Step 3: Transferring Downloaded Files

Deploying Fixlets on the main TEM Server will likely require downloaded patches and other files from the Internet. Included in the BES Air Gap Package is the BES Download Cacher utility. This utility will help you in downloading and transferring files to the main BES Server. The utility can help to download patch contents in a Fixlet site or single file downloads from a url. You can download the current utility here. The BES Download Cacher utility can only be run on a machine that also has the BESRELAY service installed and running.

You can use the BES Download Cacher CMD line options and avoid the need for the machine to have the BESRelay service.

An example to download BES Asset Discovery:

BESDownloadCacher.exe -x C:\Temp -m "C:\BES Asset Discovery.efxm"



The C:\Temp directory must be created before the command is executed.

The BES Asset Discovery.efxm file was retrieved from the BES Client.

The easiest way to get the .efxm files is from the BES Client\__BESData\actionsite directory. If you do not specify -m and a BESClient is installed on the machine, then it will get the site mastheads from the client's directory automatically.

It is easier to specify the -x option, by itself, if you are using a networked machine with just a BES Client running on it. It will then display a list of site mastheads that it can use to download from.

BESDownloadCacher.exe -x C:\Temp

Note: If you run this from a TEM client, be sure to run the CMD prompt with Administrator privileges or this will fail to open the client directory.

Some sites require additional steps to download content from patch vendors that restrict access. See the following Knowledge documents that describe using a tool to manually download patch binary data for Solaris, Red Hat Enterprise Linux, SuSE Linux Enterprise, and AIX. These sites require a three-step process:

  1. Run the BESAirgapTool.exe as described above to download Fixlets and Tasks for each site.
  2. Run the BES Download Cacher utility to download any site tools from IBM TEM.
  3. Run the download tool for each vendor to download patch contents.

Transferring all files from Fixlet sites

  1. Locate the masthead file (.efxm file) for the site whose downloads you want to gather.
  2. Run the BES Download Cacher utility with the following command:

    BES_Download_Cacher.exe -m <masthead file> -x downloads

    This could take a very long time, as it will download every file referenced in the Fixlet site (possibly several gigabytes) and put the files in the "downloads" folder. Note that if the files already exist in the "downloads" folder, they will not be re-downloaded. Files will be named with their sha1 checksum.
  3. When the download finishes, copy the contents of the downloads folder (just the files, not the folder) into the sha1 folder on the main TEM Server. The default location for the sha1 folder is "C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1". The TEM Server will use these files instead of trying to download them from the internet.
  4. If you run the download cacher later, you can look at the modification time of the files to see which are the newest files that are downloaded. Using this method, you can transfer only the newest files to the Main TEM Server instead of copying every file each time.
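
The copy in steps 3 and 4 can be checked before anything reaches the sha1 folder. The Python code below is an added example, not part of the original page or an IBM tool: it assumes each file name is exactly the hex SHA-1 of the file's content, rejects files whose content does not match their name, and skips files already cached intact. The function names and sample data are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha1_of(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte patch files are never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def import_downloads(src_dir, sha1_dir):
    """Copy verified files into the sha1 folder; return (copied, skipped, rejected)."""
    # Assumption: a file's name is the 40-hex-digit SHA-1 of its content.
    src, dst = Path(src_dir), Path(sha1_dir)
    copied, skipped, rejected = [], [], []
    for f in sorted(p for p in src.iterdir() if p.is_file()):
        want, target = f.name.lower(), dst / f.name
        if sha1_of(f) != want:
            rejected.append(f.name)   # truncated, altered, or not a cacher output file
        elif target.exists() and sha1_of(target) == want:
            skipped.append(f.name)    # already cached intact on the server
        else:
            shutil.copy2(f, target)   # copy2 keeps the modification time
            if sha1_of(target) == want:
                copied.append(f.name)
            else:                     # bad copy: do not leave it in the cache
                target.unlink()
                rejected.append(f.name)
    return copied, skipped, rejected

def demo():
    """Constructed sample: one new file, one already cached, one altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, cache = Path(tmp, "downloads"), Path(tmp, "sha1")
        drive.mkdir()
        cache.mkdir()
        good, cached = b"constructed patch A", b"constructed patch B"
        for data in (good, cached):
            (drive / hashlib.sha1(data).hexdigest()).write_bytes(data)
        (cache / hashlib.sha1(cached).hexdigest()).write_bytes(cached)
        # Named for the original content, but the bytes changed on the way.
        (drive / hashlib.sha1(b"constructed patch C").hexdigest()).write_bytes(b"tampered")
        return tuple(len(x) for x in import_downloads(drive, cache))

if __name__ == "__main__":
    print("copied, skipped, rejected =", demo())
```

Investigate any rejected file on the Internet-connected side before re-running the download; a mismatch means the bytes on the portable drive are not the bytes the Fixlet references.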

You may need to increase the size of the cache on the main TEM Server so that it does not try to empty any files from the cache. Use the BES Download Cacher to increase the size of the cache with the command:

BES_Download_Cacher.exe -c <size in MB>

The default size of the cache is 1024 MB.

After the files are cached in the TEM Server sha1 folder, they will be automatically delivered to the TEM Relays/TEM Clients when you click on an action in the Fixlet message that references a downloaded file. If the file is not cached, the TEM Console will give you a status of "Waiting for Mirror Server" indefinitely after you deploy an action. More information about how the TEM cache works is available here.

Transferring a single file

  1. Run the BES Download Cacher utility with the following command:

    BES_Download_Cacher.exe -u <url> -x downloads
  2. When the download finishes, copy the contents of the downloads folder (just the file, not the folder) into the sha1 folder on the main BES Server.

You may need to increase the size of the cache on the main TEM Server so that it does not try to empty any files from the cache. Use the BES Download Cacher to increase the size of the cache with the command:

BES_Download_Cacher.exe -c <size in MB>

The default size of the cache is 1024 MB.

For example:

C:\Users\Administrator\Downloads>BESDownloadCacher -c 3096

will set the maximum size of the cache to 3096 MB.

After the files are cached in the TEM Server sha1 folder, they will be automatically delivered to the TEM Relays/TEM Clients when you click on an action in the Fixlet message that references a downloaded file. If the file is not cached, the TEM Console will give you a status of "Waiting for Mirror Server" indefinitely after you deploy an action. More information about how the TEM cache works is available here.