Explore NY Stream

— Kiaasa Dhanori Pune

BES Quick Installation & BigFix Documentation

BigFix Enterprise Suite (BES) installation follows a clear three-part flow: create your license credentials, install the BES Server (with its database and relay), then deploy the BES Console and BES Clients to the endpoints you want to manage. This guide walks the full BigFix installation end to end and explains how to run day-to-day patching with Fixlets, Baselines, and Actions.

BES is the on-premises platform now sold as HCL BigFix (formerly BigFix, Inc., then IBM Tivoli Endpoint Manager / IBM BigFix). The architecture and workflow below are still accurate, but where the original wizard referenced end-of-life components such as MSDE 2000 or SQL Server 2000, modern BigFix uses a supported edition of Microsoft SQL Server instead. Treat any reference to those legacy databases as "install a current, supported SQL Server".

What BigFix (BES) is and why the install order matters

BigFix is an endpoint management and patch deployment platform. A lightweight agent (the BES Client) runs on every managed computer, continuously evaluates relevance expressions called Fixlets, and reports which patches, settings, or software actions apply. An administrator then signs and dispatches Actions from the BES Console, and the clients carry them out.

Because every component is bound to a cryptographically signed masthead and license, the order is not optional. You must generate the license and site credentials first, stand up the server (which hosts the database and the root relay), then attach the console and clients. Installing out of order leaves clients unable to verify the server's identity.

The core components

  • BES Server (Root Server): the brain. It stores all data in a SQL Server database, hosts the web reports, and acts as the root relay that clients connect to.
  • BES Relay: optional caching tier that offloads the server in large or distributed networks (the modern equivalent of the original "Root Server vs IIS" choice — the built-in BigFix root/relay is recommended over IIS for performance and simpler configuration).
  • BES Console: the operator GUI used to review Fixlets, build Baselines, and issue Actions.
  • BES Client (Agent): installed on every endpoint, including the server and console machines themselves.
  • Masthead, license certificate, and private key: the trust anchor that ties the whole deployment together.

Part 1: BigFix installation requirements and the masthead

Before any BigFix installation, prepare two machines (they can be the same box in a small lab, but separate them in production):

  • An install computer to generate the private key, create the masthead, and run the BES Console. This is often your admin workstation.
  • A server computer that meets the BES Server system requirements: a supported Windows Server, a supported SQL Server edition, adequate CPU/RAM/disk for your endpoint count, and the correct firewall ports open (the server listens on TCP 52311 by default).

You will also need a production license. In current BigFix this is delivered as a BES License Authorization file (extension .BESLicenseAuthorization) issued by HCL or an authorized reseller. If you only want to evaluate the platform, request a trial license rather than improvising one.

Two concepts worth understanding first

ODBC (Open Database Connectivity) is a standard API that lets an application talk to a database through a driver, regardless of the database engine behind it. Think of it as a translation layer: your application speaks ODBC, the driver speaks the database's native protocol. BES uses a SQL Server connection for its data store, and reporting tools can reach that data over ODBC.

A masthead (masthead.afxm) is the signed configuration file that every BES Client and Console needs to talk to the Fixlet/root server. It carries the site-specific information — server address, ports, and the public key — required to deploy and trust Fixlet content. Without the matching masthead, an endpoint cannot join the deployment.

Part 2: Create the license certificate, private key, and masthead

Perform these steps on the install computer. They produce three artifacts you must guard carefully: the private key (license.pvk), the license certificate (license.crt), and the masthead (masthead.afxm).

  1. Download the current BigFix installer from the official HCL BigFix download site (the original support.bigfix.com URL is long retired — always pull from the vendor's current portal).
  2. Run the installer and choose the Production installation type.
  3. Select "Install using the License Authorization file". A wizard opens to create your private key and masthead.
  4. Click Browse, select your .BESLicenseAuthorization file, and click Next.
  5. Enter the DNS hostname or IP that clients will use to reach the server. Use a hostname (for example bigfix.companyname.com) rather than a raw IP — it gives you flexibility to move or re-IP the server later. This value is baked into the license and cannot be changed afterward; changing it later forces a brand-new license and a full reinstall.
  6. Set a site credential password. This is the master password for the deployment, used whenever you add operators or edit masthead parameters. Treat it like a domain admin password — if you lose it, you must reinstall BES completely.
  7. Save the private key (license.pvk) to a secure, dedicated folder (for example BES Site Credentials) with tight permissions, or to removable media. Anyone holding this key plus the password effectively controls every managed endpoint, so protect it accordingly. Losing it also forces a full reinstall.
  8. Submit the request over the Internet. The wizard sends a signing request to the licensing service and saves the returned license certificate (license.crt). Your private key and password are never transmitted — only the public request is.
  9. Back on the main screen, choose "Install with a production license I already have".
  10. Select the license.crt you just saved.
  11. Select the license.pvk from your site-credentials folder.
  12. Set the action-site parameters (accept the defaults if you are unsure).
  13. Enter the site credential password from step 6.
  14. Save masthead.afxm into the same secure folder.
  15. Choose where to generate the component installers. This step creates the BES Client, Console, and Server installers but does not install anything yet (default path C:\BESInstallers).

With the three credential files created, you are ready to install the server.

Part 3: BES component installation

Install the BES Server

  1. On the server computer, run setup.exe from the generated Server installer folder (default C:\BESInstallers\Server), or launch "Install BES Server" from the installation guide.
  2. Follow the prompts. When asked about the database, point the installer at a supported, currently licensed Microsoft SQL Server instance, or let it install the bundled SQL Server when offered. Do not deploy on MSDE 2000 or SQL Server 2000 — those are long out of support and unfit for production; the original instructions predate modern SQL releases.
  3. When prompted, choose the built-in BigFix root/relay rather than IIS — it performs better and is simpler to configure.
  4. Choose folders for the server binaries and web-report files.
  5. Set a strong SQL Server sa (System Administrator) password for database administration tasks, and store it securely.
  6. When prompted, supply the masthead.afxm, license.crt, and license.pvk from your site-credentials folder. Keeping these on removable media or a separate host adds a layer of protection.
  7. Create the operators who will use the BES Console. Each operator automatically gets a database account and a set of publisher keys used to digitally sign actions.
    • Deliver each operator's username, password, and key files to that person securely.
    • Tick "Give this user the ability to administer management rights" to make a master operator with full control; otherwise you must grant rights per computer.
    • At least one administrator (master operator) is required for BES to function.
    • Enable Custom Actions for any operator who needs to run arbitrary commands on endpoints, not just the predefined Fixlet remediations.

After setup completes (or after a required reboot), the BES Diagnostics tool runs automatically to confirm every service is healthy. If you see red or yellow indicators, click Full Interface, open the affected report, and use the "?" link for the matching knowledge-base article. If a problem persists, contact BigFix/HCL support.

Install the BES Console

Run setup.exe from the Console installer folder (default C:\BESInstallers\Console) on the console machine, or use "Install BES Console" in the guide. After installation:

  1. Launch the BES Console from the desktop icon.
  2. Log on to the database with the administrative operator you created during server setup.
  3. When prompted, select your publisher keys (the operator's private signing key — for example publisher.pvk). In a Citrix/published-app environment, point the console to the key location each new session and enter the operator password (store that password per your organization's secrets policy, such as a privileged-access vault — not a plaintext file).

The server then gathers the latest Fixlet content from your subscribed BigFix sites. This first sync can take a few minutes.

Install the BES Clients

The BES Client belongs on every computer you want to manage, including the server and console hosts. Install locally first with setup.exe from the Client folder (default C:\BESInstallers\Client), then deploy to the rest of the fleet using whichever method fits your environment:

  • Manual / network share: run the client setup.exe while logged in with local admin rights.
  • BES Client Deploy Tool: for Active Directory domains, push agents with a domain account (Start > Programs > BigFix Enterprise > BES Client Deploy on the install computer).
  • Login scripts that silently install the agent at logon.
  • Software-distribution tooling (Microsoft Endpoint Configuration Manager/SCCM, Intune, Tivoli, etc.).
  • Any existing app-deployment mechanism your network already uses.

Within roughly one to three minutes of installation, clients appear under Computers in the console and begin reporting relevant Fixlet messages. You can now patch and act across the network.

Working in the BES Console: Fixlets, Tasks, Baselines, and Actions

Once the BigFix installation is complete, day-to-day work happens in a handful of console areas:

  • Fixlet: Vendor-supplied remediations — Microsoft and third-party patches, service packs, and updates. Each Fixlet's relevance decides which endpoints it applies to.
  • Task: Reusable custom actions you create (for example, push or configure software). New tasks appear under the Task menu.
  • Baseline: A named group of Fixlets bundled to deploy many patches at once.
  • Action: The actual deployment of a Baseline or Task to targeted computers. After you commit, it appears under Actions, where you can track progress.
  • Computers: Live inventory of every endpoint running a BES Client, filterable by retrieved properties such as OS.

Create an automatic computer group

Groups organize endpoints for targeting. Open the Tools menu and choose Create Automatic Computer Group, then define the membership criteria (for example, all Windows servers). Members join or leave automatically as their properties change, unlike manual groups.

Create a Baseline

  1. Open Tools > Create New Baseline.
  2. Give the Baseline a clear name.
  3. Click Add Components to Group; the Fixlet inventory window opens.
  4. Scroll to the Fixlets (patches) you want and select them — you can pick several at once.
  5. Click OK and enter your BES admin password to commit.

Tip: the same Microsoft patch ID is often published as separate Fixlets per operating system. Click a Fixlet and scroll right to confirm which OS it targets before adding it.

Edit and maintain a Baseline

Patches go stale as vendors ship new versions, so prune Baselines regularly:

  1. Go to the Baseline tab, select the Baseline, and choose Edit Custom Baseline.
  2. Open Components. A "Source Fixlet differs" notice means a newer Fixlet superseded an old one; use View Source Fixlet for details.
  3. Remove an obsolete Fixlet by clicking the delete (X) control — this can take a moment.
  4. Add newer Fixlets via Add Components to Group, then click OK.
  5. Enter the BES password to commit your changes.

Deploy an Action from a Baseline (security patching)

  1. Open the Baseline, go to its Description tab, and click the deployment link to open the Take Action dialog.
  2. Name the Action.
  3. On the Target tab, choose specific computers — or paste a list of server names to patch many hosts at once.
  4. On Constraints, set a start/end window so patching runs in your maintenance window.
  5. On Execution, configure automatic retries (number of tries and the wait between them) and use temporal distribution to spread execution over a span of minutes — this avoids saturating the network when many clients act at once.
  6. On Post-Action, set reboot behavior if the patches require a restart.
  7. Click OK and enter the password to commit. The Action appears under the Actions tab; open it (or the Computers view) to watch progress per endpoint.

Build a server inventory report

  1. Open the Computers tab.
  2. In the left pane, expand By Retrieved Properties > By OS and click an OS (for example, a specific Windows Server version).
  3. Matching endpoints populate the right pane. Add columns by selecting the properties you want.
  4. Copy the results straight into Excel for reporting.

Push software with the Software Distribution Wizard

  1. Open Wizards > Windows Software Distribution Wizard.
  2. Name the task (for example, Nagios Push).
  3. Set the relevance — which OS or condition the action applies to — by choosing the target OS.
  4. Enter the full install command line to run.
  5. Commit and enter the BES admin password. A reusable Task is created.
  6. Edit the Task to customize the action — for example, stop a service, replace files, and restart the service after install.

Common pitfalls in a BigFix (BES) installation

  • Losing the private key or master password. Either one forces a complete reinstall. Back up license.pvk and the password in a secure vault before you go live.
  • Hard-coding an IP in the license. The server address is permanent once the certificate is created. Always use a DNS hostname so you can move the server later.
  • Skipping the agent on the server/console. The BES Server and Console hosts must also run the BES Client, or they won't be managed or patched.
  • Using an unsupported database. Never build production on MSDE 2000/SQL 2000. Use a current, supported SQL Server edition.
  • Patching without temporal distribution. Firing a large Action at every endpoint simultaneously can overwhelm relays and bandwidth. Stagger it.
  • Blocked port 52311. If clients never appear, confirm the default TCP 52311 path between agents, relays, and the root server is open.

Verification: confirm the deployment is healthy

  1. Run the BES Diagnostics tool on the server — all indicators should be green.
  2. Open the BES Console and confirm Fixlet content has synced (you should see current Microsoft and third-party patches).
  3. Check the Computers tab — newly installed clients should report within 1–3 minutes.
  4. Issue a harmless test Action (such as a property refresh) to a small group and confirm it completes.
  5. Confirm a managed client's agent service is running and reachable on TCP 52311.
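To make the last step, and the "Blocked port 52311" pitfall above, checkable from an endpoint, here is an added PowerShell health check (example code written for this guide, not part of the original post or of the BigFix product). It assumes the BES Client's Windows service is named BESClient and that the root server is the DNS hostname baked into your masthead; both are parameters you can override.

```powershell
# Added endpoint health check (not from the original guide). Assumptions, labelled:
# - the BES Client Windows service is named "BESClient" (assumed; override if yours differs)
# - $RootServer is the DNS hostname you entered in Part 2, step 5
# - the default BES port 52311 is in use
param(
    [string]$RootServer    = "bigfix.companyname.com",  # hostname used as the guide's example
    [int]$BesPort          = 52311,
    [string]$ClientService = "BESClient"                # assumed service name
)

$results = [ordered]@{}

# 1. Is the agent installed and running on this endpoint?
#    (Pitfall: the server and console hosts need the agent too.)
$svc = Get-Service -Name $ClientService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $results["AgentInstalled"] = $false
    $results["AgentRunning"]   = $false
} else {
    $results["AgentInstalled"] = $true
    $results["AgentRunning"]   = ($svc.Status -eq "Running")
}

# 2. Does the hostname from the masthead resolve? A stale DNS record is a common
#    reason clients never show up in the Computers tab.
try {
    $resolved = Resolve-DnsName -Name $RootServer -ErrorAction Stop
    $results["ServerResolves"] = $true
    $results["ServerAddress"]  = ($resolved | Where-Object IPAddress |
                                  Select-Object -First 1).IPAddress
} catch {
    $results["ServerResolves"] = $false
}

# 3. Is the TCP 52311 path from this client to the root server / relay open?
$tcp = Test-NetConnection -ComputerName $RootServer -Port $BesPort `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
$results["PortReachable"] = [bool]($tcp -and $tcp.TcpTestSucceeded)

# 4. Summarize. Any $false maps to a pitfall above: missing agent, bad hostname,
#    or a firewall blocking 52311 somewhere between agent, relay, and root server.
[pscustomobject]$results | Format-List

if (-not ($results["AgentRunning"] -and $results["ServerResolves"] -and $results["PortReachable"])) {
    Write-Warning "Endpoint is not healthy; see the pitfalls section for the matching fix."
    exit 1
}
```

Run it on a freshly deployed client (or push it through your existing deployment tooling) and a non-zero exit code tells you which of the three links in the chain to investigate before opening a support case.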

Key Takeaways

  • A BigFix (BES) installation has three phases: license/credentials, server + database, then console and clients — in that order.
  • The private key, license certificate, masthead, and master password are the trust anchor; lose any and you reinstall from scratch.
  • Choose a DNS hostname (never a raw IP) for the server address, because it is permanently baked into the license.
  • Modern BigFix runs on a supported SQL Server and the built-in root/relay — ignore the legacy MSDE 2000 / IIS references.
  • Routine work flows through Fixlets, Baselines, Actions, and the Software Distribution Wizard, with temporal distribution and reboot rules to control impact.

Frequently Asked Questions

What is the difference between a Fixlet, a Task, and a Baseline in BigFix?

A Fixlet is a single vendor-supplied remediation (usually a patch) with built-in relevance that targets only the applicable endpoints. A Task is a custom, reusable action you author yourself, such as pushing software. A Baseline bundles many Fixlets (or Tasks) so you can deploy a whole patch set in one Action.

What happens if I lose the BigFix private key or master password?

You must perform a complete reinstall. The private key and site-credential password are the deployment's root of trust and cannot be recovered or reset. Store license.pvk and the password in a secure vault or on protected removable media before going to production.

Is BES the same as IBM BigFix or HCL BigFix?

Yes — it is the same product line under different owners over time. BigFix Enterprise Suite (BES) became IBM Tivoli Endpoint Manager / IBM BigFix, and is now sold and supported as HCL BigFix. The architecture (server, console, clients, Fixlets, masthead) is consistent across these versions.

Which network port does the BigFix client use?

By default the BES Client, relays, and root server communicate over TCP 52311. If endpoints never appear in the Computers list, verify that this port is open end to end through firewalls and any intervening relays.

For more hands-on system administration and endpoint-management walkthroughs, subscribe to @explorenystream on YouTube.