Relays in DMZ

The capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).

In an environment where a relay in DMZ reports to a parent relay within its intranet network, it can be assumed that all communications between intranet and DMZ pass through a firewall that does not allow any upstream communication. In this case, any attempt for the child relay in the DMZ to initiate communication with its parent relay will fail.

This restriction is overcome by establishing a persistent TCP connection between the parent relay and its child relay inside the DMZ. The persistent connection is always initiated by the parent relay. The communication cannot be initiated by the child relay due to network restrictions.

Overview

The following picture displays the persistent TCP connection established between parent relay and child relay:


dmz

In the picture are displayed:
  • In green: The persistent TCP connection established between the parent relay located in the more secure zone and the child relay located in the demilitarized zone.
  • In yellow and black: The line of the demilitarized zone (DMZ network).

Enabling persistent connections on both parent and child relay

On a child relay where the BigFix client was not registered on the BigFix server yet

  1. Log in to the BigFix Console.
  2. Run the Relays in DMZ: Enable Parent Relay and set Child Relay List Fixlet on the parent relay computer:
    Note: Before running the Fixlet, you must specify in the text field of the Description tab the list of child relays allowed.
  3. Manually install the BigFix client on the child computer. For more details, see Installing the client manually.
  4. Manually install the BigFix relay on the child computer by downloading the appropriate package depending on your operating system from the following web site: http://support.bigfix.com/bes/release/
    Note: In a typical scenario, run the Fixlet first on the parent relay and then manually configure the child relay.
  5. On the child computer, ensure that the client and relay processes are stopped.
  6. On a Windows child relay, add the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\_BESRelay_DMZ_ChildEnable key to the Windows registry and set its string REG_SZ value to 1.
  7. On a Linux child relay, if the besclient.config file does not already exist, make a copy of the file named besclient.config.default located in the /var/opt/BESClient/ directory and rename it into besclient.config. Manually edit the besclient.config by adding the following new section:
    [Software\BigFix\EnterpriseClient\Settings\Client\_BESRelay_DMZ_ChildEnable]
    value                          = 1
  8. Restart first the relay process.
  9. At least one minute after restarting the relay process, restart the client process.
Note: If your parent relay was configured as an authenticating relay, it might be necessary to temporarily disable the relay authentication to allow the child relay to register successfully for the first time. Enable again the relay authentication after your child relay was registered successfully.

On a child relay where the BigFix client was already registered on the BigFix server

  1. Log in to the BigFix Console.
  2. Run the Relays in DMZ: Enable Parent Relay and set Child Relay List Fixlet on the parent relay computer:
    Note: Before running the Fixlet, you must specify in the text field of the Description tab the list of child relays allowed.
  3. Run the Relays in DMZ: Enable Child Relay Fixlet on the child relay computer:
    Note: In a typical scenario, run the Fixlet first on the parent relay and then on the child relay.
  4. Both Fixlets will restart the relay process.

Establishing a persistent connection

The parent relay will try to open a socket to the child relay at port 52311.

The child relay can "grab" the socket used by the parent to communicate with it and keep it alive by sending ping messages periodically. At the same time, the child relay will start to listen on a different port such as 52312 only on its loopback address, this will be used to forward all the traffic through the socket opened by the parent that was previously grabbed.

All requests coming to the child relay that must be propagated upstream (for example during the registration of a client below the child relay or for reporting purposes) will be internally routed to the loopback address to be sent to the parent relay within the intranet.

Communicating on the persistent connection

To achieve the requirement, the parent relay initiates a communication with its own child relay and keeps the connection standing and persistent to, later on, use it from the child relay to the parent relay when upstream communication is needed by the child relay.

Managing persistent connections

You can manage the Relays in DMZ persistent connections by configuring a few settings. For details, see Relays in DMZ.