Authenticating relays

BigFix deployments with internet-facing relays that are not configured as authenticating are prone to security threats.

Security threats, in this context, might mean unauthorized access to the relays and any content or actions, and download packages associated with them or to the Relay Diagnostics page that might contain sensitive information (for example, software, vulnerability information, and passwords).

You can configure relays as authenticating to authenticate the agents. This way, only trusted agents can gather site content or post reports. Use an authenticating relay configuration for an internet-facing relays in the DMZ. A relay configured to authenticate agents only performs TLS communication with child agents or relays that present a TLS certificate issued and signed by the server during a key exchange.

When a relay is configured as authenticating, only the BigFix clients in your environment can connect to it and all the communication between them happens through TLS (HTTPS). This configuration also prevents any unauthorized access to the Relay and Server diagnostics page.
Note: If you need to install new clients and you can only reach an authenticating relay, then you must perform a manual key exchange. For details, see Manual key exchange.

How to enable relay authentication

To upgrade the relays to authenticating relays, do the following steps:
  1. On the BES Support website, find the BES Client Settings: Enable Relay authentication fixlet.
  2. Run the fixlet and wait for the action to finish.
You can configure relays for authentication by manually updating the _BESRelay_Comm_Authenticating configuration setting also. The default value of the setting is 0 which indicates that the relay authentication is disabled; to enable the authentication, set the value to 1. For more details, see Authentication.

By default, every client re-registers with its parent relay once every six hours. Existing clients cannot send reports until they re-register themselves with the relay.