Setting internet relays

You can configure your relays to manage clients that are only connected to the Internet without using VPN as if they were within the corporate network.

Using this approach, you can manage computers that are outside the corporate network (at home, in airports, at coffee shops, and so on.) using BigFix to:

  • Report their updated properties and Fixlet status.
  • Enforce new security policies defined by a Console operator.
  • Accept new patch or application deployments.

This configuration is especially useful for managing mobile devices that might often be disconnected from the corporate network. The following picture shows a typical Internet-based relay, as it might exist in a DMZ network:



Setting up an Internet-facing relay enables external clients to find and connect to a relay. In our picture the clients can select the following types of relay:

  • Manual Relay Selection: Clients can be configured using the console to manually select the Internet-facing relay DNS-alias (or IP address) as their primary, secondary, or failover relay. For more details about the failover relay setting see Configuration Settings.
  • Automatic Relay Selection: If ICMP traffic has been allowed from the Internet to a DMZ-based Internet relay, then automatic relay selection can be leveraged to allow clients to find the closest relay as they move from location to location (either within a corporate network or on the Internet). For external clients on the Internet, the only relay they are able to find and connect to is the Internet-facing relay (because ICMP traffic from the Internet would be blocked to the relays within the corporate network).
    Note: You can use the feature relay Affiliation to configure clients to find the most appropriate relay. For more details see Relay Affiliation

This is how the relays, clients, and firewalls are configured in a typical internet-based BigFix relay architecture:

  1. A relay is deployed in a DMZ and the internal DMZ firewall allows only BigFix traffic (HTTP Port 52311) between the DMZ relay and a designated relay within the corporate network. The design above suggests bidirectional traffic as opposed to only allowing the Internet-facing relay to initiate network connections to the relay within the internal corporate network. This enables quicker client response times because immediate notifications of new content are made to the Internet-facing relay thus maintaining a real-time synchronization of content. If the bidirectional communication between the Internet-facing BigFix relay and the relay in the corporate network is not allowed, the Internet-facing relay must be configured to periodically poll its parent (the relay within the corporate network) for new content. For more details about configuring command polling see Configuration Settings .
  2. After relay communication is established between the DMZ and the internal corporate network, the external firewall also has to be opened to allow Internet-based client traffic (HTTP port 52311) to reach the DMZ relay. In addition, allowing ICMP traffic through the external firewall to the Internet-facing relay can aid in the external client auto-relay selection process.
  3. A DNS-alias (or IP address) is assigned to the relay that enables external clients to find the DMZ-based Internet relay. The DNS-alias must be resolvable to a specific IP address.
  4. To make the relay aware of the DNS-alias (or IP address) deploy the BES Relay Setting: Name Override Fixlet to the DMZ-based Internet relay.
  5. With the entire BigFix communication path established from the Internet through the DMZ-based Internet relay and ultimately to the main server, the next step depends on the various relay selection methods available in a given BigFix infrastructure.
  6. Dynamic Policy Settings can be applied to Internet-based clients to allow for configurations better suited to external agents. For example, because the normal notification method (a UDP ping on port 52311) for new content might not reach external clients, dynamic settings can be used to have clients check for new content more frequently than the default period of 24 hours. For more information on setting up command-polling see http://www-01.ibm.com/support/docview.wss?uid=swg21505846 .
Note: Disable the relay diagnostics (http://relayname:port/rd) for Internet relays by setting the client setting _BESRelay_Diagnostics_Enable to zero.
Note: The relay diagnostic page:
  • Works only on loopback if relay authentication is enabled.
  • Can be accessed only from a browser with TLS 1.2 enabled.
To enable relay authentication, set _BESRelay_Comm_Authenticating =1.

For more information about relay diagnostics, see: Relay diagnostics.