Best practices to consider when defining a proxy connection

Consider the following tips and tricks to avoid common problems:
  • After you set the communication through the proxy on a Windows server, use the BigFix Diagnostic tools to verify that the server can successfully reach the Internet.
  • Check the GatherDB.log file that is in the BES Server\GatherDBData folder to verify that the server can gather data from the Internet.
  • Check the firewall rules to see whether any file types are blocked. If the content to gather from a site contains at least one file of a blocked type, none of the content of that site is gathered.
  • Ensure that the password specified in ProxyPass on the server, or in _Enterprise Server_ClientRegister_ProxyPass on the client or relay, has not expired.
  • Make sure that the proxy allows the downloading of arbitrary files from the Internet (for example, it does not block .exe downloads or files with unknown extensions).
  • Most of the files in BigFix are downloaded from bigfix.com or microsoft.com using HTTP port 80. However, it is recommended that you allow the proxy service to download from any location using HTTP, HTTPS, or FTP because some downloads might use these protocols.
  • Make sure that the proxy is bypassed for internal network and component-to-component communications, because routing this traffic through the proxy might cause problems with how the BigFix server works and is inefficient for the proxy. Use the ProxyExceptionList setting, if needed, to exclude local systems from the communication through the proxy.
  • The setting ProxyExceptionList was introduced in BigFix version 9.0.835.0 for Windows and Linux systems. If you are using BigFix version 9.0 and you have problems using content that downloads files from the local server, upgrade to BigFix version 9.0.835.0 or later.
  • On the BigFix server installed on a Linux system, at runtime the client configuration file is read before the server configuration file. Ensure that you update common settings on both components to avoid conflicts.
  • By default, the HTTP and HTTPS connections time out after 10 seconds, DNS resolution time included. When this happens, the HTTP 28 error is logged. In your environment, if the proxy server or the DNS server takes longer to establish the TCP connection, you can increase the number of seconds before the connection times out by editing the setting _HTTPRequestSender_Connect_TimeoutSecond. This setting affects all the BigFix components, including the Console and the Client, that run on the machine where it is set. BigFix components running on other machines in the deployment are not affected. As a best practice, be careful when increasing the value of this setting and keep it as low as possible to avoid opening too many sockets concurrently, which risks socket exhaustion and eventual loss of service.
For more information about proxy configuration, see https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Proxy%20Server%20Settings.
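
Before raising _HTTPRequestSender_Connect_TimeoutSecond, it helps to measure how much of the 10-second budget DNS resolution and the TCP connection to the proxy actually consume. The following script is an added example, not BigFix code; the function names, the 50% headroom threshold, and the proxy.example.com:8080 placeholder are assumptions.

```python
import socket
import time

DEFAULT_TIMEOUT_S = 10  # default connect timeout from this page, DNS time included

def measure_connect(host, port, budget_s=DEFAULT_TIMEOUT_S):
    """Return (dns_seconds, tcp_seconds) for one connection attempt."""
    start = time.monotonic()
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    dns_s = time.monotonic() - start
    family, socktype, proto, _, addr = infos[0]
    # DNS time counts against the same budget, so the TCP connect only
    # gets whatever is left of it.
    remaining = max(budget_s - dns_s, 0.001)
    t0 = time.monotonic()
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(remaining)
        s.connect(addr)
    return dns_s, time.monotonic() - t0

def probe(host, port, attempts=5, budget_s=DEFAULT_TIMEOUT_S):
    """Take several samples; a failed attempt is recorded as a full-budget miss."""
    samples = []
    for _ in range(attempts):
        try:
            samples.append(measure_connect(host, port, budget_s))
        except OSError:  # timeout, refused connection or DNS failure
            samples.append((float(budget_s), 0.0))
    return samples

def assess(samples, budget_s=DEFAULT_TIMEOUT_S, headroom=0.5):
    """Classify the worst sample against the budget.

    'ok'      worst DNS+TCP time is below headroom * budget
    'tight'   below the budget, but with little margin
    'exceeds' at or over the budget (the connection would time out)
    The 0.5 headroom factor is an assumption of this example.
    """
    worst = max(dns + tcp for dns, tcp in samples)
    if worst >= budget_s:
        return "exceeds", worst
    if worst >= budget_s * headroom:
        return "tight", worst
    return "ok", worst

if __name__ == "__main__":
    # Placeholder proxy address: replace with your own proxy host and port.
    verdict, worst = assess(probe("proxy.example.com", 8080))
    print(f"worst DNS+TCP time: {worst:.2f}s of {DEFAULT_TIMEOUT_S}s -> {verdict}")
```

Run it from the machine that hosts the BigFix component. A consistent "ok" result suggests that timeouts have a cause other than slow DNS or TCP setup, so raising the setting is unlikely to help.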