I am trying to better understand the usage of the x-bes-fallback-server masthead setting. The HCL BigFix documentation is as follows:
Last fallback Relay for all clients (replacing Root Server):
You might need to define a fallback relay for your clients when they do not connect to any relay specified in their settings. Select this check box and specify the fallback relay of your environment in one of the following formats:
- Hostname. For example, myhostname.
- Fully qualified domain name (FQDN). For example, myhostname.mydomain.com.
- IP address. For example, 10.10.10.10.
If you do not select this check box and define a fallback relay, the root server of your environment is used.
Note: Before specifying a fallback relay, ensure that any client or relay reporting directly to the root server has the root server defined as a relay. This setting will not prevent endpoints from selecting the root server. Set _BESRelay_Register_Affiliation_AdvertisementList on the BES Root Server to a group name that will not be set on any clients, such as DoNotSelectMe.
This leaves me with lots of questions…
Our current masthead contains a valid x-bes-fallback-server defined, but is that all that’s necessary? The documentation above states that “This setting will not prevent endpoints from selecting the root server.” If this is not done, is there any point to the setting? Is the Root server still considered a valid relay unless it is added to an Affiliation AdvertisementList? What about if the server’s port 52311 was blocked to all but Relay servers?
If a new client installation has a masthead with x-bes-fallback-server defined, what exactly happens? If the Fallback Server is an authenticating relay, will a brand new client still be able to connect to the Root Server to get the necessary signing keys?
How is this setting best used? The documentation leaves a lot to be figured out, IMHO… (or, is there better documentation on the setting? A wiki article or blog post? My Google-fu may have been weak today…)