Adding relays and talking to them from behind a firewall

Hi Folks,

I have a BF environment with a number of relays. I am now trying to extend it to the DMZ. I have a host in the DMZ designated to be a relay. It can talk to an internal relay on 52311. I have pushed the client software and entered the internal relay into the besclient.config file. However, when the client starts up it fails to connect and logs the error:

RegisterOnce: Attempting secure registration with 'https://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=^fe80%3A%3A250%3A56ff%3Afebd%3A4a9f%2F64_0
At 11:26:53 +0200 -
RegisterOnce: GetURL failed - General transport failure. - BAD SERVERNAME (winsock error 4294967290 - registration url - http://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=^fe80%3A%3A250%3A56ff%3Afebd%3A4a9f%2F64_0

Now that makes some sense, as it cannot talk to the server, and should only communicate through its upstream relay.

How do I tell it to use the upstream relay only and stop trying to bother the main server?


You need to set the client to manual relay selection by adding or modifying the following line in the client config.

value = 0

Hi Matt,

Thanks for the reply. I checked and Automatic Relay selection is off on the .config

value = relay1129
effective date = Wed,%2017%20Aug%202016%2018:19:33%20+0200

value = relayl1130
effective date = Wed,%2017%20Aug%202016%2018:19:33%20+0200

value = 0

I even added the key
value = 0

just in case, but I still see the same errors in the log. It is trying to talk to the BES server, not limiting itself to the relays it is meant to.

Probably a forum formatting thing, but do you have “” after Client as in
And, if possible, I’d suggest the “Fake Root” approach, which arranges your DNS-related entries so that a client outside of your network resolves the BigFix Server name to one of your DMZ relays.

Hi Akira,

The ‘fake root’ DNS trick looks like it may be the one. The client is connected in, and I pushed out a recent relay to it. Now I need to try using the relay, and see if it works as desired.


Do you allow ICMP ping to these relays? The client will not select the relay (Automatic or Manual) if ICMP pings don’t go through. It assumes the relay is offline and eventually fails over to the root server (which it will try even if ICMP doesn’t respond).

Check!/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings and look for ‘_BESClient_RelaySelect_FailoverRelay’ or ‘_BESClient_RelaySelect_FailoverRelayList’ to have the client try other relays besides the root server if ICMP messages aren’t allowed (from client to Relay).
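
An added example, not part of the thread or of BigFix itself: a small Python check that reads client log text in the shape quoted in the first post, lists every host the client tried to register with, and reports any host that is not in the relay set you expect a DMZ client to use. The sample log is constructed (the `relay1129` line is invented for illustration), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the log excerpt in the thread.
# The last entry (a relay registration attempt) is invented for illustration.
SAMPLE_LOG = """\
At 11:26:50 +0200 -
   RegisterOnce: Attempting secure registration with 'https://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60'
At 11:26:53 +0200 -
   RegisterOnce: GetURL failed - General transport failure. - BAD SERVERNAME (winsock error 4294967290 - registration url - http://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60
At 11:40:02 +0200 -
   RegisterOnce: Attempting secure registration with 'https://relay1129:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60'
"""

# A URL runs until whitespace or the closing quote used in the log line.
URL_RE = re.compile(r"https?://[^\s']+")


def registration_targets(log_text):
    """Return (host, port, failed) for each RegisterOnce line that carries a URL."""
    results = []
    for line in log_text.splitlines():
        if "RegisterOnce:" not in line:
            continue
        match = URL_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(0))
        if parts.hostname is None:
            continue  # malformed URL, nothing to report
        # urlsplit lower-cases the hostname, so comparisons are case-insensitive.
        results.append((parts.hostname, parts.port, "GetURL failed" in line))
    return results


def unexpected_targets(log_text, allowed_relays):
    """Hosts the client tried to register with that are not expected relays."""
    allowed = {name.lower() for name in allowed_relays}
    seen = {host for host, _port, _failed in registration_targets(log_text)}
    return sorted(seen - allowed)


if __name__ == "__main__":
    for host in unexpected_targets(SAMPLE_LOG, ["relay1129"]):
        print(f"client attempted registration with non-relay host: {host}")
```

Run against a real client log, an empty result means every registration attempt went to a relay you listed; any other host name is one the DMZ firewall or DNS setup still has to account for.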