Adding relays and, talking to them from behind a firewall

RandomWalk · April 3, 2017, 11:57am

Hi Folks,

I have a BF environment with a number of relays. I am now trying to extend it to the DMZ. I have a host in the DMZ designated to be a relay. It can talk to an internal relay on 52311. I have push the client software and entered the internal relay into the besclient.config file. However when the client starts up it fails to connect and logs the error:

RegisterOnce: Attempting secure registration with 'https://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=9.5.2.56&Body=13428310&SequenceNumber=5560&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://BFServer%3A52311&AdapterInfo=00-50-56-bd-4a-9f_212.181.103.0%2F25_212.181.103.26_0&AdapterIpv6=00-50-56-bd-4a-9f^fe80%3A%3A250%3A56ff%3Afebd%3A4a9f%2F64_0’
At 11:26:53 +0200 -
RegisterOnce: GetURL failed - General transport failure. - BAD SERVERNAME (winsock error 4294967290 - registration url - http://BFServer:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=9.5.2.56&Body=13428310&SequenceNumber=5560&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://BFServer%3A52311&AdapterInfo=00-50-56-bd-4a-9f_212.181.103.0%2F25_212.181.103.26_0&AdapterIpv6=00-50-56-bd-4a-9f^fe80%3A%3A250%3A56ff%3Afebd%3A4a9f%2F64_0

Now That makes some sense, as it can not talk to the server, and should only communicate through its upstream relay.

How do I tell it to use the upstream relay only and stop trying to bother the main server?

Thanks,
R.

MattPeterson · April 3, 2017, 2:18pm

You need to set the client to manual relay selection. By adding or modifying the following line in the client config.

[Software\BigFix\EnterpriseClient\Settings\Client__RelaySelect_Automatic]
value = 0

RandomWalk · April 4, 2017, 7:23am

Hi Matt,

Thanks for the reply. I checked and Automatic Relay selection is off on the .config

[Software\BigFix\EnterpriseClient\Settings\Client__RelayServer1]
value = relay1129
effective date = Wed,%2017%20Aug%202016%2018:19:33%20+0200

[Software\BigFix\EnterpriseClient\Settings\Client__RelayServer2]
value = relayl1130
effective date = Wed,%2017%20Aug%202016%2018:19:33%20+0200

[Software\BigFix\EnterpriseClient\Settings\Client__RelaySelect_Automatic]
value = 0

I even added the key
[Software\BigFix\EnterpriseClient\Settings\Client_RelaySelectAutomatic]
value = 0

just in case, but I still see the same errors in log. It it trying to talk to the BES server, not limiting itself to the relays it is meant to.

akira · April 4, 2017, 12:18pm

Probably forum formatting thing, but do you have “” after Client as in http://www-01.ibm.com/support/docview.wss?uid=swg21578286?
And, if possible, I’d suggest “Fake Root” approach, which arranges your DNS related entries so that client outside of your network resolves BigFix Server name to one of your DMZ relays.

RandomWalk · April 4, 2017, 1:40pm

Hi Akira,

The ‘fake root’ DNS trick looks like it may be the one. the client is connected in, and I pushed out a recent relay to it. Now I need to try using the relay, and see if it works as desired.

Thanks.
R.

JasonWalker · April 4, 2017, 6:21pm

Do you allow ICMP ping to these relays? The client will not select the relay (Automatic or Manual) if ICMP pings don’t go through. It assumes the relay is offline and eventually fails over to the root server (which it will try even if ICMP doesn’t respond).

Check https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings and look for ‘_BESClient_RelaySelect_FailoverRelay’ or ‘_BESClient_RelaySelect_FailoverRelayList’ to have the client try other relays besides the root server if ICMP messages aren’t allowed (from client to Relay).