Advice on Automating The "Enable Automatic Relay Selection" Setting

Hi all …

My customer’s BigFix deployment consists of 3/4 internal endpoints and 1/4 endpoints behind firewalls. They would like to enable automatic relay selection automatically when new endpoints are added to BigFix. However, they can’t arbitrarily enable this setting for every endpoint because the endpoints behind a firewall all need to point to a particular relay that they can see, and that relay is decided at first use using besclient.config / clientsettings.cfg. Forcing the automatic relay selection setting to 1 would probably break connectivity for the external endpoints, and even if it didn’t, if the external endpoints must communicate through specific relays, why create additional unnecessary ICMP traffic?

How should this customer automate this setting so it is set for only the internal endpoints? One thing I thought of was to create a copy of the “Enable Automatic Relay Selection” fixlet and write a relevance expression that would perform this one-time action only “if this client’s parent relay is not DMZ Relay X (and DMZ Relay Y and DMZ Relay Z, etc) and the enable automatic relay selection setting is 0” … assuming I can check a client’s parent relay in a relevance expression, of course.

The number of external relays is small.

What would your recommendation be to automate this setting for only the internal endpoints?

–Mark

What you’re looking for is called Relay Affiliation. Read about it here:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Relay%20Affiliation

But relay affiliation doesn’t work with manual relay selection, as designed. I don’t want the action to run at all on the external clients, which are configured to come up pointing to a specific relay (because that’s the only one they see).

–Mark

If you want the clients pointed at a specific relay, you would set the affiliation on the relay to be the same as the clients and make this relay the only one in their seek list. They should not seek out any other relays if they can’t reach their primary relay.

We use a combination of manual relay selection and automatic relay selection with relay affiliation in our environment. It sounds very similar to what you are wanting to do. We maintain a fixlet that sets the value of the _BESClient_Register_Affiliation_SeekList based on its subnet and sets relay selection to automatic. When taking action on this fixlet we target only devices that are not behind the firewall. If you have a method of uniquely identifying these devices (e.g. domain, naming convention or subnet) you can target only the devices you want to use automatic relay selection with relay affiliation and leave the other devices as manual relay selection.

@zpt8mjs, yes, this is pretty much what I want to do. It looks like I’d have to write a fixlet that enables automatic relay selection for devices that are not behind a firewall, and I’d have to come up with some way of identifying “devices not behind a firewall”. Thank you. --Mark

If the devices behind a firewall have a local relay also behind the firewall, then they would find it using automatic relay selection.

Hi @jgstew, you are correct of course. But if there’s only one local relay that the firewall clients connect to, and it will be that way for a while, why have automatic relay selection at all? Wouldn’t manual relay selection be “better” to cut down on unneeded ICMP traffic?

–Mark

¯\_(ツ)_/¯

If you use relay affiliation groups then the clients doing automatic relay selection on that group that only contains that local relay would only be pinging that relay and not all relays.

If you use manual relay selection in those cases, it should work out okay as long as the failover relays are set so it doesn’t get stuck. It can just be a pain to manage manual relay selection well, particularly for many sites.

Ding! The light bulb just went on. Thanks for this!

–Mark


Typically you manage automatic relay selection affiliation groups like this:

The local relays on the edge networks behind firewalls advertise a relay affiliation group for that site. Let’s say you had a single office in Paris, France; then maybe it would just advertise Paris as its affiliation group, or it would advertise Paris;* as its affiliation group.

Meanwhile, the clients that are typically in that office would use relay affiliation something like this: Paris;ParentSite;DMZ;Failover;*

This tells the client: try all relays that advertise the Paris affiliation group first. Then try all of the relays in the ParentSite of the Paris office (for instance, if the WAN link to the Paris office actually goes through another office nearby first). Then the client will try the DMZ relays since it can’t find a local relay it should use. Once this fails, then it should try the Failover set of relays. If all else fails, then it will try *, which means: just have at it and do whatever you can… basically try all relays that do not advertise any affiliation group, as well as all of those that advertise *. Once all of these options fail, it will then go to its defined failover relays. Once that fails, it will try the ROOT directly.

DMZ relays should advertise Location;DMZ;*

Failover relays should advertise Location;Failover;*

Potentially DMZ and Failover relays could advertise: Location;DMZ;Failover;* if you don’t see a need to distinguish them, which there technically isn’t.

If you don’t want the ROOT to be selected during automatic relay selection, which you generally don’t, it should advertise ROOT and not advertise *. Then no clients should select for ROOT so they won’t pick it up.
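To make the seek-list ordering described in this thread concrete, here is an added simulation (not BigFix code, and not from any poster) of how a client’s affiliation seek list is matched against the groups each relay advertises. It models the tier-by-tier behaviour explained above, including the two points that answer the original question: a firewalled client whose seek list names only its local site’s group ends up pinging just that relay, and a root server that advertises ROOT (and not *) is never selected. The relay names and advertised groups are constructed sample data; real clients also ping the relays within a tier and rank them by hop count, which this model does not attempt.

```python
"""Constructed model of BigFix relay-affiliation seek-list matching.

Not BigFix code: it reproduces the ordering rules described in the thread
so that a seek list such as "Paris;ParentSite;DMZ;Failover;*" can be
checked against what the relays advertise before it is rolled out.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    advertises: tuple[str, ...]  # groups in the relay's advertisement list


def matches(group: str, relay: Relay) -> bool:
    """A seek-list entry matches a relay that advertises that group.

    The wildcard entry '*' matches relays that advertise '*' themselves or
    advertise nothing at all, which is why a root that advertises only
    'ROOT' is never matched by '*'.
    """
    if group == "*":
        return "*" in relay.advertises or not relay.advertises
    return group in relay.advertises


def selection_order(seek_list: str, relays: list[Relay]) -> list[list[str]]:
    """Return the tiers of relays a client tries, in seek-list order.

    Each tier holds the relays matching one seek-list entry; a relay already
    placed in an earlier tier is not repeated in a later one.
    """
    tiers: list[list[str]] = []
    seen: set[str] = set()
    for group in seek_list.split(";"):
        tier = [r.name for r in relays if matches(group, r) and r.name not in seen]
        seen.update(tier)
        tiers.append(tier)
    return tiers


def relays_pinged(seek_list: str, relays: list[Relay]) -> list[str]:
    """Flat list of every relay automatic selection would ping for this seek list."""
    return [name for tier in selection_order(seek_list, relays) for name in tier]


# Constructed sample topology (hypothetical names):
#   paris-relay      local relay behind the Paris firewall, advertises "Paris;*"
#   lyon-relay       the parent site's relay, advertises "Lyon;*"
#   dmz-relay-1      DMZ relay, advertises "HQ;DMZ;*"
#   failover-relay   failover relay, advertises "HQ;Failover;*"
#   unaffiliated     relay with no advertisement list
#   root             root server advertising only "ROOT"
SAMPLE_RELAYS = [
    Relay("paris-relay", ("Paris", "*")),
    Relay("lyon-relay", ("Lyon", "*")),
    Relay("dmz-relay-1", ("HQ", "DMZ", "*")),
    Relay("failover-relay", ("HQ", "Failover", "*")),
    Relay("unaffiliated", ()),
    Relay("root", ("ROOT",)),
]

# Internal Paris client: full seek list, Lyon playing the ParentSite role.
INTERNAL_SEEK_LIST = "Paris;Lyon;DMZ;Failover;*"

# Firewalled Paris client: only its local site's group, so only one relay
# is ever pinged even though automatic relay selection is enabled.
FIREWALLED_SEEK_LIST = "Paris"


if __name__ == "__main__":
    for label, seek in (("internal", INTERNAL_SEEK_LIST), ("firewalled", FIREWALLED_SEEK_LIST)):
        print(f"{label} client, seek list {seek!r}:")
        for group, tier in zip(seek.split(";"), selection_order(seek, SAMPLE_RELAYS)):
            print(f"  {group:10s} -> {tier}")
```

Running the block prints the tier a client would reach for each seek-list entry; the `root` relay appears in none of them, and the firewalled client’s only tier is its local relay. If you change a relay’s advertisement tuple (for example dropping `*` from a DMZ relay), the model shows which clients lose it as a last-resort candidate.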