Auto Relay server selection

We have 2 sites, and each site has 12 relay servers and 1 root server. We have the automatic relay selection option set for each BigFix client, and our network is divided into 3 tiers. When a client can't connect to its tier's relay server, it connects to the root server, which I want to avoid. We have close to 900 servers latched onto the root server. I want them to connect to the relevant relay server depending on the tier. Cherry-picking each of the 900 servers and changing the relay is a painful process. Is there any way we can tell a client to connect to the xyz relay server and not to the root server (if we can provide the list of relay servers depending on the site)?

Hi @bigfixforum,

I’d recommend checking Relay Affiliation to see if it fits what you want to configure in your environment:
https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_using_relay_affiliation.html?hl=using%2Crelay%2Caffiliation

You can also set a last fallback relay for your clients so they won’t select the root server:
Windows - https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_editing_the_masthead.html
Linux - https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Config/c_editing_the_masthead_linux.html

Hope this helps!

2 Likes

We already have the relay affiliation setting enabled. We need to find out if the client can iterate through a list of relay servers and attach to one of them instead of connecting to the root server.

@bigfixforum, you’ll want to implement the “Last Fallback Relay” configuration via the BESAdmin utility as identified by @anademayo to hide the root BES server from all clients.

As far as finding what the BESClient is doing regarding relay affiliation, you’ll want to enable BESClient debug logging and then review the besclientdebug.log details.

One question: can you confirm that your LAN isn’t blocking ICMP traffic? Automatic relay affiliation does rely on ICMP/ping/TTL data in conjunction with the Relays.dat file that’s distributed to all BESClients.

2 Likes

I have relay servers/BES clients in the T2, T3 and T1 networks.
T1 clients talk to the T2 relay, T3 clients talk to the T3 relay, T2 clients talk to the T2 relay. If a client can’t reach any of the relay servers, then it goes to the root server.
The script below runs on the client and iterates through each relay; if any one of the relays is reachable on port 52311 from the client, it updates the settings.

sed -i -e '/__RelaySelect_Automatic/,+2d' -e '/__RelayServer1/,+2d' -e '/__RelayServer2/,+2d'  /var/opt/BESClient/besclient.config
#sed -i -e '/__RelaySelect_Automatic/,+2d' -e '/__RelayServer1/,+2d'  /var/opt/BESClient/besclient.config

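# Resolve the relay's IP address ($relay is set by the loop over candidate relays, not shown here)
ip=$(host "$relay" | awk '{print $NF}')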

/etc/init.d/besclient stop

echo "[Software\BigFix\EnterpriseClient\Settings\Client\__RelaySelect_Automatic]" >>  /var/opt/BESClient/besclient.config
echo "value                          = 0" >>  /var/opt/BESClient/besclient.config
echo ""  >>  /var/opt/BESClient/besclient.config
echo "[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer1]" >>  /var/opt/BESClient/besclient.config
echo "value                          = http://$relay:52311/bfmirror/downloads/" >>  /var/opt/BESClient/besclient.config
echo ""  >>  /var/opt/BESClient/besclient.config

#echo "[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer2]" >>  /var/opt/BESClient/besclient.config
#echo "value                          = http://$ip:52311/bfmirror/downloads/" >>  /var/opt/BESClient/besclient.config

/etc/init.d/besclient start

Updating the relay setting via the script doesn’t work. But from the console it works fine.

It’s not advisable to modify the besclient.config via script. The best practice is to update BES settings via BigFix action/content. Please review the client settings fixlets available from @jgstew.

Are you setting AdvertisementList and SeekList on the BESRelays and BESClients respectively?

Really need to know if your network is blocking ICMP at any point on your LAN.

Please see the platform documentation on relay affiliation and @JasonWalker’s forum post on the relay SeekList process.

1 Like

Let me check the "JasonWalker" post.
We do have the firewall open between the tiers, but somehow the client is connecting to the root server. Not sure why.
So I have created an action script which iterates through the tiers, checks if the client is able to connect to port 52311, and uses that relay server.
When I executed the action script, it set the relay (manual relay). It was then changed to automatic relay, and the client picked up the new relays by itself. Not sure why the client is behaving like that. We have 700 out of 10K clients acting up like that.

You can set the root server to NOT autoselectable which would prevent clients from using it unless it has no other choice.

If you set this, and clients STILL talk to the root server, then that suggests there is something wrong with ICMP for these clients to the relays and you need to use a failover relay or failover relay list setting to handle the case in which ICMP does not work.

The other issue is, once a client auto selects a relay, it is sticky and prefers that relay from that point forward, so once these clients have selected the root server, then they want to keep talking to it from that point forward as long as they can still do it. This is also where setting the root server to NOT autoselectable is useful. See here: bigfix-content/fixlet/clientsettings/Set __BESRelay_Selection_AutoSelectableRelay_ to _0_ on Root Server - Universal.bes at main · jgstew/bigfix-content · GitHub

This seems like a brute force way to force the client to “unstick” itself from its current relay selection.

I have proposed that we have an actionscript command in addition to “relay select” that would do the same thing as “relay select” but specifically NOT select the current relay unless that is the only option. This would achieve something very similar automatically.

1 Like
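
A diagnostic for the failure mode discussed in this thread: TCP 52311 is open between tiers, yet clients still land on the root server because ICMP to the relays fails. This is an added example, not code from any poster or from BigFix; the probe commands (Linux `ping -c/-W`, `timeout`, bash `/dev/tcp`) and the relay host names passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: compare ICMP and TCP reachability of each candidate relay.
BES_PORT=52311   # relay port named in the thread

# ICMP probe: one echo request, 2 s wait (Linux iputils syntax, assumed).
icmp_ok() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# TCP probe: open a socket through bash's /dev/tcp, capped at 3 s (assumed tools).
tcp_ok() { timeout 3 bash -c ': </dev/tcp/"$0"/"$1"' "$1" "$2" >/dev/null 2>&1; }

# classify_relay HOST -> prints one status word:
#   ok            ICMP and TCP both work
#   icmp_blocked  TCP 52311 open but no ICMP reply: a manual relay setting works,
#                 but auto-selection (which the thread says relies on ICMP) cannot rank it
#   port_blocked  ICMP reply but TCP 52311 closed or filtered
#   unreachable   neither probe succeeds
classify_relay() {
    host=$1
    if icmp_ok "$host"; then icmp=1; else icmp=0; fi
    if tcp_ok "$host" "$BES_PORT"; then tcp=1; else tcp=0; fi
    case "$icmp$tcp" in
        11) echo ok ;;
        01) echo icmp_blocked ;;
        10) echo port_blocked ;;
        *)  echo unreachable ;;
    esac
}

# report RELAY... -> one "relay<TAB>status" line per relay, then a verdict line.
report() {
    usable=0; icmp_only=0
    for r in "$@"; do
        s=$(classify_relay "$r")
        printf '%s\t%s\n' "$r" "$s"
        case "$s" in
            ok)           usable=$((usable + 1)) ;;
            icmp_blocked) icmp_only=$((icmp_only + 1)) ;;
        esac
    done
    if [ "$usable" -gt 0 ]; then echo "verdict: $usable relay(s) answer both ICMP and TCP"
    elif [ "$icmp_only" -gt 0 ]; then echo "verdict: ICMP blocked, TCP $BES_PORT open; configure a failover relay"
    else echo "verdict: no relay reachable on TCP $BES_PORT"
    fi
}

# Usage: sh relaycheck.sh <relay-host> [<relay-host> ...]
if [ "$#" -gt 0 ]; then report "$@"; fi
```

Run it on one of the clients that is stuck on the root server, passing that tier's relay host names as arguments.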

We did this … that seems to have fixed the relay setting of the clients.

if { first 3 of computer name as uppercase = regex ("^CCC|^DDD") }
    parameter "SeekList" = "XYZ;*"
elseif { first 3 of computer name as uppercase = regex ("^AAA|^BBB") }
    parameter "SeekList" = "DEF;*"
else
    // If No Match Fail Over To Site
    parameter "SeekList" = "*"
endif

// Set Relay Auto Selection Seeklist
setting "_BESClient_Register_Affiliation_SeekList"="{parameter "SeekList"}" on "{now}" for client

// Set Relay Auto Select
setting "__RelaySelect_Automatic"="1" on "{now}" for client

// Force Client to Auto Select New Relay
relay select