BES Client Download Direct

Dear Team,

In our scenario, users keep moving from my Head Office to remote offices, and sometimes they are connected through an internet-based relay.

Example

Client1: Location 1 - Relay 1 @10AM
Client1: Location 2 - Relay 2 @12AM
Client1: Location 3 - Internet Relay @3PM

Note: Time is not a constraint; the client would be roaming frequently on a daily basis.

  1. If clients are working from home and connected to the internet relay, patch updates should happen via direct internet at the client, instead of the internet relay.

  2. If the same client comes to the office, it should take patch updates via the office relay server.

In the above scenario, when the relay changes between the office relay and the internet relay, enabling and disabling the BES Client download direct value should happen automatically.

Kindly help me in doing the above scenario.

Thanks & Regards
Vicky

1 Like

Are you setting the _BESRelay_Register_Affiliation_AdvertisementList on your relays and subsequent _BESClient_Register_Affiliation_SeekList on your clients? Also, what is your _BESClient_RelaySelect_IntervalSeconds set to? Or do you just have relay select enabled and your clients go wherever they think is closest?

…sort of moot to my next point, but I wanted to know.

I shared a fixlet that could get you close to what you need.
https://bigfix.me/fixlet/details/23802

There are a few other companion fixlets that go with it if you wanted to do relay affiliation based on AD site.
https://bigfix.me/fixlet/details/23805
https://bigfix.me/fixlet/details/23800

You basically need a fixlet that will run a relay select when it sees your network change. In the example fixlet I set the property “_NetSignature”.

Sounds like you already have the Relay selection set up correctly and need to control the behavior of _BESClient_Download_Direct, is that correct?

Here’s the default relevance for the “Relay” property:

    if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server)
    then (name of registration server)
    else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string)
    then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client)))
    else "BES Root Server"

I would combine this with the name of your Internet relay(s). Create a Fixlet that will toggle the Download_Direct client setting based on which Relay is selected. Create a Policy Action targeting All Computers on it, set to “Reapply whenever it becomes relevant again”.

I haven’t tested this at all, so use with care:
Relevance:

    not exists setting "_BESClient_Download_Direct" whose (
        value of it as integer = (
            if exists (
                /* the default "Relay" property relevance from above */
                if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server)
                then (name of registration server)
                else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string)
                then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client)))
                else "BES Root Server"
            ) whose (it = "Name_Of_My_Internet_Relay") /* replace with your Internet relay's name */
            then 1 else 0
        )
    ) of client

actionscript:

    // An action command must stay on one line; 1 = registered to the Internet relay, 0 = any other relay
    setting "_BESClient_Download_Direct"="{(if exists (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") whose (it="Name_Of_My_Internet_Relay") then 1 else 0)}" on "{now}" for client

Yes, relay selection by BES relay affiliation is done already.

Only the automatic change of the BESClient_Download_Direct value based on relay selection is mandatory for us.

In the code below, I only need to change the “Name of My Internet Relay” value, right?

Relevance:

    not exists setting "_BESClient_Download_Direct" whose (value of it as integer = (if exists (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") whose (it="BFX.MYDOMAIN.COM") then 1 else 0)) of client

My Relay Details:

Root Server: BF.MyDOMAIN.COM
Relay 1: BFX1.MYDOMAIN.COM
Relay 2: BFX2.MYDOMAIN.COM
Internet relay: BFX.MYDOMAIN.COM

Kindly help me with the relevance & action script for placing my relay details in both of your scripts.

Thanks & Regards
Vicky

Thanks,

Yes, we set the BESRelay_Affiliation group on the client and the relay select interval too.

If any changes need to be made to the above scenario for a better result, kindly suggest them to us.

Regards
Vicky

Dear @JasonWalker

I have relevance to find out the current relay name, but only when I evaluate it as “Local Client Evaluator” do I receive a result like the one below:

Q: if ((it starts with "127." OR it starts with "::") of (name of registration server as string)) then (if ((exists setting "_BESRelay_PostResults_ParentRelayURL" of it AND exists value of setting "_BESRelay_PostResults_ParentRelayURL" of it) of client) then "n/a (BES Relay Installed)" else "n/a (BES Server Installed)") else (name of registration server as string)

A: bigfixrelay.mydomain.com:52311

My query is: if I get the result “bigfixrelay.mydomain.com:52311”, it should be considered TRUE, and any other value FALSE. Can you modify the relevance for us like that?

Thanks in advance

Any possibility to run the relevance normally?

Regards
Vicky R

1 Like

You do need to run this in “local client evaluator mode” as you have found, because it depends on properties that are only available in the context of the running client.

Sorry I’m late getting back to the party. :wink:

Well, I’m not 100% sure on how your seek list is set up (if you change it based on where they are at), but here’s a very basic way to make sure your clients at least do a relay select when they move locations (based on when their IP changes). This works well when they come onto VPN, because they get an additional IP. Then they go off, IPs change, new site… you get the idea.

Relevance:
    (
    (not exists setting "_NetSignature" of client 
    OR
    /* check to see if NetSignature matches the current IP addresses */
    value of setting "_NetSignature" of client as string != unique value of concatenations ";" of (it as string) whose(it != "127.0.0.1" and it does not start with "169.") of addresses of ip interfaces of network)
    )

Then for the action script:

    // Force client to send update to relay
    relay select

    // ***************************************************************************
    // tattoo the settings with the Network Signature
    // ***************************************************************************
    setting "_NetSignature"="{unique value of concatenations ";" of (it as string) whose(it != "127.0.0.1" and it does not start with "169.") of addresses of ip interfaces of network as string}" on "{now}" for client

…then set that as a policy action to re-apply when it becomes relevant again.

Again, that’s only based on if you only set the _BESClient_Register_Affiliation_SeekList as static. There are other examples on how you can force this kind of action if other properties (like AD site in my example fixlet above) change.

Yup, okay. Now I have made small changes to the existing settings and put my DMZ relay as a failover relay. So I want to find out if the client is connected to the failover relay; then the value _BESClient_Download_Direct=1 needs to be set automatically, and for any other relay/root server the value needs to be deleted from there.

We need to set it like a policy action.

Thanks & Regards
Vicky R

Forgive me, but I’m having some trouble understanding exactly what you’re talking about. You’re saying that IF your client is connected to the DMZ relay, you want to set _BESClient_Download_Direct=1 ?

Are you only using BigFix for patch? How would that affect software delivery?

Yes, For patches only.
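
The toggle asked for above (set _BESClient_Download_Direct=1 while the client is registered to the Internet/failover relay, delete the setting on any other relay or the root server), written out as an added example in BigFix ActionScript; it is not from any poster in this thread. It assumes the Internet relay name BFX.MYDOMAIN.COM given earlier and strips an optional ":port" suffix like the one in the evaluator output above before comparing.

```actionscript
// Constructed example, not code from the thread.
// Assumption: the Internet/failover relay is BFX.MYDOMAIN.COM (the name given earlier in the thread).
//
// Fixlet relevance (paste into the Relevance tab without the leading "// "):
// True only when the setting does not match the relay the client is registered to.
//
// if (preceding text of first ":" of (name of registration server as lowercase & ":") = "bfx.mydomain.com")
// then (not exists setting "_BESClient_Download_Direct" whose (value of it = "1") of client)
// else (exists setting "_BESClient_Download_Direct" of client)

// Appending ":" before taking the preceding text handles names with and without a port suffix.
if {preceding text of first ":" of (name of registration server as lowercase & ":") = "bfx.mydomain.com"}
    // Registered to the Internet relay: download directly from the Internet
    setting "_BESClient_Download_Direct"="1" on "{now}" for client
else
    // Registered to an office relay or the root server: remove the override
    setting delete "_BESClient_Download_Direct" on "{now}" for client
endif
```

Deploy it as a policy action set to “Reapply whenever it becomes relevant again”, as suggested earlier in the thread, so the setting follows each relay change.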

Hi @masonje,

I am facing this issue in my environment where I have set _BESClient_Download_Direct =1.
It is working fine for patches where Laptops are connected to Internet but it is not working for software distribution.
Any suggestions?

Thanks in advance!

Software distribution tasks typically have their binaries uploaded to the BigFix server, so they would not be available when using _BESClient_Download_Direct =1. If you’re using version 10 of the BigFix client, you can control which domains are downloaded directly by the client. Look into these settings:
_BESClient_Download_Direct_Domainlist
_BESClient_Download_DirectRecovery
as mentioned in this article


and as used in this example
https://bigfix.me/fixlet/details/26704

2 Likes