BES Relay Affiliation

(imported topic written by arnaud91)

Hi,

I need some clarifications about this feature: BES Relay Affiliation.

I read this presentation: http://support.bigfix.com/bes/install/besrelayaffiliation.html

I didn’t see any task on the BES Console referring to this feature. If I directly create the _BESClient_Register_Affiliation_SeekList BES Client setting in the registry, will it automatically modify the agent behaviour, or should I restart the BES Client service?

What happens if I install BES Relay software on a computer having BES Client assigned to a specific relay group? How will it select its parent relay?

Also, what happens if a new relay is added to a group? Are all the agents using this group automatically informed of this new relay in the group?

Regards,

Arnaud.

(imported comment written by SystemAdmin)

Hey Arnaud,

I’ll try to answer your questions here.

arnaud wrote:

I didn’t see any task on the BES Console referring to this feature. If I directly create the _BESClient_Register_Affiliation_SeekList BES Client setting in the registry, will it automatically modify the agent behaviour, or should I restart the BES Client service?

It will automatically modify the agent behavior when you set the BES Client setting, you do not need to restart the agent. Basically, the agent notices when you run an action that affects its settings and will run relay autoselection afterwards. There is no task at this time and you would need to create this setting through the edit computer settings dialog.

arnaud wrote:

What happens if I install BES Relay software on a computer having BES Client assigned to a specific relay group? How will it select its parent relay?

This is discussed on the website you linked in the ‘BES Relay Behavior’ section but basically once you install the BES Relay the BES Client no longer functions as it normally does. The BES Client recognizes that the BES Relay is installed and doesn’t use automatic selection at all, it uses manual relay selection. Also note that you do need to assign the BES Relay to an affiliate group so that other BES Clients will know to use it but the BES Client on the BES Relay just reports locally and the BES Relay goes upstream based on the manual relay selection.

arnaud wrote:

Also, what happens if a new relay is added to a group? Are all the agents using this group automatically informed of this new relay in the group?

Yes, the information is automatically sent to BES Clients. The new BES Relay and its affiliation is added into a file called Relays.dat that is distributed through the actionsite automatically anytime you propagate as a master console operator. Basically, after you create the relay and assign it to an affiliation group that information will automatically be sent to all clients the NEXT time you propagate any action. The BES Clients will use the new information the next time they run automatic relay selection on their normal selection interval (they won’t re-run it just because the Relays.dat file gets updated but they will use the information the next time they run autoselection). If you want to test if you set things up correctly there is a task in the BES Support site to force clients to immediately run autoselection that you can use.

(imported comment written by arnaud91)

Hi Tyler,

Thanks for your detailed answers.

Few more questions: We want to set the _BESClient_Register_Affiliation_SeekList parameter at the BES agent installation (we use NSIS to install BES agent). Is it ok if I create the registry key _BESClient_Register_Affiliation_SeekList in the right place with the good value at the BES Agent installation? Or do we need to modify this setting through the BES Console? (we already specify the Relay1, Relay2 and Failover through registry keys at the agent installation, and it works well)

To be sure: if the _BESClient_Register_Affiliation_SeekList parameter is set, the agent will run automatic relay selection, without having to specify it to do so?

(imported comment written by SystemAdmin)

Yes, it is appropriate to manually set the _BESClient_Register_Affiliation_SeekList value during installation of the BES Client. The BES Client will use the value of this key (set through any method) whenever it runs auto-selection.

Setting this value manually doesn’t force the BES Client to run auto-selection, only running an action which sets it causes the BES Client to run auto-selection immediately. To avoid confusion, the BES Client only runs auto-selection if it’s configured to do so through the BES Console (which sets the __RelaySelect_Automatic setting) and simply setting the Affiliation_SeekList does not cause the client to run auto-selection if it’s configured for manual relay selection.

If you want all clients to run auto-selection after installation you should issue a policy action that enables auto-selection.

(imported comment written by arnaud91)

If I set the registry key __RelaySelect_Automatic during installation of the agent as the _BESClient_Register_Affiliation_SeekList registry key, would it work too (relay autoselection with restricted list of relays) and avoid me having to enable Relay auto selection through a policy action?

Behaviour I would expect:

  1. Agent installation with _BESClient_Register_Affiliation_SeekList and __RelaySelect_Automatic registry keys set during installation.

  2. Agent first uses the RelayServer1 value (set through clientsettings.cfg file) to connect the BES Server.

  3. Agent retrieves list of BES Relays it can use from BES Server.

  4. Agent runs relay auto selection to select best relay in the list.

Would it work like that?

I have a last question about general relay behaviour: When you deploy a task (fixlet, baseline, …) through the BES Console, BES Server tries to inform BES agents of this new action. Does it send the UDP packet directly to the BES Agent, or is the information packet sent through the Relay hierarchy to the Agent? It is very important for us, because, as we are MSSP, we mutualized the BES Server for multiple customers, so the BES Server can connect directly to BES Agents, we need it to go through the Relay hierarchy. If not, the service won’t be dynamic (have to wait for the Agent to connect to the BES Server to run the action).

I ask all these questions because we are MSSP, and we want to automate as much as we can, in order to facilitate BES deployment for our customers.

(imported comment written by SystemAdmin)

More good questions Arnaud :)

I’m not sure it would work to set the __RelaySelect_Automatic key during the install. The BES Client might not use your RelayServer1 setting since that value isn’t used in the auto-selection process and it might just run auto-selection only knowing about the main BES Server. I would need to test it to be sure.

This is the behavior you get using a policy action:

  1. Agent installed with _BESClient_Register_Affiliation_SeekList and RelayServer1 for connection point.

  2. Agent starts up configured for manual relay selection, attempts to connect to the RelayServer1 configuration and downloads Relays list and policy action.

  3. Policy action sets the BES Client to run auto-selection, the agent uses the SeekList and the recently downloaded Relays.dat list to find the appropriate relay.

The other benefits of using a policy action:

  1. You’ll catch BES Clients using manual relay selection outside of installation time.

  2. The policy action will enforce the setting and ensure clients stay in auto selection mode.

  3. It will be easier to change your policy through BES later if you need to than changing the install source.

The UDP packet is sent through the BES Relay hierarchy to the agents but even with this feature you are still likely to see lots of cases in the MSSP model where UDP won’t get to the agents. Users may have a personal firewall blocking the BES port, there may be local firewalls blocking it, the packet could get lost, etc. For MSSP we usually recommend increasing the BES Client polling interval to help. By default, the BES Client only goes upstream to get data once a day unless it gets a UDP telling it to do so immediately. If you increase the polling interval to 4 hours say, you’ll get much better response rates from the BES Clients even in the cases where UDP is blocked.

(imported comment written by jessewk)

Hi Arnaud,

I agree with Tyler that a policy action is important. However, you may still want to try and provide a list of the available relays at deployment time. According to this post, it looks like it’s possible to supply an initial set of relays by including your relays.dat file in your custom installation script.

http://forum.bigfix.com/viewtopic.php?id=1505

(imported comment written by peterd91)

To make it even more complicated, let me clarify that we disable automatic relay selection on our deployment (to avoid mssp customer segregation issues). Will any of the below Advanced Options that we use affect the BES Relay Affiliation and the original question Arnaud posted?

disableComputerNameTargeting

disableGlobalRelayVisibility

disableNmoComments

disableNmoManualGroups

disableNmoRelaySelModeChanges

disableNmoSiteManagementDialog

Thanks,

Peter

(imported comment written by SystemAdmin)

Hi Peterd,

BES Relay affiliation only applies to the automatic relay selection process. The manual relay selection process is unaffected even if computers are put into BES Relay affiliation groups.

Tyler

(imported comment written by arnaud91)

Hi,

I have a little question about the BES Settings:

_BESClient_Register_Affiliation_SeekList

and

_BESRelay_Register_Affiliation_AdvertisementList

Should they both be located under HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client?

I ask this because we want to create them at installation time, even if we don’t use them now.

(imported comment written by SystemAdmin)

Yes, that is the correct location.

FYI:

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=454
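
An added example, not code from any post in this thread: a small offline audit of a registry export that checks whether the two settings discussed above are consistent on a freshly installed client. It assumes each setting is a subkey of the location confirmed above holding a string named "value", that the SeekList is a semicolon-separated list of group names, and that "1" in __RelaySelect_Automatic means automatic selection; the group names and the finding codes are constructed for illustration.

```python
import re

# Assumed layout (not stated in the thread): each setting is a subkey of
# ...\Settings\Client that holds a string named "value".
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client"
SEEK = "_BESClient_Register_Affiliation_SeekList"
AUTO = "__RelaySelect_Automatic"

# Constructed sample export: SeekList pre-seeded by the installer, client manual.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_Register_Affiliation_SeekList]
"value"="CustomerA;CustomerA-DMZ"

[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\__RelaySelect_Automatic]
"value"="0"
'''

def parse_reg_export(text):
    """Return {setting_name: value} for direct subkeys of BASE."""
    settings, current = {}, None
    prefix = (BASE + "\\").upper()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            name = key[len(prefix):] if key.upper().startswith(prefix) else ""
            current = name if name and "\\" not in name else None
        elif current:
            m = re.fullmatch(r'"value"="(.*)"', line, re.IGNORECASE)
            if m:  # undo .reg escaping of backslashes and quotes
                settings[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return settings

def audit(settings):
    """Flag the setting combinations the thread warns about."""
    groups = [g.strip() for g in settings.get(SEEK, "").split(";") if g.strip()]
    automatic = settings.get(AUTO) == "1"  # assumption: "1" means automatic
    findings = []
    if groups and not automatic:
        # Affiliation only applies to automatic relay selection.
        findings.append("seeklist-ignored")
    if automatic and not groups:
        # Automatic selection enabled but no SeekList names the customer's group.
        findings.append("auto-unrestricted")
    return findings

if __name__ == "__main__":
    print(audit(parse_reg_export(SAMPLE)))
```

The first finding corresponds to the install-time state Tyler describes before the policy action runs: the SeekList is present but has no effect until the client is switched to automatic selection.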