Is it possible to set two relays with the same _BESClient_Relay_NameOverride value?
Currently we have four internet-facing relays: two on the east coast and two on the west coast. Each one has its own internet-facing IP.
We are building a new instance of BigFix and again, will need four internet facing relays to handle the traffic. However, our security team wants to put the two on the east coast behind a single IP, passing through a NetScaler, and the NetScaler will load balance. Same for the west coast.
Can both relays at each location have the _BESClient_Relay_NameOverride setting set to the NetScaler IP?
Yes, you can set _BESClient_Relay_NameOverride to the NetScaler VIP IP and have both relays behind that IP. The load balancer will handle distributing traffic to the backend relays.
Be sure the NetScalers are set for a "sticky" algorithm, such that a given client will always reconnect to the same relay behind the balancer.
We don't officially support relays behind a balancer, and your mileage may vary, but the most important part is that the client not keep bouncing between the two relays.
Traditionally, once the client has authenticated to the relay, it receives a session token that is reused for future connections - but is only valid on one relay. The other relay may give 403:Forbidden responses once the client registers on one.
Since the client traditionally opens a new TCP connection for each gather, post, or file download, they are often broken by load-balancing based on TCP session rather than IP Address; I haven't had the opportunity to check whether Persistent Connections help in that regard.
Honestly, I didn't think of putting the internet facing relays behind a load balancer VIP, I might have to look at that. We have two public facing relays and can never seem to get traffic balanced between the two. They always prefer one over the other regardless of the fact they are the same number of hops away.
BigFix has settings like _Enterprise Server_ClientRegister_MaxChildCount that you can set on relays so that once a relay reaches this limit, devices will flip over to the next relay in their hierarchy.
As Jason said, relays behind a load balancer must be stickied to even look like they are working, and this isn't officially supported.
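The session-token behaviour described in the reply above can be modelled to show why per-connection balancing produces 403s while source-IP persistence does not. This is an added example, not BigFix or NetScaler code: the `Relay` class, the re-register-on-403 recovery, and the client addresses are simplifying assumptions.

```python
import hashlib
import itertools
import secrets

class Relay:
    """Simplified relay: a session token is honoured only by its issuer."""
    def __init__(self, name):
        self.name = name
        self.issued = set()

    def register(self):
        token = secrets.token_hex(8)
        self.issued.add(token)
        return token

    def handle(self, token):
        return 200 if token in self.issued else 403

def round_robin(relays):
    """Per-TCP-connection balancing: each new connection hits the next relay."""
    cycle = itertools.cycle(relays)
    return lambda client_ip: next(cycle)

def source_ip_sticky(relays):
    """Source-IP persistence: one client address always maps to one relay."""
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return relays[digest[0] % len(relays)]
    return pick

def simulate(make_policy, client_ips, requests_per_client=6):
    """Return the number of 403 responses seen across all clients."""
    relays = [Relay("relay-a"), Relay("relay-b")]
    pick = make_policy(relays)
    tokens, forbidden = {}, 0
    for _ in range(requests_per_client):
        for ip in client_ips:
            relay = pick(ip)  # each gather/post/download is a new connection
            if ip not in tokens:
                tokens[ip] = relay.register()  # first contact: register
            elif relay.handle(tokens[ip]) == 403:
                forbidden += 1
                tokens[ip] = relay.register()  # assumed recovery: re-register
    return forbidden

CLIENTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]  # constructed
if __name__ == "__main__":
    print("round-robin 403s:", simulate(round_robin, CLIENTS))
    print("source-IP sticky 403s:", simulate(source_ip_sticky, CLIENTS))
```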