BigFix client does NOT listen on port 52311

This documentation (Network configuration requirements) seems to say that both the master/root machine and the end-points (ones with BigFix client installed) communicate on port 52311. But the end-points do NOT listen on that port with UDP or TCP. And, it looks like the service (BESClient) is running as BESClient.exe which is not listening on any port for unsolicited communication. So, can anyone explain this discrepancy?

I see that the BESClient on the end-point does attempt to contact the root on TCP 52311.

By default the BESClient does not listen on TCP, but it does listen on UDP for notifications from its parent relay.

Usually the client will connect to the parent relay/root using 52311/tcp; when a new site update is available or a new action is taken, the parent root/relays will send a message downstream on 52311/udp.

So, does the client start listening on udp 52311 only after establishing communication or something? As I said, at the moment, the client is listening on nothing. I think it has never succeeded in contacting the root, though, due to a routing issue.

I’m not really sure when it starts the listener. During normal operation though it’s pretty clear:

C:\>netstat -ano |find "52311"
  UDP    0.0.0.0:52311          *:*                                    7864
  UDP    [::]:52311             *:*                                    7864

edit: snipped out my Console connections on TCP/52311


By default the client listens on 52311/udp.

BUT the host firewall may prevent that. (IIRC the client installer adds it to the firewall, but GPs may defeat it.)

At a minimum, the client must be able to reach the root (or a relay) on 52311/tcp.

If using relay selection, the client must also be able to ping (ICMP ECHO) the root/relay, and receive a reply.

For promptness of service, it helps a great deal if the root/relay infrastructure can also reach the endpoint on 52311/udp.


This conversation is a little old, but I would comment that depending on how you are checking, the agent may not appear to be listening on the port. For example, if you use an nmap scan to check and you use any scan method that depends on TCP (like a SYN scan or a TCP connect scan), it will not appear to be listening. Remember that UDP is a connectionless, “best-effort” datagram protocol. It won’t show up like a TCP listener. If you are using nmap, be aware that there is an option to do a UDP scan. Try that. As others here have shown, netstat clearly shows a UDP listener. If you look at a client log, you will see that opening the listener happens quite early in the agent startup.

You can disable UDP listening, but then you must either wait for the masthead gather interval to get new actions, properties, fixlets, etc. or you must enable command polling (which increases network traffic).
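The netstat check shown earlier in the thread, and the point above that a TCP-only check misses the UDP listener, can be automated from the host side. This is an added example, not code from the thread or from BigFix: it parses `netstat -ano` output and separates the client's UDP 52311 listener from outbound TCP sessions to the relay on 52311 (which are the client connecting out, not a listener). The sample output is constructed, with assumed PID and addresses.

```python
from typing import NamedTuple

BES_PORT = 52311

class Endpoint(NamedTuple):
    proto: str   # "TCP" or "UDP"
    local: str   # local address:port as netstat prints it
    remote: str  # foreign address:port
    state: str   # TCP state, "" for UDP rows
    pid: int

# Constructed `netstat -ano` sample (not captured from a real host): the
# BESClient UDP listener on both address families, one outbound TCP session
# to a relay on 52311, and an unrelated TCP listener. PID 7864 is assumed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:49712         10.0.0.20:52311        ESTABLISHED     7864
  UDP    0.0.0.0:52311          *:*                                    7864
  UDP    [::]:52311             *:*                                    7864
"""

def parse_netstat(text: str) -> list[Endpoint]:
    """Turn `netstat -ano` rows into Endpoint records; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:  # UDP rows have no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append(Endpoint(proto, local, remote, state, int(pid)))
    return rows

def port_of(addr: str) -> int:
    """Port from 'host:port' or '[v6]:port'."""
    return int(addr.rsplit(":", 1)[1])

def bes_status(text: str, port: int = BES_PORT) -> dict:
    """Summarise what the host shows for the BigFix port."""
    eps = parse_netstat(text)
    udp = [e for e in eps if e.proto == "UDP" and port_of(e.local) == port]
    tcp_listen = [e for e in eps if e.proto == "TCP" and e.state == "LISTENING"
                  and port_of(e.local) == port]
    # Remote side on 52311 and not LISTENING: the client talking to its relay/root.
    outbound = [e for e in eps if e.proto == "TCP" and e.state != "LISTENING"
                and port_of(e.remote) == port]
    return {"udp_listener": bool(udp), "tcp_listener": bool(tcp_listen),
            "outbound_to_relay": bool(outbound), "pids": sorted({e.pid for e in udp})}
```

A UDP listener present with no TCP listener is the expected picture for a BESClient; no UDP listener at all points at the host firewall or a client that has not opened its socket.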

The BES Client does not respond to any messages it receives on UDP/52311; nmap will not detect the udp port even if you scan for it specifically.