BigFix Client in AWS Workspace Image

I’m attempting to create a custom Windows image for AWS Workspace with the BigFix Client bundled in. However, the client is unable to register with my authenticating relay once I remove the ComputerID, RegCount and ReportSequenceNumber.
I tried step #3 from https://help.hcltechsw.com/bigfix/9.5/inventory/Inventory/probdet/t_preserving_bundling_when_BigFix_Client_is_reinstalled.html - edit registry values then delete __BESData and Keystorage directories. I also tried https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_for_windows.html - only edit registry values but not delete the 2 directories. Both methods result in the same error:

   RegisterOnce: Attempting secure registration with 'https://nnnnnn:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.1.41&Body=0&SequenceNumber=2&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://xxxxxxxx%3a52311&AdapterInfo=.....
   Response: <!DOCTYPE html><html><head><title>Error</title></head><body><h1>403 -- Forbidden</h1></body></html>
   RegisterOnce: GetURL failed - HTTP 403 Error (Forbidden) - 'http://nnnnnn:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.1.41&Body=0&SequenceNumber=2&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://xxxxxxxx%3a52311&AdapterInfo=.....' http failure code 403 - registration url - http://nnnnnn:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.1.41&Body=0&SequenceNumber=2&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://xxxxxxxx%3a52311&AdapterInfo=.....

What am I doing wrong?

A BigFix Client without a certificate cannot register to an authenticating relay; the Manual Key Exchange procedure must be applied in such a case.

There is a way to “automate” this with at least the 10.0 clients and above, but you have to be willing to embed a password and a few settings into your image to allow this, or to allow the root server to be open and reachable (which may not be an option).

@AlanM Exposing the root won’t be an option but I’m curious about embedding it in the image. We are on v10. Could you share more?

It's some settings, but it can be difficult to explain. I suggest contacting support so they can tell you how to do this with predefined settings.

@AlanM Thanks. I did open up a case and the person helping might not be aware of what your solution involves. They said that manual key exchange is required here. Any clues I can give them to point them in the right direction?

Have them contact me internally and I’ll get them some info which they can translate to your specifics.

I guess the setting that Alan is referring to is _BESClient_SecureRegistration and it’s mentioned in the Manual Key Exchange doc page I referred to in my first reply.

@AlanM Thanks. I was able to resolve this with HCL Support with your help.

@aginestr This is the key. I had that client setting in the registry but it still wasn’t working. The trick was to make sure that the password was in clear text prior to creating the master image. Once the client successfully registers, it becomes obfuscated.

The tier 2 engineer said that they will update the documentation to add that last step.

@jriv Thank you for the update.
