I am having trouble changing the BigFix relay for the scenario below:
Main BigFix Server (Main Relay) ← 4 Relay Servers (Relay Installed) ← Store Server (Relay Installed) ← Touch points
Currently all my touch points are pointing to the store servers, and the store servers are pointing to the main BigFix server. But we want all the store servers to point to the 4 relay servers, and those 4 relay servers to point to the main BigFix server.
I tried to change it manually, but those store servers keep pointing to the primary/main BigFix server.
I followed all the instructions but was not able to accomplish the task. Any help will be appreciated.
My first check would be that ICMP Ping is working from the store clients to the Relays you want them to select. When using Automatic Relay Selection (with or without Affiliation Groups), the client will only select a Relay that can be pinged.
If the Relay is not pingable, and cannot be changed to be pingable, you'd have to switch to Manual Relay Selection and/or the _BESClient_RelaySelect_FailoverRelayList option to pick relays that are not pingable.
Thank you Jason for your quick response. I just found I can ping from the relay to the store servers but not from the store server to the relay. Do you think this can be an issue? If yes, what is the fix for it, please?
Yes, that definitely could be the issue. You likely need to allow ICMP / Ping from the store systems to the Relays. That's probably a firewall configuration on your network, but possibly could be a host-based firewall on the Relays themselves.
I checked and found our STS are able to ping using the IP address but not with the FQDN. Currently our relay’s FQDN is set as “XXXX.apps.deca.mil”, which is what I can see when I’m trying to manually assign the relay. The problem is that the actual relay server needs to be pinged as “XXXX.ebs.apps.deca.mil”. Since I’m not an expert on DNS, I'm not sure how to resolve it. I tried the “__BESClient_NameOverride” on the relay server but no luck. Do you have any suggestions, please?
In that case, you should sync with your network support team to get the FQDN allowed. Meanwhile, you can simply switch from automatic relay selection to manual, as @JasonWalker suggested, and change the Relay1 & Relay2 settings to those relays' IP addresses; with that, the relays should be able to reach their respective relay servers.
Another option: you can update the hosts file of the store relays to map the relay FQDN to its IP address. That should also fix the relay discovery, but I would recommend keeping Relay1 & Relay2 configured with their IP addresses until the DNS issue is fully resolved.
I think you might not have the setting name correct. You would use the setting _BESClient_Relay_NameOverride with a value like XXXX.ebs.apps.deca.mil:52311, applied on the Relay.
One potential issue is that clients will not see the updated name in their relays.dat file until after the clients gather a new version of the actionsite - which means they first have to connect using the root server's name. To avoid that first-time gather requirement you could also set _BESClient_RelaySelect_FailoverRelayList on the client at initial installation time with a value including at least one of your DMZ relays, so that at initial install clients could connect to that relay and from there get an updated relays.dat. Or, you could use the Last Fallback Relay option from BESAdmin to apply a last relay globally (this replaces trying the root server in the masthead file).
Still, it is not showing in the relay list that I can manually assign. As per HCL, it is not possible to change since it needs the masthead to be changed, which requires a new install. Are there any solutions?
Bottom line is the relay needs to show up in BigFix as “hostname.ebs.apps.deca.mil” instead of “hostname.apps.deca.mil”. Any help will be really appreciated.
It's difficult to see what you're actually setting because the Markdown formatting of the forum may be replacing some of your underscores, or you could be using the wrong setting name. Please check Tip: Formatting code for the Forum for how to format Code for the Forum and use code formatting for your setting name & value please...
That said, I wanted to make sure that on the relay you set _BESClient_Relay_NameOverride and the value should be the relay name as you want clients to resolve it. After the setting is applied, the next time that Relay checks in it should update the relays.dat in the actionsite and the new value should be selectable in the Console as a manual relay option - so if the setting is applied correctly it should be available within a few minutes.
For the _BESClient_RelaySelect_FailoverRelayList, that should be set on the clients that are failing to find a relay. The value should be a semicolon-delimited list of relay.domain:port;relay2.domain:port as described at List of settings and detailed descriptions.
With the FailoverRelayList applied at a client, the client won't need to gather a new actionsite, won't need to see the updated relay list (with name overrides), and in fact won't even have to manually select the relay -- once automatic or manual relay selection fails, the client will 'fail over' to one of the relays in the FailoverRelayList client setting; each is tried, in the order specified, and only if they all fail to connect does the client then try the root server.
As far as the 'Last Fallback Relay' option, that does not require a reinstall, it requires running the BESAdmin tool on the root server and applying the Advanced Option for 'Last Fallback Relay'. For your case it's probably not necessary, the FailoverRelayList at the client is probably a better option.
I don't see that BESClient_RelaySelect_UseFailoverRelaxList is a valid setting at all, if you found that at some link I'd like to see because I don't think it's correct.
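Added example (not part of the thread and not BigFix code): a Python check, run from a store server, that parses a _BESClient_RelaySelect_FailoverRelayList value in the relay.domain:port;relay2.domain:port form described above and walks it in order, reporting whether each name resolves locally and whether a TCP connection to its port succeeds. The hostnames are constructed samples and the function names are hypothetical; the in-order walk mirrors the behaviour described in the reply, not the client's actual implementation.

```python
import socket

def parse_failover_list(value):
    """Parse 'relay.domain:port;relay2.domain:port' into ordered (host, port) pairs."""
    relays = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"entry {entry!r} is not in host:port form")
        relays.append((host, int(port)))
    return relays

def resolve(host, port):
    """Return the addresses the local resolver (DNS or hosts file) gives for host."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP connection to addr:port succeeds (no ICMP involved)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_failover_list(value, resolver=resolve, connector=tcp_reachable):
    """Walk the list in order; return per-entry status and the first usable relay."""
    report, first_usable = [], None
    for host, port in parse_failover_list(value):
        addrs = resolver(host, port)
        ok = any(connector(a, port) for a in addrs)
        status = "ok" if ok else ("unreachable" if addrs else "does not resolve")
        report.append((host, port, status))
        if ok and first_usable is None:
            first_usable = f"{host}:{port}"
    return report, first_usable

if __name__ == "__main__":
    # Constructed sample value; replace with the value set on the client.
    sample = "relay1.example.com:52311;relay2.example.com:52311"
    report, first = check_failover_list(sample)
    for host, port, status in report:
        print(f"{host}:{port} -> {status}")
    print("first usable relay:", first or "none (client would try the root server)")
```

A "does not resolve" result points at the DNS or hosts-file problem discussed in the thread, while "unreachable" points at a firewall or a relay not listening on that port.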