BigFix relay and reverse proxy

Hi All,

We have installed a BigFix Relay in our DMZ. On BigFix clients on the internet we set the relay failover setting to port 443 because the default port 52311 is not allowed. Now we are trying to configure communication from BigFix clients on the internet through a reverse proxy. Is this possible, and if so, please let me know how?

Kind regards!

Anything is possible given enough time, energy or effort… but don’t do this.
It is best to have your network admin allow for communication over 52311 TCP to that one DMZ server. And then to have communication from your DMZ server to the BigFix server over 52311 TCP.

2 pretty easy firewall rules that many network professionals I have met have been happy to write.
-jgo

I would also like to use the preferred port, but the customer's policy allows only port 443, so we cannot do anything about that.
We have already set up the environment, but the clients are not registered with the BigFix server. We are getting the following error messages in the log files, but if we paste the URL from the log file into the browser we get an answer. Any idea?

RegisterOnce: Attempting secure registration with 'https://xxx.xxx.xxx:443/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=9.5.4.38&Body=14031744&SequenceNumber=41&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://yyy.yyy.yyy%3A52311&AdapterInfo=00-0c-29-83-3e-ee_192.168.1.0%2F24_192.168.1.13_0'
Unrestricted mode
Configuring listener without wake-on-lan
Registered with url 'https://xxx.xxx.xxx:443/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=9.5.4.38&Body=14031744&SequenceNumber=41&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://yyy.yyy.yyy%3A52311&AdapterInfo=00-0c-29-83-3e-ee_192.168.1.0%2F24_192.168.1.13_0'
Registration Server version 9.5.4.38 , Relay version 9.5.4.38
Relay does not require authentication.
Client has an AuthenticationCertificate
Relay selected: xxx.xxx.xxx. at: 10.10.10.10:443 on: IPV4 (Using setting IPV4ThenIPV6)
At 23:44:37 +0200 -
PollForCommands: Requesting commands
PollForCommands: GetURL failed
Entering service loop
FAILED to Synchronize - General transport failure. - 'http://xxx.xxx.xxx:443/cgi-bin/bfenterprise/BESGatherMirror.exe?url=http://yyy.yyy.yyy:52311/cgi-bin/bfgather.exe/actionsite&Time=29Mar23:44:37&rand=25251b6c&ManyVersionSha1=da39a3ee5e6b4b0d3255bfef95601890afd80709' http failure code 400 - gather url - http://xxx.xxx.xxx:443/cgi-bin/bfenterprise/BESGatherMirror.exe?url=http://yyy.yyy.yyy:52311/cgi-bin/bfgather.exe/actionsite&Time=29Mar23:44:37&rand=25251b6c&ManyVersionSha1=da39a3ee5e6b4b0d3255bfef95601890afd80709
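The log excerpt above shows the pattern the later replies diagnose: registration goes through the failover URL on port 443, while the masthead Root URL and the relay itself are on 52311, and the actionsite gather then fails. The following is an added example, not code from the thread or from BigFix, that parses a constructed copy of those client log lines (placeholder hosts kept, straight quotes assumed) and flags the port mismatch and the HTTP failure code, so the same check can be run over a real BESClient log.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample, modelled on the BESClient log lines quoted in the post
# (placeholder hosts xxx.xxx.xxx / yyy.yyy.yyy kept, query strings shortened).
SAMPLE_LOG = """\
RegisterOnce: Attempting secure registration with 'https://xxx.xxx.xxx:443/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&Root=http://yyy.yyy.yyy%3A52311'
Registered with url 'https://xxx.xxx.xxx:443/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&Root=http://yyy.yyy.yyy%3A52311'
Relay selected: xxx.xxx.xxx. at: 10.10.10.10:443 on: IPV4 (Using setting IPV4ThenIPV6)
PollForCommands: GetURL failed
FAILED to Synchronize - General transport failure. - 'http://xxx.xxx.xxx:443/cgi-bin/bfenterprise/BESGatherMirror.exe?url=http://yyy.yyy.yyy:52311/cgi-bin/bfgather.exe/actionsite' http failure code 400 - gather url - http://xxx.xxx.xxx:443/cgi-bin/bfenterprise/BESGatherMirror.exe?url=http://yyy.yyy.yyy:52311/cgi-bin/bfgather.exe/actionsite
"""

# Accept straight or curly quotes around the URL, as forum copies use both.
URL_RE = re.compile(r"[\u2018'](https?://[^\u2019']+)[\u2019']")
FAIL_RE = re.compile(r"http failure code (\d{3})")


def analyze_client_log(text):
    """Summarise relay port, masthead Root port and gather failures from a BESClient log."""
    result = {"registered": False, "relay_port": None, "root_port": None,
              "gather_failures": []}
    for line in text.splitlines():
        m = URL_RE.search(line)
        if "Registered with url" in line and m:
            url = urlparse(m.group(1))
            result["registered"] = True
            result["relay_port"] = url.port          # port the client actually used
            # Root= carries the masthead server URL, percent-encoded (%3A is ':').
            root = parse_qs(url.query).get("Root", [None])[0]
            if root:
                result["root_port"] = urlparse(root).port
        if "FAILED to Synchronize" in line:
            code = FAIL_RE.search(line)
            result["gather_failures"].append(int(code.group(1)) if code else None)
    # The thread's diagnosis: client talks on one port, relay listens on the masthead port.
    result["port_mismatch"] = (result["relay_port"] is not None
                               and result["root_port"] is not None
                               and result["relay_port"] != result["root_port"])
    return result


if __name__ == "__main__":
    print(analyze_client_log(SAMPLE_LOG))
```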

The relay will listen on the port that you set up in the infrastructure, probably 52311, and the client is trying to post to 52311, which is suppressed at the network level (I am guessing).

So… the one thing you could do… which is not supported is port forwarding. Forward 443 to 52311. Is that possible?

-jgo


But if we set the _BESClient_RelaySelect_FailoverRelay setting on the client to http://xxx.xxx.xxx:443/bfmirror/downloads, then the client will try to register through port 443?

Check your Masthead file. It will specify the port that your system is configured to use.

I do not believe you can change that port after the masthead file is created. The Relays and Clients will listen on THAT port.

I would recommend your customer configure a Firewall rule to allow traffic on TCP/52311 to just your Relays IP.

Yes, the client will try to communicate through port 443. But no one will be listening on that port…

client talking on 443 AND relay listening on 52311 = Ill Communication.

So 52311 to that relay is really the only sane thing to do, as @TimRice says.
-jgo

Based on this, it appears that the Client is in fact registering through the Relay (note the ‘Registered with url’ line), but that it is not able to gather the actionsite. Is the Relay in question properly synchronizing with sites? What does the Gather Status report show (accessible via the Relay Diagnostics page)?

http://www-01.ibm.com/support/docview.wss?uid=swg21505823

This config should work if port 443 is forwarded to 52311 or somehow the relay is set to use 443 or if the connection is proxied from 443 at the configured URL to 52311 on the actual relay. It seems like this would only work if enhanced security is off.

I keep meaning to try a failover relay configured to port 443 but I haven’t done so myself.

Just to be clear, you don’t need port 52311 open on the clients, only that the relay be able to accept incoming connections over 52311 over the DMZ.