BigFix Relays Assignment

Hello. I am a new BigFix admin. I need to assign clients to relays. They need to be in the same domain and have a maximum of 1000 hosts per relay. Any fixlet/task/config for how to apply it? I would appreciate any help. Thanks!


Relay selection methods are MANUAL or AUTOMATIC.

If you use Manual, you manage which clients report to each Relay. You can specify a Primary and Secondary Relay for each computer.

If you use Automatic Relay Selection, you can have each Relay advertise one or more “Affiliation Groups” and can associate endpoints with these Groups. Your clients will automatically choose the “closest” Relay based on ICMP Hop Counts. There are Relay settings that will prevent a Relay from accepting more than a designated number of clients. If you go the route of restricting Relays to 1000 clients, you need to make sure you have more than enough Relays online at all times.


Hi. Is there any possibility to manipulate the ICMP flooding of the environment? If, let’s say, we have 20 000 hosts per production site with 1 BigFix Server and 20 relays, it may influence the network. Thanks!

Yes, there are ways to limit the ICMP traffic generated by clients as they look for a Relay. I encourage everyone to review the list of Configuration Settings that IBM has published.

Specifically, I believe you might be interested in …

  • _BESClient_RelaySelect_IntervalSeconds - Limit how often the client looks for a different Relay.
  • _BESClient_RelaySelect_MaximumTTLToPing - Limit how many ICMP Hop Counts the client will consider for its Relay. You can use the “Deployment Overview” in the “BigFix Management” Domain to see an overview of the Hop Counts that your clients are reporting to their Relays.
  • _BESClient_RelaySelect_PingDelayMicroSeconds - How long to wait between PING attempts.
  • _BESClient_RelaySelect_ResistFailureIntervalSeconds - How sensitive the client is to the current Relay not replying. Applies to when the client starts to look for a new Relay.
  • _BESClient_Register_Affiliation_SeekList - Which Relay Affiliation Groups the client will try to connect with.

If you are using Automatic Relay Selection and have a large or complex network you might consider reading about “Relay Affiliation”.


Hi,
everything looks great. I also found _Enterprise Server_ClientRegister_MaxChildCount to limit clients within a relay. One last question. Do you know how to write a Fixlet which will assign clients to a relay within the same domain (like after the “.”)? Or should it be done manually? Thanks again!

I would use the Relay Affiliation Groups to control this.

You can create a Fixlet that sets the setting appropriately based on your Domains. If you need to see what a Fixlet Action command would look like, try using the “Edit Computer Setting” to set a setting on a computer, then take a look at the Action that is generated to accomplish it. Copy the Action command and replace the “date/time” element with something like “{now}” which is the Relevance for the “current date/time” in the format needed by the SETTING command. I recommend this to all my Console Operators that want to learn how to write Custom Content. Just about everything that impacts the clients in BigFix is done as an Action, and it’s all visible to you in the Console. Get a copy of the QnA tool to help you learn and test Relevance clauses. Again, you can scavenge a LOT of good Relevance from the Fixlets/Tasks that IBM provides to you. Also look at the Relevance that is used for the “Retrieved Properties”. You can easily see this under the “Manage Properties” dialog available under the Tools Menu. I recommend you NOT add new properties from here, but it allows you to see all the properties and the underlying Relevance for each.

One note about the “_Enterprise_ServerClientRegister_MaxChildCount” setting: if you tell the Relay to only allow 1000 clients, that is all it will allow to register, period. You might want to set the limit a little higher to start with, just in case you find you need more Relays. You don’t want to end up with a bunch of isolated clients that can’t find a Relay.

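One way to build the domain-based Fixlet the reply above describes, as an added example (constructed here, not a Fixlet from this thread or from IBM content): the Relevance tab keeps the Fixlet relevant only while the seek list differs from the client’s DNS domain, and the Action Script tab writes that domain into _BESClient_Register_Affiliation_SeekList. It assumes each Relay advertises its own domain name as an Affiliation Group (the Relay-side setting _BESRelay_Register_Affiliation_AdvertisementList is not discussed in the thread), and that the “domain” is everything after the first “.” of the client’s dns name.

```actionscript
// Added example, not part of the original thread.
// Relevance tab of the custom Fixlet (paste as one line):
//   not exists setting "_BESClient_Register_Affiliation_SeekList" whose (exists value of it and value of it = (if exists first "." of it then following text of first "." of it else it) of dns name) of client
//
// Action Script tab:
// The "{...}" substitution is evaluated on each client before the line is
// parsed, so every machine gets its own domain as its Affiliation Group.
// A dns name without any "." keeps the whole name instead of failing the
// substitution (a plain "following text of first" would error and abort
// the action on such a host).
setting "_BESClient_Register_Affiliation_SeekList"="{(if exists first "." of it then following text of first "." of it else it) of dns name}" on "{now}" for client

// Ask the client to re-run automatic relay selection now rather than
// waiting for the next _BESClient_RelaySelect_IntervalSeconds cycle.
relay select
```

Verify the computed group with the QnA tool on a few clients (for example `q: (if exists first "." of it then following text of first "." of it else it) of dns name`) before targeting the whole site, and check the Hop Counts in Deployment Overview afterwards to confirm clients actually moved to an in-domain Relay.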

@Witwicky Regarding protecting the network against ICMP floods, @TimRice pointed out 5 settings to use. This article discusses them and gives recommendations for what values they might be set to based on size of deployment and level of distributivity.


Question for you BigFixNinja… The article you listed has several grammatical errors, so I wanted to confirm that _BESClient_RelaySelect_MaximumTTLToPing default truly is 20 hops.

In my case, I haven’t changed or added a value (yet) but I do have a small number of endpoints on the raw Internet in Bangalore connecting to a DMZ relay in the US with a hop count over 20 and as high as 83. Is that because I have the setting “_BESClient_RelaySelect_FailoverRelay” set to that DMZ relay? Basically the default is 20, but since it can’t connect, it selects the Failover, essentially bypassing any “_BESClient_RelaySelect_MaximumTTLToPing” setting; default or otherwise?

Based on the setting being documented here:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings

The default value is 20 starting in version 7.0+ (so in all current versions)

That is right about the failover list. If for some reason the client cannot select a desired relay because either the hop count is too high or the network latency in sending and receiving the ICMP packets is too long, then the client will time out in its attempt to do automatic relay selection and start on the relay failover list, in the order of the entries listed in the relay failover list setting. This is the setting you will want to use to define multiple relay failover candidates:
_BESClient_RelaySelect_FailoverRelayList.

You can try to increase the MaximumTTLToPing to 255 and test to see if that will help that endpoint to select its desired relay. You may also want to set this setting and increase it to its maximum as well:

_BESClient_RelaySelect_PingDelayMicroSeconds
Type: Numeric
Version: 5.1
Platform: All
MinNumeric: 0
MaxNumeric: 1000000
Default: 200
Requires Client Restart: NO
Description: Delay this much between ping groups during relay selection.

This will allow for more time between the ping groups, and adding that time increases the total time the listener will remain open waiting for an ICMP packet to come back (good for high latency environments).

Thanks for confirming. I didn’t know multiple failovers could be set in that field using semi-colons.

Hmmm… The document lists the format as:

_BESClient_RelaySelect_FailoverRelayList = "relay1.company.com"

I have been using:

_BESClient_RelaySelect_FailoverRelayList = http://relay1.company.com:52311/bfmirror/downloads/

Can anyone confirm which is correct?

Like anything, it’s a balance of administration overhead and best performance…

For this specific setting the correct format is just the DNS resolvable hostname or the IP address. The URL formatting is not needed (and not accurate). The URL formatting is only required in the __RelayServer1 and __RelayServer2 settings.

That’s disturbing (I’ve had it wrong for over a year)… I’ll correct these but I think it may have been working just the same. Thank you again.

Note there are two settings for managing failovers:

_BESClient_RelaySelect_FailoverRelay
Type: String
Version: 5.1
Platform: All
Default:
Requires Client Restart: NO
Description: failover relay used if configured and nobody is responding to pings. Like __RelayServer1, it should be of the form http://server:52311/cgi-bin/download

And

_BESClient_RelaySelect_FailoverRelayList
Type: String
Version: 9.0
Platform: All
Default:
Requires Client Restart: NO
Description: A semicolon delimited list of failover relay names used if configured and nobody is responding to pings. If present and not empty, it replaces _BESClient_RelaySelect_FailoverRelay.

The _BESClient_RelaySelect_FailoverRelay setting requires that the parent relay be in the URL format.

The _BESClient_RelaySelect_FailoverRelayList should be used instead of the _BESClient_RelaySelect_FailoverRelay as it is a newer setting and can be used to define single failover relay parents as well as multiple failover relay parents.
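An added example (constructed here, not from this thread or from IBM content) that turns the format discussion above into a check-and-fix Task: the Relevance finds clients whose _BESClient_RelaySelect_FailoverRelayList was written in the URL form that the reply says is wrong for this setting, and the Action rewrites it as the semicolon-delimited hostname list, raising the hop limit and ping delay to the values discussed earlier in the thread. relay1.company.com and relay2.company.com are placeholder names.

```actionscript
// Added example, not part of the original thread.
// Relevance tab (one line): relevant only where the failover list still
// carries a URL instead of bare hostnames, so the Task is a no-op elsewhere.
//   exists setting "_BESClient_RelaySelect_FailoverRelayList" whose (exists value of it and value of it as lowercase starts with "http") of client
//
// Action Script tab:
// Guard again inside the action so a client that was already corrected
// between evaluation and execution is left untouched.
if {exists setting "_BESClient_RelaySelect_FailoverRelayList" whose (exists value of it and value of it as lowercase starts with "http") of client}
    // Hostname-only, semicolon-delimited, tried in the order listed
    // (placeholder relay names).
    setting "_BESClient_RelaySelect_FailoverRelayList"="relay1.company.com;relay2.company.com" on "{now}" for client
endif

// Tuning for high-latency or many-hop paths, from the values discussed
// above: accept up to 255 hops and use the documented maximum delay
// between ping groups so the ICMP listener stays open longer.
setting "_BESClient_RelaySelect_MaximumTTLToPing"="255" on "{now}" for client
setting "_BESClient_RelaySelect_PingDelayMicroSeconds"="1000000" on "{now}" for client
```

Before deploying, confirm with QnA that `value of setting "_BESClient_RelaySelect_FailoverRelayList" of client` returns the hostname form on a corrected test machine, and keep __RelayServer1 / __RelayServer2 in their URL form, since only those two settings expect it.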

So I had it correct… I use the first one in my clientsettings.cfg file. But sounds like we should transition to the newer.

And you’re listing /cgi-bin/download when I have (and the docs show) /bfmirror/downloads/

/bfmirror/downloads/ is the correct one.