I have a test setup where I have a BigFix Server installed in a virtual machine. A BigFix Relay is installed in another virtual machine and both are in the same network and are able to communicate with each other.
My question is, how do I configure a client which is inside a network that uses a proxy with domain user authentication to talk to the relay over internet? The client is not joined to the domain.
Just to make sure it’s not an issue on the Relay side, I tested it out with a client that is using a separate broadband internet connection and it works fine.
We recently made some changes to make the agents more proxy-aware (which is a pretty rare configuration because most people don’t want their agent talking directly to the Internet), but I am not sure if they can use domain authentication…
Question for you? Why would you want your agent using your proxy to contact the internal relay?
The Relay is not internal. There is only one Relay and the clients need to talk to the relay through internet.
The situation is that some clients might be in a network that has proxy settings as described above. Which is why I was wondering if there was any way in which it could be done.
Even if we consider putting a Relay inside the network, it’ll also be under proxy using domain authentication. It need not be a member of the domain as well. So what settings would I have to change to ensure that this Relay can talk to the main relay through the internet?
You can use the same technique to make a relay work through a proxy as you do to make the BigFix Server work through a proxy: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=105 (but use the BESRelay service instead of the BESGather service). Also, one additional step you will need will be to change the setting on the relay to:
_BESGather_Comm_UseUrlMoniker=1
Setting up a relay in the remote office is the best practice to avoid using too much WAN bandwidth and, additionally, it is probably the easiest approach.
How would I install a Relay inside the network which has proxy?
I have installed a few devices inside them with the Client MSI; but even then, to push down the relay service, I need to be able to see these devices in the BES Console, which I can’t since they are inside a proxy network and are not able to reach the main relay.
Since the machine is not in the domain, we enter proxy settings and proxy authentication manually for using Internet Explorer and so on. The thing is, in the services tab, I can’t right click on the service and configure to log in using a domain account since it says that the account is invalid or doesn’t exist.
So, I tried editing the registry key as is the setup for the gather service. The thing is, I’m not sure where I should enter the keys URLMonAuthName and URLMonAuthPhrase for the Relay to work. Is it the same key as for the gather service?
Whatever Windows user you are logged in with (the user should have already set up the IE proxy settings and should have admin access on the system) is the user you can use for “Log On As” for the service.
There are other ways to do proxy authentication with settings, but I thought you mentioned that the proxy was NT authenticated and, if so, the basic proxy settings won’t work for the relay like this.
Even if the proxy is configured in the IE settings, we have to manually key in the domain user name and password when it tries to connect to the internet.
Would that affect the solution you just mentioned?
Ah… yes… that is a different proxy type than the NT Authenticated that I thought you were using… Try to also use these settings to configure the relay:
I uninstalled the Relay and Client in the PC which is in the proxy network.
Then I edited the clientsettings.cfg of the Client setup, added the Relay IP as the Relay we are using as the public relay. Instead of the Relay name, I wrote the Relay IP address just to make sure that it resolves. I also added the proxy settings values to this clientsettings.cfg file.
Once done, I installed the client in the machine again.
When I checked the log file in BES Client_BESData_Global\Logs, it tries to connect with the public Relay, but says GetURL failed.
I just took the above mentioned machine and took it to a network that is not in the proxy and it is able to connect to the server. So apparently the proxy settings configuration is not making any difference for the machine.
Any idea what else I can try?
Also, if I’m adding these keys to a relay in the registry, under which path should I put in these keys?
If the machine is joined to the domain, we do not have any issues.
In this test scenario, the machine is not part of the domain. So, we configure the proxy manually in the IE settings, and when we open the browser, it asks us for domain credentials to authenticate.
I guess I am not sure what to do… I think that something about that proxy type has trouble with our built-in proxy controls… and since you aren’t on the domain, you can’t log in as the domain user…
Is it possible to get a proxy exception or add the computer to the domain?