Client installation error

The installed version is 9.5.7.90, and
the client installed is Windows desktop. It happened to a group of 15 machines.

The errors shown in the client logs are as follows:

   RegisterOnce: Relay does not support secure registration.
   RegisterOnce: Current deployment 'x-bes-minimum-supported-relay-level' masthead setting does not allow clear text registration.

This is a brand new installation. Is there any way to allow clear text registration or set the relay to support secure registration?
The client is registered directly with the BigFix Server. I have tried to register with one of the relays; it reports the same.

Sounds like you require a certificate to communicate with your infrastructure. Is the cert included in your masthead?


You may need to adjust settings in the BESAdmin tool to change how this is working.

You may also need to disable relay authentication on the relay specifically.

During installation, I enabled Enhanced Security and everything worked fine.
Subsequently, I disabled Enhanced Security and installed on another group of computers, and the error occurred.
I enabled it again and rebooted the BigFix Server, but the error still exists.

How can I ensure that Enhanced Security is enabled or disabled?
Is there any setting to verify?


Enhanced Security being on might be part of the issue. You may need to check the client settings of the relays to see if client authentication is set. It may also be something where the relay gets new default behavior by Enhanced Security being enabled, but needs to be explicitly set to not use those behaviors when it is disabled.

I’d recommend filing a PMR with IBM Support about this issue.

Not sure who knows the most about Enhanced Security and its effects and how it may relate to this. @AlanM @Aram

Hi James,
Just curious: when Enhanced Security is turned on, does the firewall require any other ports to be opened?
Currently I only allow 52311/TCP both ways.
Is 443/TCP required?
I tried to find the settings to disable/enable relay authentication, but no luck. Is it possible to give a hint?
Many Thanks

TCP/52311 is all that is required between the clients and the Relays.
You need to have UDP/52311 from the Relay to the clients to allow notification of new actions unless you choose to use Command Polling (actually recommend BOTH UDP and Command Polling just in case, got that one from James a while back!)

Did you ever find a solution to this?

You need to set minimumSupportedRelay to 0.0.0 to allow open client registration on relays. You can still enable client authentication on specific relays like those in the DMZ on a case by case basis.

The issue is that if this value is unset / unconfigured on new deployments, then it defaults to 9.5.6, while on older deployments that have been upgraded, it defaults to 0.0.0.

You can see what this is set to in your deployment by consulting a current masthead / actionsite file and looking for the line starting with x-bes-minimum-supported-relay-level to see what the value is set to. If this line does not exist at all in the masthead, then I believe it is considered to be effectively 0.0.0.


When these changes are made in BESAdmin, will they propagate down as registry key changes or updates to the masthead? Just trying to understand where these changes can be seen on the local systems.

That would be seen in the masthead (actionsite.afxm).

Thanks for confirming. That is what I thought but I am not seeing it propagate down and it’s been a few days… I also do not see the new value on the exported masthead when exporting via admin tool.
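
The masthead check described in the replies above, as an added example (not code from the thread or from BigFix): it reads the x-bes-minimum-supported-relay-level line from several masthead copies, such as a BESAdmin export and a client's actionsite.afxm, and reports whether they agree. The "name: value" line format, the sample mastheads and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

HEADER = "x-bes-minimum-supported-relay-level"  # name as quoted in the client log

# Constructed sample mastheads (not real files); only the HEADER line matters here.
SERVER_EXPORT = "x-constructed-sample: server export\n" + HEADER + ": 0.0.0\n"
CLIENT_COPY = "x-constructed-sample: client copy\n" + HEADER.upper() + ": 9.5.6\n"
NO_LINE = "x-constructed-sample: masthead without the line\n"


def relay_level(masthead_text):
    """Return the configured level as a tuple of ints, or None if the line is absent."""
    # Assumption: the setting is stored as "name: value" at the start of a line.
    pattern = re.compile(rf"^{re.escape(HEADER)}\s*:\s*(\d+(?:\.\d+)*)", re.IGNORECASE)
    for line in masthead_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def summarize(copies):
    """Map each labelled masthead copy to its effective level; flag disagreement."""
    report = {}
    for label, text in copies.items():
        level = relay_level(text)
        # Working assumption from the thread: a missing line behaves like 0.0.0.
        effective = level if level is not None else (0, 0, 0)
        report[label] = {
            "line_present": level is not None,
            "effective": ".".join(str(n) for n in effective),
            # Per the thread, 0.0.0 allows open client registration; treating every
            # other value as restricting it is an assumption of this example.
            "open_registration": not any(effective),
        }
    in_sync = len({entry["effective"] for entry in report.values()}) <= 1
    return report, in_sync


if __name__ == "__main__":
    # With paths on the command line, compare those files; otherwise use the samples.
    # latin-1 decoding never fails, whatever bytes follow the text lines.
    copies = {p: Path(p).read_bytes().decode("latin-1") for p in sys.argv[1:]} or {
        "server export": SERVER_EXPORT, "client copy": CLIENT_COPY}
    report, in_sync = summarize(copies)
    for label, entry in report.items():
        print(label, entry)
    print("all copies agree" if in_sync else "copies differ")
```

Run it with the paths of the masthead copies to compare as arguments; with no arguments it uses the constructed samples.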