I’m curious if I could build an infrastructure where the clients can only communicate with relays, and not the server itself. Ever.
This post suggests it is possible:
The architecture will look like this:
Server<—>FW1<—>Relay<—>FW2<—>Clients
Clients will be able to see and communicate with the relay through FW2, but not able to see or communicate with the server through FW1 and then FW2. The relay will be able to communicate with the server through FW1 and with clients through FW2.
I understand the need to perform extra steps to configure clients to use relay during installation.
A best practice is to isolate the BigFix Server and Console clients (maybe a Terminal Server hosting the console) within a private network segment, so that both Console and Relay access to the server is limited. A small number of “Top-Level Relays” would communicate directly with the server, and other Relays throughout the enterprise form a hierarchy with the “Top-Level Relays” at the top of the chain.
Clients and Relays need ICMP and tcp/52311 (by default, you could change it) traffic “upward” to their parent Relay; and Relays “should” allow udp/52311 downward to their clients (a UDP message is sent to clients when there is a new content/action/etc. available).
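As an added example (not code from the thread), a small Python model of the two firewall rule sets the answer describes, used to check the original question's requirement that no client-initiated flow ever reaches the server. The addresses are constructed placeholders, and the FW1 rules assume the relay-to-server hop mirrors the client-to-relay rules, which the answer only implies by calling the server the top-level relay's "parent".

```python
"""Policy model of Server <-> FW1 <-> Relay <-> FW2 <-> Clients.
Added example; constructed addresses; initiating direction only."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
BES_PORT = 52311  # BigFix default; adjust if the deployment changes it

# Constructed segments; index order is used to find the firewalls on a path.
CLIENT_NET = ipaddress.ip_network("10.0.3.0/24")
RELAY_NET = ipaddress.ip_network("10.0.2.0/24")
SERVER_NET = ipaddress.ip_network("10.0.1.0/24")
SEGMENTS = (CLIENT_NET, RELAY_NET, SERVER_NET)

# Allow lists as (src, dst, proto, dport); anything not listed is dropped.
# FW2: clients go upward with ICMP + tcp/52311, relay sends udp/52311 down.
FW2_ALLOW = [(CLIENT_NET, RELAY_NET, "tcp", BES_PORT),
             (CLIENT_NET, RELAY_NET, "icmp", None),
             (RELAY_NET, CLIENT_NET, "udp", BES_PORT)]
# FW1: assumption that the relay's hop to its parent (the server) follows
# the same upward/downward pattern as the client-to-relay hop.
FW1_ALLOW = [(RELAY_NET, SERVER_NET, "tcp", BES_PORT),
             (RELAY_NET, SERVER_NET, "icmp", None),
             (SERVER_NET, RELAY_NET, "udp", BES_PORT)]
FIREWALLS = {(0, 1): FW2_ALLOW, (1, 2): FW1_ALLOW}

def _segment(ip):
    addr = ipaddress.ip_address(ip)
    for idx, net in enumerate(SEGMENTS):
        if addr in net:
            return idx
    raise ValueError(f"{ip} is outside the modelled segments")

def _permits(rules, f):
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return any(src in s and dst in d and f.proto == p
               and (port is None or f.dport == port)
               for s, d, p, port in rules)

def allowed(f):
    """True only if every firewall between src and dst permits the flow."""
    a, b = sorted((_segment(f.src), _segment(f.dst)))
    return all(_permits(FIREWALLS[(k, k + 1)], f) for k in range(a, b))

def clients_never_reach_server():
    """The original question's requirement, checked against the rule sets."""
    probes = [Flow("10.0.3.10", "10.0.1.5", p, port)
              for p in ("tcp", "udp") for port in (22, 80, 443, BES_PORT)]
    probes.append(Flow("10.0.3.10", "10.0.1.5", "icmp", None))
    return not any(allowed(f) for f in probes)
```

Both firewalls are assumed stateful, so replies to a permitted connection need no extra rule; the relay is then the only host with a path to both sides and should be hardened accordingly.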