Communication between Servers in DMZ and BigFix Server


I need your help to clarify a point that I still can’t explain.

I found the following BigFix configuration on a customer site:

BigFix Servers Version 9.5.9
One relay
Hundreds of servers (AIX, Linux, Windows) in a partitioned and secured area (internal DMZ). Port 52311 is not open between these servers and the BigFix server
The relay is in the DMZ, port 52311 is open between the relay and the BigFix server
On the hosts file of the DMZ servers, the client has given the IP address of the BigFix server to the relay (strange)

With this configuration, which is normally incorrect, the client can see the DMZ servers on the console. I also manage to execute some fixlets on these servers: Stop starting the agent, etc.
For the moment, the client only needs the inventory module and has not yet started using the Patch Management module.
On the console level, no server is assigned to this relay

I explained to the customer that this installation is not in accordance with the BigFix recommendations and that it was necessary to use a Relay configuration in DMZ: Relay on the LAN + Relay on DMZ and all the following configuration. Except that the customer insists on having a precise explanation of his configuration and explains the problems that his installation causes, especially since the DMZ servers are clearly visible on the console with all the information on the inventory.

Can you give me feedback and tell me why the servers are visible on the console without respecting the recommendation? I remind you that port 52311 is not open between the servers and the BigFix server.


The reason this technically works is that the Clients are being tricked into thinking they’re reporting directly into the BigFix Server given the inclusion of a row in the HOSTS file on the DMZ servers that has the BigFix Server’s Gather URL resolving to the DMZ Relay’s IP Address.

This approach works, but there are at least 2 potential drawbacks as I see it:

  1. HOSTS file modification is required…which is likely being done manually and/or requires maintenance
  2. In the BigFix Console/WebUI, the DMZ Clients will report that their Relay is the BigFix Root Server, which is not technically accurate, and can introduce management complexity

There are several other ways to manage DMZ-based endpoints using BigFix, including the mechanism I believe you are referring to:

There are also Relay selection considerations (again, several potential approaches), including leveraging Relay Affiliation.


Thanks for the answer,

If I understand correctly, there is no inconsistency in this solution. It does not present any security risk. It is even supported by HCL. Is this the case?

In fact, I still can’t find a valid reason to convince the customer to change the architecture and set up a Relay DMZ configuration as recommended in the official HCL BigFix documentation.


It sounds like they do actually have a DMZ Relay configuration now, just that they are using HOSTS file games rather than setting the FailoverRelay or FailoverRelayList client settings for the clients to find that relay at registration time.
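One way to inventory which DMZ servers depend on the HOSTS-file redirection discussed in this thread, as an added example that is not part of the original posts or of BigFix itself: the script parses hosts-file text and reports entries that map the BigFix server's name to an address other than the real server. The hostname `bigfix-root.example.com`, the addresses and the sample file are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Yield (lineno, ip, [names]) for each valid entry in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip
        # Host names compare case-insensitively; ignore a trailing root dot.
        yield lineno, ip, [n.lower().rstrip(".") for n in fields[1:]]

def find_pinned_server(text, server_name, real_server_ips):
    """Return hosts entries that resolve server_name to an address
    that is not one of the real server addresses."""
    want = server_name.lower().rstrip(".")
    short = want.split(".", 1)[0]                # assumption: short name is also in use
    real = {ipaddress.ip_address(a) for a in real_server_ips}
    findings = []
    for lineno, ip, names in parse_hosts(text):
        hit = [n for n in names if n in (want, short)]
        if hit and ip not in real:
            findings.append({"line": lineno, "ip": str(ip), "names": hit})
    return findings

# Constructed sample: 192.0.2.10 stands for the DMZ relay,
# 198.51.100.5 for the real BigFix server (documentation address ranges).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# BigFix
192.0.2.10  BIGFIX-ROOT.example.com bigfix-root   # points at the DMZ relay
198.51.100.5 bigfix-root.example.com              # real server address
#192.0.2.99 bigfix-root.example.com
not-an-ip   bigfix-root.example.com
"""

if __name__ == "__main__":
    for finding in find_pinned_server(SAMPLE_HOSTS, "bigfix-root.example.com",
                                      ["198.51.100.5"]):
        print(finding)
```

Run against hosts files collected from the DMZ servers, the findings give the list of machines that would need a relay setting before the hosts entries can be removed.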