That’s actually a very common use-case that should serve you well. In many of our largest deployments, none of the clients can reach the Root Server, they all go through Relays only, and that’s the configuration I’d recommend to reduce the workload and the attack surface of the root server.
Some considerations -
- For initial registration, you should configure the isolated clients with _BESClient_RelaySelect_FailoverRelayList at install time, directing the client to the relay(s) it can reach since they won’t be able to register directly on the root server.
https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_windows_clients.html
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html
- The Relay(s) serving the isolated network may not be able to resolve the names of their upstream relays or root (given an isolated network might use split DNS). You may need to add DNS aliases on the isolated network, or HOSTS file entries on the isolated Relays to reach their upstream server.
- For fastest response, you’ll want to allow TCP/52311, initiated in both directions, between the isolated Relay(s) and their upstream Relay/server. The upstream Relay initiates connections to notify the child of new actions or content, and the child relay connects upstream to gather the updated sites & downloads. If you cannot enable traffic from the upstream to the child, configure Command Polling on the child relays so it will periodically check if it can’t receive the notifications.
For notification traffic to the clients, you’ll want to enable 52311/UDP from the Relay to its clients, or enable Persistent Connections from the clients, or enable Command Polling on the clients.
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html#r_client_set__cnot
- You might also consider the “DMZ Relay” configuration, where instead of the child relay connecting upstream, the upstream Relay connects outward to the child (DMZ) relay and establishes a persistent connection. That removes the need for any connections initiated upstream from the child relay.
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html#r_client_set__rdmz
- Given that these networks are probably separated for good reason, give some consideration to whether you need to divide Operator accounts or computer site subscriptions to limit who can send actions to which machines.
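As an added example (not code from this post or from HCL), the helper below renders the install-time clientsettings.cfg lines for clients that can only reach their local relay, with command polling as the fallback when UDP notifications are blocked, and gives an isolated relay a pre-flight check that its upstream name resolves and TCP/52311 is open. Assumptions: the failover list is written as semicolon-separated host:port entries, and all hostnames are constructed placeholders.

```python
import socket

BES_PORT = 52311  # BigFix client/relay port named in the post

def _resolve(host):
    """Real resolver: address string, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def _tcp_open(addr, port=BES_PORT):
    """Real probe: True if a TCP connection to addr:port can be opened."""
    try:
        with socket.create_connection((addr, port), timeout=3):
            return True
    except OSError:
        return False

def render_client_settings(failover_relays, poll_interval_seconds=None):
    """clientsettings.cfg lines for clients that cannot reach the root server.

    Relays are written as semicolon-separated host:port entries (an assumption
    about the setting's format; confirm against the HCL docs linked above).
    Command polling is added so clients still pick up new actions when
    UDP/52311 notifications from the relay are blocked.
    """
    if not failover_relays:
        raise ValueError("at least one reachable relay is required")
    relay_list = ";".join(f"{h}:{BES_PORT}" for h in failover_relays)
    lines = [f"_BESClient_RelaySelect_FailoverRelayList={relay_list}"]
    if poll_interval_seconds:
        lines.append("_BESClient_Comm_CommandPollEnable=1")
        lines.append(f"_BESClient_Comm_CommandPollIntervalSeconds={poll_interval_seconds}")
    return "\n".join(lines) + "\n"

def check_upstream(upstream_host, resolve=_resolve, tcp_open=_tcp_open):
    """Run on an isolated relay: does its upstream resolve and accept TCP/52311?

    resolve/tcp_open are injectable so the check runs offline in tests.
    address None -> split DNS hides the upstream (add a HOSTS entry or alias);
    tcp_52311 False -> the upstream-bound firewall rule is missing.
    """
    addr = resolve(upstream_host)
    return {"host": upstream_host, "address": addr, "resolves": addr is not None,
            "tcp_52311": bool(addr) and tcp_open(addr)}
```

With the defaults, check_upstream("your-upstream-relay") performs a real DNS lookup and TCP connect from the machine it runs on, so run it on the isolated relay itself.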