Concerns/Suggestions for managing two networks from one Root Server?

So I recently procured licensing to move from SCCM/WSUS on a second network to BigFix and am looking to improve efficiency if I can while I deploy. These networks exist within the same datacenter, however they are completely separate, with the second being fairly small. Hosting services repeatedly has been a huge time waster in the past. I have talked to my security team about perhaps allowing a VM on both sides to communicate with each other through our firewall appliances, with rules limiting it to 52311 traffic only, and slapping a relay on the smaller network for agents to talk back to the Root server on network one. No trusts or anything like that would happen, but I think I might be able to get approval for BigFix traffic only.

Can anyone think of any gotchas or limitations that would be of concern by handling it this way?

Thanks!

That’s actually a very common use case that should serve you well. In many of our largest deployments, none of the clients can reach the Root Server; they all go through Relays only, and that’s the configuration I’d recommend to reduce the workload and the attack surface of the root server.

Some considerations -

  • For initial registration, you should configure the isolated clients with _BESClient_RelaySelect_FailoverRelayList at install time, directing the client to the relay(s) it can reach since they won’t be able to register directly on the root server.

https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_windows_clients.html

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html

  • The Relay(s) serving the isolated network may not be able to resolve the names of their upstream relays or root (given an isolated network might use split DNS). You may need to add DNS aliases on the isolated network, or HOSTS file entries on the isolated Relays to reach their upstream server.

  • For fastest response, you’ll want to allow TCP/52311, initiated in both directions, between the isolated Relay(s) and their upstream Relay/server. The upstream Relay initiates connections to notify the child of new actions or content, and the child relay connects upstream to gather the updated sites & downloads. If you cannot enable traffic from the upstream to the child, configure Command Polling on the child relays so they will periodically check, since they can’t receive the notifications.

For notification traffic to the clients, you’ll want to enable 52311/UDP from the Relay to its clients, or enable Persistent Connections from the clients, or enable Command Polling on the clients.

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html#r_client_set__cnot

  • You might also consider the “DMZ Relay” configuration, where instead of the child relay connecting upstream, the upstream Relay connects outward to the child (DMZ) relay and establishes a persistent connection. That removes the need for any connections initiated upstream from the child relay.

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html#r_client_set__rdmz

  • Given that these networks are probably separated for good reason, give some consideration to whether you need to divide Operator accounts or computer site subscriptions to limit who can send actions to which machines.
1 Like
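The advice above (pre-seeding the failover relay list at install time, and enabling command polling wherever the upstream side cannot initiate TCP/52311 to the child) can be turned into a small generator for the client settings file. This is an added example, not code from the thread or from HCL: it assumes failover entries are written as `host:port` joined by `;`, and it uses the documented `_BESClient_Comm_CommandPoll*` client settings; the relay hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or the BigFix documentation).
# Renders clientsettings.cfg lines for a client or relay on the isolated network.
# Assumption: _BESClient_RelaySelect_FailoverRelayList takes "host:port" entries
# joined by ";". Command polling is switched on when the upstream side is not
# allowed to initiate TCP/52311 toward this host, so it still picks up actions.

# Validate one "host:port" entry; status 1 if the form is wrong.
valid_relay_entry() {
    host=${1%%:*}; port=${1##*:}
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1   # must contain a colon
    case $port in ''|*[!0-9]*) return 1 ;; esac          # port must be numeric
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then return 0; else return 1; fi
}

# render_clientsettings "relay1:52311;relay2:52311" <upstream_can_notify: yes|no>
# Prints the settings to stdout; status 1 if any relay entry is malformed.
render_clientsettings() {
    list=$1; notify=$2
    printf '%s\n' "$list" | tr ';' '\n' | while read -r entry; do
        valid_relay_entry "$entry" || { echo "bad relay entry: $entry" >&2; exit 1; }
    done || return 1
    printf '_BESClient_RelaySelect_FailoverRelayList=%s\n' "$list"
    if [ "$notify" = "no" ]; then
        # Upstream -> child traffic is blocked: poll for new actions every 15 min.
        printf '_BESClient_Comm_CommandPollEnable=1\n'
        printf '_BESClient_Comm_CommandPollIntervalSeconds=900\n'
    else
        # Upstream can reach us on TCP/52311: rely on notifications instead.
        printf '_BESClient_Comm_CommandPollEnable=0\n'
    fi
}

# Constructed placeholder relays on the isolated network; usage:
# render_clientsettings "relay1.isolated.example:52311;relay2.isolated.example:52311" no > clientsettings.cfg
```

Drop the resulting file next to the client installer so the first registration goes to a relay the isolated host can actually reach.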

Jason,

This is exactly the info I was looking for. Manually adding the failover relay info upfront will save some headache for sure. I have a feeling that may not have occurred to me until nothing worked.

Thank you for putting the time into this response!

3 Likes