Configuring VPN relays

Hi All,

Recently i got a new requirement from my client stating that they want to configure VPN and through that VPN they want BigFix client to communicate to their BigFix server.

Well i know the concept of BigFix DMZ architecture and i have suggested them the same, but they don’t want to configure DMZ, instead of DMZ architecture they want to configure / communicate bigfix client via VPN.

I have browsed few topic in the forum where i was able to see VPN relay was discussed a lot of time but i have not received any kind of information regarding that. I would like to know more about VPN relay, how to configure them and how to use them. Any one who can help me in this issue will be a great help.

Thanks in Advance.



In a sense, it is the clients that need configured, less so the VPN relay itself.

If you create relays that accept clients connect to the VPN networks, then you in effect have VPN relays. Another option is to have relays that only accept clients connected to the VPN networks so that they don’t end up handling too much traffic from both internal and VPN clients. This also has the benefit that if a client is talking to a designated VPN relay, then you know it is a device on the VPN.

There is some discussion here:

Generally you have 3 different kinds of client to relay connections:

  • Internal
  • VPN
  • DMZ

In this specific case, you are talking about only have 2 of the 3.

Many devices never leave the building, so they are always “Internal”… Servers and Desktops for example.

Other devices can switch between any of the 3 possible modes.

For those devices, it is key to enable _BESClient_RelaySelect_AlwaysOnIPListChange so that changes to network connection will cause the relay to select a new relay automatically. BigFix will do this by default, but ONLY if the network connection currently being used goes away, while in the case of VPN, you are adding a new connection in addition to the existing one. This actually matters most to have clients go from DMZ relay to VPN relay, less so if the only options are internal or VPN relay.

Is relay auto-selection currently in use?
Does ICMP work over the VPN?

If ICMP (ping) doesn’t work for the clients to the VPN relays, then automatic relay selection will not work, in which case you should use the failover relay list settings for VPN or DMZ relays… otherwise should allow ICMP on the VPN to the VPN relays.

If ICMP (ping) does work for the clients to the VPN relays, then automatic relay selection should just work, but you can use relay affiliation groups to augment how it works. Generally you want a client to prefer connecting to an internal relay, then if that fails, try a VPN relay, then if that fails, try DMZ relays.

You should generally have at least 1 relay configured as a failover relay in case automatic relay selection does not work. This might just be a typical VPN or DMZ relay, but if you have a large number of clients, you might actually want a specific failover relay that is only for clients using the failover mechanism so that you know that clients currently talking to it are having an issue. Also, in this case, you probably want the failover relay to accept any client, internal, external, or VPN, so that it can be used as the failover for all cases, or using a failover list, this could actually be 3 different relays in an ordered list: internal;VPN;DMZ

Hi @jgstew Answering to your questions:

  1. No we have not enabled relay automatic selection in our environment.
  2. We need to check if ICMP is enabled or no.

I have few question which are :
like we set a DMZ relay for the clients which are going to communicate over the internet, the same way we will have to set a VPN relay ?

If yes, then what settings needs to be deployed on the VPN relay, as for DMZ relay we nat it with the global dns and open port 52311 TCP/UDP.

Thanks in Advance,


Then ICMP shouldn’t be a factor, manual relay selection wouldn’t use it.

You could then just use a VPN relay as a failover relay setting if you aren’t going to use automatic selection and don’t have DMZ relays.

not sure what you mean by this. It should be similar, but it using NAT or not depends entirely on your network design and configuration.