DMZ BES client not reading the clientsettings.cfg file for initial registration through DMZ Relay

We have one DMZ Relay(DMZRelay1) setup with required ports(52311,ICMP) opened for remote client communication . While trying to install the client for the first time on remote machine(Over Internet) its not reading the inputs from clientsettings.cfg file & directly trying to communicate with the main BES server which is not reachable from outside network.
clientsettings.cfg file is kept along with Setup.exe & Masthead.afxm during installation,which contain below configuration;


We are able to nslookup the DMZRelay dns, also tried restating client & relay services… kindly assist us on what is need to be done here? are there any registry settings required on client machine?

Check the Registry to see if the above settings are stored and correct: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client

1 Like

Does the name resolve from outside your network?
Is the host readable via TCP/52311 from outside your network?
Is the relay configured as an authentication relay? It ought to be for security, but there are complications if the client hasn’t already phoned home and received its client key.
The client log will give you valuable insight.

1 Like

Registry values at above location are pointing to the Root server but not showing the DMZ Relay server entries as mentioned in clientsettings.cfg file. I tried correcting __Relay_Control_Server1 to DMZ server but the value is getting changed back to root server after BES client service restart. How can I correct this?

no authentication applied for relay,Able to resolve the DNS from outside,also able to telnet through 52311 from outside. its just not understaning that it needs to connect to DMZ relay which is mentioned tn clientsettings.cfg. I guess this is related to registry settings but not sure what settings are required on client?

You need to know why the client install isn’t using the cfg file, but if these are brand new clients there is an initial ‘handshake’ with the server to give the clients some initial information and it appears that the only thing your clients know about is the root server (which they can’t reach).

I think the best way is to not set the client to use the DMZ relay as its primary relay. I can’t remember the setting name, but effectively you allow the client to auto select it’s relay, but you give it the external name or address of the DMZ relay as its failover relay. Look in here for threads on DMZ relay from around April last year. I have no idea why there was a sudden interest in such things at that time.

1 Like

I agree with @trn’s assessment. I’d suggest including FailoverRelayList with entries for both your DMZ Relay and your root server (and/or top-level relays)


This setting contains a list of failover relays to choose from when no relay listed as primary, secondary or specified in the tertiary list responded to pings. This setting, first introduced in BigFix 9.0, is a semi-colon delimited list of relays to try. For automatic relay selection, see Relay Affiliation. If specified, this setting overrides _BESClient_RelaySelect_FailoverRelay. (Example:;;


This is the setting:


This also works:

See these examples:

These scripts do NOT currently validate the installer that is downloaded, which they should. They also only primarily support x86 based platforms, but adding more is possible.

1 Like

Thank you! With Failover Relay option, able to register the client with DMZ relay. Still if you could help me with below info.
Any Idea why same is not working with Clientsettings.cfg file where we are explicitly providing the DMZ Relay server which is accessible but client is not acting on those info. from cfg file.
Is this something to deal with name override Fixlet that needs to be applied on DMZ relay?

If you’ve tried multiple times on the same machine, you might need to use the BES Remove utility to ensure you’ve completely removed the BigFix client. Sometimes having remnants from a previous installation causes the use of clientsettings.cfg to fail.



I have already tried using BES removal utility. Still registry values are pointing to Root server instead of DMZ relay. Is there any way to troubleshoot CFG file issue(Client is not applying clientsettings.cfg parameters)?

Then install the client using the setup.exe and clientsettings.cfg and masthead all in the same folder and that folder must be the current working directory. Are you setting the _BESClient_RelaySelect_FailoverRelay setting to the DMZ relay? Does the DMZ relay require authentication? are you providing the authentication password?

As soon as the client is installed using Setup.exe and clientsettings.cfg you should check the windows registry to see what client settings are in effect and if they are the ones you expect. On x64 Windows, you should be looking here: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client

You could stop the bes client service, change the settings in the registry, then start it again and see if that works as a troubleshooting step. If you use the bes remove utility, make sure the registry settings are also deleted.

1 Like

I created a powershell script that should do something similar as the BES Remove Utility, and what I think is required to fully uninstall BigFix and then reinstall with updated client settings in order to specify a new failover relay:

Ideally I’d capture the client install folder location before the uninstall then delete that folder specifically, but the script will work with default locations as-is, though it does assume Program Files is in English, which could also be abstracted.

You should be careful using this script or the BES Remove Utility since they both delete things on the system.


This helped me with the machines where previously Client was not able to get installed with Failover relay setting. But this doesn’t resolve the client settings cfg file issue, still the configuration is not getting applied from cfg file(have to add manual entries in the registry). Finally I have edited my masthead through Admin tool & now the installation is working fine. Thanks for all your help!

1 Like

that is very odd, though my install script may try to make the file itself.

Are you certain they were all in the same folder and the folder was the current working directory?

It does look like you were using the EXE installer, which is the right one for cfg use.

1 Like

Yes, I did executed the setup from command prompt. If that’s what you mean by the current working directory. cfg,setup & masthead were in the same folder.

Hi Kiranmachale

We have the same issue with cfg files. In some cases Windows installer does not read the cfg file at all, no idea why, probably something permissions related. In such cases you can add them manually to registry.

I can see in your post that you edited incorrect key. You should edit __RelayServer1 not __Relay_Control_Server1 !

  1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client
  2. Create Keys __RelaySelect_Automatic and __RelayServer1
  3. Inside of those Keys create String values called “value”
  4. Put 0 in __RelaySelect_Automatic and your url to relay in __RelayServer1
  5. Restart BES Client service

You can check other entries in regedit to check if the structure is correct.

Hope it helps!

1 Like

That should be the correct method.

As long as you are doing something like:


and not:


Would love to know more about these problems.

I generally prefer to use the failover relay client setting because it works regardless if the client is set to automatic relay selection or manual relay selection.

1 Like