DMZ Relay Triage

I’m trying to stand up a new DMZ relay, I can’t use telnet to verify my ports are open correctly, is there any good application to verify that the traffic is passing?

When I check logs, things seem to keep reverting to the old DMZ relay. We want to set up a round-robin type of setup on DMZ relays since our one is being crushed with traffic. I’ve got a new external DNS name and that works fine.

The connectivity test I use most often is to download a copy of the masthead file from the Relay using a browser. This helps check cases where the TCP connect succeeds, but the HTTPS protocol may be blocked by a layer-4 firewall.

https://your-relay-server.example.com:52311/masthead/masthead.afxm

If you’re using Automatic Relay Select, the Relay must also be ping-able. For the most part DMZ relays should not be pingable, and should instead be listed in the client settings as a Failover Relay.

_BESClient_RelaySelect_FailoverRelayList=internal-relay-1.example.com;dmz-relay-1.example.com

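A scripted version of the two checks described above (a TCP connect on 52311, then an HTTPS download of the masthead), added here as an example and not code from the thread or from BigFix; the relay host name is a placeholder you supply, and the self-test only exercises the TCP probe against a local throwaway listener:

```python
import socket
import ssl
import urllib.error
import urllib.request

RELAY_PORT = 52311  # relay port used throughout the thread

def masthead_url(host, port=RELAY_PORT):
    return f"https://{host}:{port}/masthead/masthead.afxm"  # path from the thread

def tcp_reachable(host, port, timeout=3.0):
    """The 'telnet host 52311' check: does the TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def https_masthead_ok(host, port=RELAY_PORT, timeout=5.0):
    """Fetch the masthead; cert trust is deliberately unchecked, we only ask whether HTTPS passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(masthead_url(host, port), timeout=timeout, context=ctx) as r:
            return r.status == 200 and len(r.read()) > 0
    except (urllib.error.URLError, OSError):
        return False

def diagnose(tcp_ok, https_ok):
    """Map the two probe results onto the readings given in the thread."""
    if tcp_ok and https_ok:
        return "reachable: TCP and HTTPS both pass"
    if tcp_ok:
        return "TCP passes but HTTPS is blocked: check the layer-4/7 firewall rule"
    return "no TCP connection on 52311/tcp: port closed, filtered, or wrong relay"

def check_relay(host, port=RELAY_PORT):
    tcp_ok = tcp_reachable(host, port)
    return diagnose(tcp_ok, tcp_ok and https_masthead_ok(host, port))

def selftest_tcp_probe():
    """Offline check against a throwaway local listener: (while open, after close)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port)
    srv.close()
    return while_open, tcp_reachable("127.0.0.1", port)
```

Run `check_relay("dmz-relay-1.example.com")` from a machine on the client side of the firewall; a result of "TCP passes but HTTPS is blocked" is the case the browser masthead test is meant to catch.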

Yeah, we have a layer 7 firewall and he only opened UDP port 52311. I’ve opened a case with BigFix as I can’t make the client point to the new relay; it keeps defaulting to the old one. Support took a bunch of logs. Hopefully they can find something.

Relay Diagnostics page is on 52311 of the relay. Can you use that to test?
https://MyRelay.com:52311/rd

You can also do telnet MyRelay 52311
If you get a “not found” error, it is an indicator of failure.

If you get a blank screen, hit Esc 3x; that is an indicator of success.

The client must reach the Relay on 52311/tcp, not UDP.

It’s TCP from the client to the Relay for registration and site gathers, and UDP from the Relay to the Client to notify the clients about new actions or site updates.
It’s also TCP from a child relay to a parent relay, and TCP from a parent relay to a child relay, (or if using the DMZ Relay Config) TCP from the parent relay to the DMZ child relay as well.

I’m with you now, I can telnet to my old relay but not the new one on 52311… I’ll escalate to the firewall guy.


Summarizing the traffic again (I’m on a computer now, better typing than the phone 🙂)

Client -> Relay: ICMP, 52311/tcp

Relay -> Client: 52311/udp

Relay -> Parent Relay: 52311/tcp, unless using “DMZ Relay Configuration” described at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_persistenconn2.html#c_persistentconn2

Parent Relay -> Child Relay: 52311/tcp

What has worked really well for me is stopping BigFix services and then using a program called iPerf on both the relay and the parent relay/master server. You then run iPerf as a server on the parent and as a client on the DMZ relay. You can specify TCP and/or UDP and then it will do file transfers to confirm connectivity. Invaluable for the first time we set up the environment and to prove any issues to our networking teams.

https://iperf.fr/

Example command lines:
Endpoint as server: iperf3.exe -p 52311 -s
Endpoint as client: iperf3 -c dmzrelay.domain.com -p 52311
Endpoint as client UDP only: iperf3 -c dmzrelay.domain.com -p 52311 -u