F5's and DMZ Relays

Currently we have 6 DMZ relays used when clients are not VPN’d in so they can still receive patches. We currently have around 3000 laptops that use this method when not using VPN. Our next step is to bring part of our AWS cloud servers in from the internet. There will be initially like 3500 servers. So we have to point them to the DMZ and it seems a daunting task unless we can use a load balancer. Our thoughts are to add more relays as needed but to use F5’s so we do not have to continuously mess with config files. Is anybody out there having any success with F5’s? If so, can you help a little with the configuration that has been successful for you? Has anybody else found alternative ways that work well and are not overly cumbersome? We already own the F5’s and they are already in our DMZ so no costs there. Ultimately we will have like 10000 endpoints coming over the internet with no VPN and no LAN connection to get managed by BigFix. My initial testing with AWS\Internet client has been good but we have to set the relays manually in the config files during install so this would be difficult at best with thousands trying to manually load balance.

Hey – I’m hoping someone else can help you with the F5 stuff – but I wanted to ask a related question.

Have you thought about standing up relays in your various deployed AWS regions and using automatic relay selection with relay affiliation?

You can set up relay lists like AWS_NA, AWS_SA, AWS_EMEA, AWS_ASIA and the clients will load balance themselves between relays in the groups and will automatically fail over if the relay goes down.

Essentially you would bootstrap the client with your current DMZ relay; once the client gets initialized, it performs relay selection and picks the AWS server in its region.

Just curious

Bill

Yes, we have tested every which way, but the powers that be want each and every endpoint to go directly over the internet with no VPN or any such tunnels. I was also hoping to maybe connect the clients then switch them to affiliation groups pointing them to the DMZ, but I’m thinking that would not work.
