Fixlet - Ping Remote Server

Hi Guys,

I am working on deploying an application that, once installed, needs to register the computer with a remote server. If the endpoint is in a remote network, home or hotel, and cannot reach the server, it will be useless.

Therefore, I would like to create an if statement before starting to install the application. For example,

if {ping remote server successful on port 12345}
msiexec /i setup.exe /qn
endif

Can someone provide me with a good method for doing this fixlet?

@lions1855, because the relevance language is read-only, you cannot execute a command like “ping” within substitution relevance (like your example above) or inline content relevance.

There are a couple options with a use case like this. For example:

  1. An infinitely recurring policy fixlet that populates a property in a custom analysis on some interval with the ping. Your MSI installer would then leverage the fact that the ping property contains the desired value to proceed.
  2. Expand the scope of your MSI installer fixlet to include execution of the prerequisite ping commands to determine if on-network or VPN to proceed with software installation. Said fixlet would then repeat on some interval until software has been installed. If not on network, the fixlet simply exits without installing.
  3. Create a new fixlet that tests the ping condition. Add ping fixlet and MSI installer fixlet to new baseline. Make sure to uncheck the “Run all member actions of action group regardless of error” so that the ping failure stops the MSI execution.

Assuming that you proceed with option #2 or #3, make sure that the “Reapply this action” setting on the “Execution” tab for the new action is set correctly.

I hope the above is helpful.

One choice might be to look at things like “DNS Servers”, “DHCP Servers”, etc., to try to determine if the client is “Inside” your network or not. I find that DHCP and DNS servers tend to not have too many instances inside even large networks.

DNS Servers (Windows)
Q: (addresses of dns servers of network)

DHCP Server (Windows)
Q: if (exists adapter whose (address of it != "0.0.0.0" AND dhcp enabled of it) of network) then (dhcp servers of adapters whose (address of it != "0.0.0.0") of network as string) else "n/a (Static IP)"

Tim,
This is really good stuff. Now, I am concerned about the machine being outside of the organization network, like connecting from a home wireless or hotel. I would like to include in the fixlet a statement like an if (exists ...), or in other words, a check that the end-user’s computer can reach the public IP of our organization’s server. Then, if it is true, continue with running the fixlet script.

if {ping remote server successful on port 12345}

I wanted to chime in here on a sidebar as a former network guy.
“Ping,” you should expect me to say, “doesn’t use ports.”
And then you should expect another former network dude to bring up UDP ping, followed by a flamewar.
So, while all that is true (besides the flamewar), nobody else cares. We want a ping that uses ports, and usually that means TCP.

Most UNIX/Linux versions have a “tcping” package in their repo, if not in their install. For Windows, a fellow named “Eli Fulkerson” wrote a TCPing that works great. But if you can’t use third-party software on Windows, the next-best thing is PowerShell’s “Test-NetConnection”, which has an alias of “tnc”.

TCPing gives you output very, very similar to just Ping. Test-NetConnection/tnc is much less useful, especially across spotty connections (which, these days, very few people have), but on the upside tries both a TCP SYN handshake and an ICMP Ping. Especially on a LAN, this can help you determine when the host is up but the service on it is not (TCP fails, so service is down, but ICMP succeeds).

I’m no BigFix pro, but I can imagine a couple of ways you could retrieve the results of these tools to, functionally, have BigFix ping a server on a port for you.


Oryx, this is exactly what I was looking for. Thanks. I know enough about networks and commands, but I am still learning how the fixlet works inside BigFix, and the syntax.

All great points! I was going to chime in with similar, and I was actually building content to use Test-NetConnection to solve a customer problem…only to find that we have bigger problems too.

Testing the TCP SYN alone is not enough in some cases. Layer-4 firewalls that do protocol inspection will allow the TCP SYN to connect (so Test-NetConnection is successful), but then send resets and block connections when they don’t like the protocol (so BigFix fails).

Test-NetConnection may work fine in some/most deployments, but in other cases we may need to actually download a file from the relay to be sure everything is allowed at layer-4. More info on that to come.


Back to the original use case, what happens if you try to install and can’t reach the server? Does msiexec roll back with an error code? Might be easiest to just try the install, let it fail, and track {exit code of action} for status and retry/reapply options on the action to retry later.


Additional options for testing ports would include Wget or curl if it is a web-based port. Microsoft’s PortQry tool is also very useful on Windows systems.

Example syntax:
PortQry.exe -n TARGET -p udp -e 135 -sl -l c:\temp\logfile.log
PortQry.exe -n TARGET -p tcp -e 445 -sl -l c:\temp\logfile.log
continue if {exists file "c:\temp\logfile.log" whose (content of it contains "LISTENING")}
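One way to implement option 2 from earlier in the thread in PowerShell, as an added example that is not from the thread, from BigFix or from any of the tools named above; the hostname, port, timeout and health URL are placeholder assumptions, and the HTTP step only applies if the registration service speaks HTTP (it covers the layer-4 firewall case raised above, where the SYN succeeds but the session is reset once the protocol is seen):

```powershell
# Added example, not from the thread or from BigFix: a pre-install reachability gate.
# Server, port, timeout and health URL below are placeholder assumptions.
param(
    [string]$Server    = 'reg.example.com',   # placeholder hostname
    [int]   $Port      = 12345,               # port from the original question
    [int]   $TimeoutMs = 3000,
    [string]$HealthUrl = ''                   # optional; set only if the service speaks HTTP
)

function Test-TcpPort {
    # TCP connect with an explicit timeout. Test-NetConnection has no timeout
    # parameter, so on a spotty hotel or VPN link it can stall the action.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws on refused/reset; caught below
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }   # also aborts a still-pending connect on timeout
}

function Test-HttpAnswers {
    # A layer-4 firewall may accept the SYN and reset once it sees the protocol,
    # so additionally require a real HTTP response. Any HTTP status, even a 4xx,
    # proves the service itself answered; no response at all does not.
    param([string]$Url, [int]$TimeoutMs)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = $TimeoutMs
        $resp = $req.GetResponse(); $resp.Close()
        return $true
    }
    catch [System.Net.WebException] { return ($null -ne $_.Exception.Response) }
    catch { return $false }
}

if (-not (Test-TcpPort -ComputerName $Server -Port $Port -TimeoutMs $TimeoutMs)) {
    Write-Output "TCP ${Server}:${Port} unreachable"; exit 1
}
if ($HealthUrl -and -not (Test-HttpAnswers -Url $HealthUrl -TimeoutMs $TimeoutMs)) {
    Write-Output "port open but service did not answer HTTP"; exit 2
}
Write-Output "server reachable"; exit 0
```

In the fixlet, run the script with waithidden powershell.exe -NoProfile -ExecutionPolicy Bypass -File (path to the script) and put continue if {exit code of action = 0} before the msiexec line, so an off-network computer fails the action and the action's retry settings try again later instead of installing a copy that cannot register.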