What recommendations do folks have for hardening the security of a BigFix Relay that services endpoints that are outside our corporate network? We’ve done the typical things like turning on Enhanced Security and limiting traffic to only specific TCP/UDP ports.
@AlexaVonTess is dead on if you’re putting a BESRelay in your company’s DMZ.
Another option would be to implement a reverse proxy rule at your Internet-facing firewall and transport TCP traffic on 52311 to an appropriate BESRelay inside the corporate network that has the Relay Diagnostic disabled or password protected.
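The firewall side of that second suggestion, as an added nftables example that is not from the original thread or from the BigFix product: it forwards only inbound TCP 52311 from the Internet-facing interface to the internal relay and drops every other forwarded connection. The interface names (eth0 external, eth1 internal) and the relay address 10.0.1.20 are placeholder values to replace with your own.

```nftables
# Added example: port-forward TCP 52311 to an internal BESRelay.
# eth0 = Internet-facing interface, eth1 = internal interface,
# 10.0.1.20 = internal relay (all placeholder values, not from the thread).
table ip bigfix_relay {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination of Internet traffic on 52311 to the internal relay.
        iifname "eth0" tcp dport 52311 dnat to 10.0.1.20:52311
    }
    chain forward {
        # Default drop: nothing else from the outside reaches the inside.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only new TCP 52311 sessions bound for the relay are allowed through.
        iifname "eth0" oifname "eth1" ip daddr 10.0.1.20 tcp dport 52311 ct state new accept
        # Log anything else arriving on the external interface before it is dropped.
        iifname "eth0" log prefix "bigfix-relay-drop: " drop
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Only needed if the relay has no route back to the Internet clients.
        oifname "eth1" ip daddr 10.0.1.20 masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table ip bigfix_relay`; the dropped-packet log line is what you would alert on for unexpected inbound ports.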