I have a situation where management wants to isolate all of our enclave networks but still patch with the main BigFix server that’s on our main network. Just one of those enclave networks WILL be allowed to reach out and communicate bidirectionally with my main BigFix server on our main corporate network. And from within the chosen enclave network, it will be allowed to talk to all the remaining enclave networks. What do I need to do to accomplish this?
So, it will look something like this…
#0 MY CORP NETWORK (MAIN BF SERVER)
#1 Enclave network that will be allowed to communicate bidirectionally to CORP network main BF server (maybe a relay?)
#2 through #7 enclaves allowed to report to the #1 server in the first enclave network. These servers are NOT allowed to talk to BF main server directly, only to #1 network.
My question really is, what type of server needs to be in the first enclave that’s allowed to talk bidirectionally to the main BigFix server? Will a relay work, with all other enclave network servers configured to point to that relay server, or do I need something else? Like maybe a DSA server?
Did that make sense? Currently all these servers connect to my BF server, but management wants to tighten down the network enclaves a bit… so, I’m trying to figure out the best way to continue patching with BF.
If I am understanding correctly, you will have a relay in each sub network and they will be able to speak to the relay in the 1st enclave bi-directionally? The relay in the 1st enclave can speak bi-directionally to the root server?
Yes, you are understanding me correctly. Thank you for your answer!
How do I get the client servers in each sub network to connect only to the relays in each network, or to the top level relay if I won’t be able to see the main bigfix server until they are pointing to the relays? Is there a line in the actionsite file that can configure that?
You’ll need to configure client settings for relay selection. My preference is to configure _BESClient_RelaySelect_FailoverRelayList but you could also do __RelayServer1 and __RelayServer2
(The advantage to using FailoverRelayList is that you could use one value for all of them: a list of all of your Enclave relays. The client tries each of them until something responds.)
With the __RelayServer1 method, you’ll need to use different settings and manage separate install packages for each Enclave.
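To make the FailoverRelayList approach concrete, here is a small added example (not from the thread or from BigFix itself) that builds the setting value from a list of enclave relay hostnames, refuses to include the root server so an enclave client can never be pointed straight at it, and mimics the client's "try each relay in order" selection against a constructed reachability table. The hostnames, the port and the reachability results are assumptions; the value format (semicolon-separated `http://host:52311/bfmirror/downloads/` URLs) is the documented one for `_BESClient_RelaySelect_FailoverRelayList`, and the real client probes the relays over HTTP instead of consulting a dict.

```python
"""Build and sanity-check a BigFix failover relay list for enclave clients.

Added example, not code from the original thread or from BigFix.
Hostnames and the reachability table are constructed for illustration.
"""
from urllib.parse import urlparse

BES_PORT = 52311  # default BigFix relay/server port (assumed unchanged here)


def relay_url(host: str, port: int = BES_PORT) -> str:
    """One entry in the format _BESClient_RelaySelect_FailoverRelayList expects."""
    return f"http://{host}:{port}/bfmirror/downloads/"


def build_failover_list(relay_hosts, forbidden_hosts=()):
    """Return the semicolon-separated setting value for the given relays.

    forbidden_hosts lists machines an enclave client must never contact
    directly (in the thread: the root BigFix server on the corporate
    network). Raising on them catches a mis-scoped list before it is
    pushed out to clients.
    """
    forbidden = {h.lower() for h in forbidden_hosts}
    urls = []
    for host in relay_hosts:
        if host.lower() in forbidden:
            raise ValueError(f"{host} is not an allowed relay for this enclave")
        urls.append(relay_url(host))
    return ";".join(urls)


def parse_failover_list(value):
    """Split a setting value back into (host, port) pairs, rejecting malformed entries."""
    entries = []
    for raw in filter(None, value.split(";")):
        parsed = urlparse(raw)
        if parsed.scheme != "http" or not parsed.hostname or not parsed.port:
            raise ValueError(f"malformed relay entry: {raw!r}")
        if parsed.path != "/bfmirror/downloads/":
            raise ValueError(f"unexpected path in relay entry: {raw!r}")
        entries.append((parsed.hostname, parsed.port))
    return entries


def select_relay(value, reachable):
    """Mimic the client: walk the list in order, return the first relay that responds.

    `reachable` maps hostname -> bool and stands in for the HTTP probe the
    real client performs. Returns None when nothing on the list answers.
    """
    for host, _port in parse_failover_list(value):
        if reachable.get(host, False):
            return host
    return None


if __name__ == "__main__":
    # Constructed enclave topology: relay-enc1 is the top-level relay that
    # may reach the root server; relay-enc2..7 live in the other enclaves.
    enclave_relays = ["relay-enc1.example.test", "relay-enc2.example.test",
                      "relay-enc3.example.test"]
    root_server = "bigfix-root.corp.example.test"

    value = build_failover_list(enclave_relays, forbidden_hosts=[root_server])
    print("Setting value:", value)

    # Constructed reachability: the first relay is down, the second answers.
    probe = {"relay-enc1.example.test": False, "relay-enc2.example.test": True}
    print("Client would select:", select_relay(value, probe))

    try:
        build_failover_list(enclave_relays + [root_server], forbidden_hosts=[root_server])
    except ValueError as err:
        print("Rejected:", err)
```

The same value can be dropped into each enclave's clientsettings.cfg or pushed as a client setting, which is the point made above: one list serves every enclave, and the order of entries decides which relay a client prefers when several answer.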
Thanks for this information. This will be helpful.
Since most of the clients are already online and reporting to the bigfix server currently, I should be able to add a secondary relay, which would be the newly installed relays, and when it fails to connect to the first one (old) it will look for the secondary (new) relay. (I hope) The new clients are the bigger challenge. I will look at the documentation you referenced.
I am not using the Client Deployment Wizard, fyi.
In reality, all clients in all the enclave networks will probably be allowed to connect to the top level relay… The top level relay however is the only client that will be allowed to talk to the BigFix server. But I’ll probably put a relay in each enclave anyway.