How can I add automatic Relay selection setting using .msi installer with GPO

Working on a large deployment with 200 locations on an MPLS network. Need to install all agents using GPO, and the agents need to install with automatic relay selection as the network is isolated from the BigFix server. I was reading that the clientsettings.cfg file will not work with the .msi installer. Is that true, and does anyone have a recommendation?

The design is to allow 3 local computers to access the network to the top-level relays for the registration process, and then they can be upgraded to relays. The other computers in the site, with automatic relay selection, can then connect to those local relays. Only those 3 can pass the firewall, so the others need to be installed with automatic relay selection.

There are a few options.

One is called “Fake Root”… basically have the FQDN in the masthead resolve to a relay that the client can reach instead of the Root Server. This is easiest if you can reliably affect the DNS resolution for the clients at each location to be different. This same concept could be applied to a hardcoded relay. You could have a relay set in the MSI or similar to mylocalrelay.org.com and then have that resolve differently depending on location. This puts the complexity in the DNS layer instead of in the Relay Settings, which isn’t always an advantage.

I am also told it is possible to get a clientsettings.cfg to work with the MSI installer, but it is also possible to either edit the MSI directly and hard code the settings and just deploy that, or generate an MST and deploy both the MSI and the MST together and have one MST for each location that will have different settings “hard coded”. This can be done with Orca or maybe also SuperOrca.

1 Like

jgstew,

When you say it is possible to get the clientsettings.cfg to work with the MSI installer, what do you mean by that? I am looking into the MSI installer and MST as well.

If you set the clientsettings.cfg for automatic relay selection, are you expecting to see the following setting in the registry as well: __RelaySelect_Automatic=1? Additionally, what do the relay control server1 and 2 settings mean in the registry?

I have done a test using a clientsettings.cfg with the 9.5.8 client MSI and can happily report that all my client settings from the cfg were present when the install ran, and I included some custom settings that are not integral to the BigFix client. The cfg I used was as follows and was located in the same folder as the MSI.

ClientInstalledBy=Script
ConfigBuildCode=MyTest
__Relay_Control_Server1=http://fqdn.of.server:52311
__RelaySelect_Automatic=0
__LockState=true
__RelayServer=http://fqdn.of.server:52311/bfmirror/downloads/

I ran the MSI using msiexec passing the full path to the MSI

msiexec /i "C:\TEMP\BigFixClient\BigFixAgent.msi" /q

After the installation has completed, this was the contents of my registry, each value echoing what was in the cfg

This for me is certainly an easier option than editing the MSI. Of course I was using a static relay with a pseudo fqdn purely as testing but you could just as easily use automatic relay or any other settings that might be applicable for your deployment.

3 Likes

So the C:\TEMP\BigFixClient folder, what exactly did you have included in the folder? Was it only the BigFixAgent.msi, clientsettings.cfg and possibly the masthead.afxm file?

Just the MSI and the clientsettings.cfg. I used the MSI generated during the server install so the masthead is already embedded into the MSI.

2 Likes

Thanks for the prompt response. I will respond back later today regarding testing. Thanks again.

1 Like

I don’t have much experience with GPO based deployment of software myself, but I thought it was easiest when deploying just a single MSI with no extra files?

1 Like

We use a script in the GPO to minimize the amount of data that has to replicate over AD. The script checks whether BigFix is installed, so only if the machine needs BigFix installing will the script download a zipped MSI and a zipped clientsettings (we use args passed to the script to control the URL for the files, the client installer filename and the clientsettings filename, so we can reuse the same script in various GPOs just using different CLI args) and perform the install using the appropriate clientsettings file.

2 Likes
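A sketch of the kind of GPO computer-startup script described in the post above, as an added example (not the poster's script): it skips machines that already have the agent, stages the MSI next to a site-specific clientsettings.cfg, and pins the MSI to a known SHA-256 before running it as SYSTEM. The parameter names, the staging folder and the `BESClient` service-name check are assumptions made for this example.

```powershell
# Added example, not from the thread. Parameter names, the staging folder and the
# 'BESClient' service-name check are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $MsiSource,       # path or share holding BigFixAgent.msi
    [Parameter(Mandatory)] [string] $SettingsSource,  # site-specific clientsettings.cfg
    [Parameter(Mandatory)] [string] $MsiSha256,       # pinned hash of the approved MSI
    # Stage somewhere standard users cannot write, so the files cannot be
    # swapped between the hash check and the install.
    [string] $StageDir = (Join-Path $env:ProgramFiles 'BigFixStage')
)
$ErrorActionPreference = 'Stop'

# Nothing to do if the agent service already exists.
if (Get-Service -Name 'BESClient' -ErrorAction SilentlyContinue) { exit 0 }

# The thread's test had clientsettings.cfg in the same folder as the MSI,
# so both files are staged side by side.
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$msi = Join-Path $StageDir 'BigFixAgent.msi'
$cfg = Join-Path $StageDir 'clientsettings.cfg'
$log = Join-Path $env:SystemRoot 'Temp\BigFixAgent-install.log'
Copy-Item -Path $MsiSource -Destination $msi -Force
Copy-Item -Path $SettingsSource -Destination $cfg -Force

try {
    # Refuse to run the installer unless it matches the pinned hash
    # (-ne on strings is case-insensitive, so hex case does not matter).
    $hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
    if ($hash -ne $MsiSha256) { throw "MSI hash mismatch: got $hash" }

    # Same command line as in the thread, plus a verbose log for troubleshooting.
    $msiArgs = "/i `"$msi`" /q /l*v `"$log`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode); see $log"
    }
}
finally {
    # Remove the staged copies whether or not the install succeeded.
    Remove-Item -Path $StageDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

The clientsettings.cfg is not hash-pinned here because it differs per site, so the share it is copied from should be writable only by administrators: whoever can edit that file chooses which relay new clients register through.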

Would you be able to share the script that you are using?

If you are installing a new agent with automatic relay selection enabled and the network blocks the BigFix server, how does ICMP broadcast to relays that are allowed to communicate, as there is no relay.dat file to start with?

Don’t think the clients would work in those cases. Clients have to pull the list of relays, and as on a new install they only know about the main server, the initial sync would be from the main server. If you had a fake root as described by @jgstew, where the relay was able to talk to the main server and clients resolved the relay as the main server via a DNS CNAME, you could overcome that issue.

I believe you are correct, as even adding a relay in the same subnet and then installing the agent the first time with automatic relay selection, it was never able to see the relay. Thanks for all your support.

1 Like

The way around this is to have failover relay(s) configured in the clientsettings.cfg file (or hard coded in MSI) so that the client will use them instead of the root server. Ideally they would be DMZ relay(s) so that any client could potentially get to them.

Then after the initial setup through the failover relay or root, the client will do automatic relay selection.

You DO NOT need “fake root” if you can configure the initial client settings. “Fake root” becomes more needed if you are only installing the MSI or EXE with only the masthead file and no initial settings so that the client only knows about the root server and nothing else.

That is basically what this does: tools/CMD/install_bigfix.bat at master · jgstew/tools · GitHub

It takes a parameter that is a relay, and sets that as the failover relay for the client at install time. It downloads the client from IBM directly and downloads the masthead from the provided relay.

This version actually works on BOTH Linux & Windows: tools/CMD/install_bigfix_universal.bat at master · jgstew/tools · GitHub

Which is just the one at the top combined with this one in a tricky way: tools/bash/install_bigfix.sh at master · jgstew/tools · GitHub

I use install_bigfix.sh all the time. It is the only way that exists to use a clientsettings.cfg with the Linux installer. (It uses AWK to turn it into a bigfix.config file.)

You can also use a WMI filter to only install BigFix with GPO if BigFix is not already installed.

1 Like