How to deal with Bigfix relay with two network cards

Hi, we have an existing working Bigfix relay 10.0.0.41 on Windows 2019 which has one network card. This network interface is only open to the company network, and top-level relays and agents within the company network can communicate on this interface on port TCP 52311.

We are planning to add another network card to it (it's a VM, so it will be a virtual NIC), assign a public IP and public DNS name to that network interface, and open the Internet gateway firewall pointing to that new IP so it allows Bigfix clients on the Internet to reach port TCP 52311 on this public NIC interface.

What steps or configuration changes (any binding, etc.) will I have to make on this relay to make it work in this fashion? Or does this need no config changes, and the Bigfix relay service will see the 2nd NIC card and auto-configure itself to gather agent reports on that interface, pass them on to the top-level relay, and pass the traffic from the top-level relay on to the Internet-connected clients? I could not find any details on this in my search of the docs or this forum, so any help is appreciated.

The Relay Service itself will bind to all IP addresses, no special binding is required. You’ll need to restart the Relay service after adding the new address.

However, if you are going to open it to Internet clients, I'd recommend a dedicated DMZ Relay. You should configure Relay Authentication on your Internet-exposed relays; doing so for a Relay that's also serving internal clients can complicate matters. Exposing a relay to Internet clients without requiring Relay Authentication is a serious security issue.

Since ICMP (ping) is likely to be blocked from the Internet, you'd want to configure your DMZ Relay(s) in the clients' _BESClient_RelaySelect_FailoverRelayList client setting so they can try this relay if no relays are pingable.

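A check for the "binds to all addresses, just restart the service" point above, written as an added example rather than anything posted in this thread. It assumes the relay service is named BESRelay and uses a constructed placeholder for the public NIC address; run it on the relay after the service restart to confirm the listener covers both NICs before the firewall rule is opened.

```powershell
# Added verification script, not from the forum thread.
# Assumptions: relay service name "BESRelay", relay port 52311, and $PublicIP
# is a constructed placeholder for the address assigned to the new NIC.
$Port       = 52311
$InternalIP = '10.0.0.41'      # internal NIC address from the thread
$PublicIP   = '203.0.113.10'   # placeholder: replace with the new public NIC address

# 1. The relay only picks up a new address after a service restart.
$svc = Get-Service -Name 'BESRelay' -ErrorAction Stop
"Service {0}: {1}" -f $svc.Name, $svc.Status

# 2. Confirm the relay listens on all addresses (0.0.0.0) or on each NIC explicitly.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) { throw "Nothing is listening on TCP $Port" }
$listeners | ForEach-Object {
    "Listening on {0}:{1} (PID {2})" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess
}

$bindsAll = $listeners.LocalAddress -contains '0.0.0.0'
foreach ($ip in @($InternalIP, $PublicIP)) {
    if (-not ($bindsAll -or ($listeners.LocalAddress -contains $ip))) {
        Write-Warning "Relay is not bound on ${ip}; restart BESRelay after adding the NIC"
    }
}

# 3. Probe each address the way a client would: a plain TCP connect to 52311.
#    ICMP is deliberately not relied on, since it is usually blocked from the Internet.
foreach ($ip in @($InternalIP, $PublicIP)) {
    $r = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
    "{0}:{1} TCP connect succeeded = {2}" -f $ip, $Port, $r.TcpTestSucceeded
}
```

The probe in step 3 only proves the socket accepts connections; whether the relay enforces Relay Authentication on the public side still has to be confirmed in the relay's own settings.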

Thanks Jason for your help and the details. So looks like I just have to recycle the relay service to make it work.

Yes, once it's configured with the Internet-facing NIC and IP, I will change it to an authenticating relay so it will only allow Internet-connected clients, and I will be configuring it with an alternate public DNS name and will add that to the failover relay list.
