I have a question regarding the configuration of relays in BigFix. Specifically, I would like to know if it is possible for computers to access a DMZ relay without adding the relay to the masthead.
Here’s a brief overview of my setup:
A main BigFix server.
Two internal relays (Relay1 and Relay2).
A DMZ relay (child relay) that communicates with Relay1, which is its parent.
The challenge is that I have some remote units within the same country that need to connect to this publicly available DMZ relay. However, if I add the DMZ relay to the masthead, any endpoint with our masthead file will have visibility to it, which is not desirable.
My question is:
Is it possible to keep the DMZ relay out of the masthead and still allow specific remote computers (e.g., those working from home in the southern region) to connect to it, without granting access to others (e.g., those in a different region)?
Blocking access via firewall is not an option since firewall rules only apply to traffic coming from outside the country.
I would appreciate any guidance or recommendations on how to achieve this within BigFix. Additionally, if the relay is not listed in the masthead, will remote computers be unable to detect or connect to it?
You do not have to include a DMZ Relay in the masthead for ‘external’ Clients, no.
At a high-level, Clients know about Relays in 3 potential ways:
Auto-selectable Relays are defined in the relays.dat file in the actionsite
Manually-defined Relays (i.e. specifying the Relay(s) that a Client should attempt to connect to and register with, including Primary, Secondary, TertiaryList, Failover)
Fallback Relay defined in the masthead
I’m not sure that I understand what you’re trying to achieve exactly, but it sounds like you’d have at least 2 potential approaches with both manual Relay selection/configuration (which can be dynamic based on policy actions), and with automatic Relay selection (possibly refined with Relay affiliation). Auto Relay selection (with or without affiliation) with a DMZ Relay may not be feasible if you’re not able to open ICMP to it.
You could also probably set up the value for _BESClient_RelaySelect_FailoverRelayList either in the clientsettings.cfg file for new installs or as a client setting for existing clients, and include your external relays so that if none of the auto-selectable relays are available, they would attempt the public-facing relays from that list.
_BESClient_RelaySelect_FailoverRelayList
This setting contains a list of failover relays to choose from when no relay listed as primary, secondary or specified in the tertiary list responded to pings. This setting, first introduced in BigFix 9.0, is a semi-colon delimited list of relays to try. For automatic relay selection, see Relay Affiliation. If specified, this setting overrides _BESClient_RelaySelect_FailoverRelay. (Example: relay1.company.com;192.168.123.32;relay2.company.com)
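The precedence the quoted setting describes (primary, secondary, tertiary list, then the failover list, which overrides the single failover relay) modelled in Python as an added example; this is not BigFix's own code. The tier labels used as dictionary keys and the name=value format of the clientsettings.cfg line are this example's assumptions, and the relay names are constructed.

```python
from typing import Callable, Dict, List, Optional

# Real setting name quoted in the answer above.
FAILOVER_LIST = "_BESClient_RelaySelect_FailoverRelayList"

# Tier labels are this example's own keys, not BigFix setting names.
TIER_ORDER = ("primary", "secondary", "tertiary")


def parse_relay_list(value: str) -> List[str]:
    """Split a semi-colon delimited relay list, ignoring blanks and whitespace."""
    return [item.strip() for item in value.split(";") if item.strip()]


def candidate_order(tiers: Dict[str, str]) -> List[str]:
    """Relays in the order the client would try them: primary, secondary and
    tertiary first; the failover list (or, if unset, the single failover relay)
    is only consulted after all of them."""
    candidates: List[str] = []
    for tier in TIER_ORDER:
        candidates += parse_relay_list(tiers.get(tier, ""))
    failover = tiers.get("failover_list") or tiers.get("failover", "")
    candidates += parse_relay_list(failover)
    # Keep the first occurrence of each relay, preserving order.
    seen = set()
    return [r for r in candidates if not (r in seen or seen.add(r))]


def select_relay(tiers: Dict[str, str], reachable: Callable[[str], bool]) -> Optional[str]:
    """First relay that answers the (injected) reachability check; None if none do."""
    for relay in candidate_order(tiers):
        if reachable(relay):
            return relay
    return None


def clientsettings_line(relays: List[str]) -> str:
    """clientsettings.cfg line for a regional install (name=value format assumed)."""
    return f"{FAILOVER_LIST}={';'.join(relays)}"


if __name__ == "__main__":
    # Constructed sample: only the southern-region build ships the DMZ relay.
    southern = {"primary": "relay1.internal.example",
                "tertiary": "relay2.internal.example",
                "failover_list": "dmz-relay.example.com;192.0.2.10"}
    print(clientsettings_line(parse_relay_list(southern["failover_list"])))
    print(select_relay(southern, lambda r: r == "dmz-relay.example.com"))
```

Because the DMZ relay only appears in the failover list of the regional build, endpoints whose internal relays answer never fall through to it.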