Is there any way to restrict computers from accessing the DMZ relay?

Hello everyone,

I’m facing an issue in my environment with BigFix relay selection and would appreciate some guidance.

Here’s the setup:

  • We have an external relay in our Azure cloud, specifically configured to support remote users working in hybrid or home-office setups (around 150 people).
  • Internally, we have 11 relays on our network, with a well-organized relay hierarchy utilizing AdvertisementList and Seeklist configurations. These ensure each system—whether a desktop, laptop, or server—automatically connects to the correct relay based on location, with failover to other relays or the main server if their assigned relay is unavailable.
  • Only a small subset (about 80 computers) uses manual relay selection, while all other systems are configured for automatic relay selection.

The issue: Despite this setup, I’ve noticed that internal servers, desktops, and other systems are sometimes connecting to the external relay in Azure, even though they have closer, more appropriate relays available internally. The external relay should exclusively serve laptops for remote workers, not internal systems.

What I’ve tried:

  • I attempted to set a password on the DMZ relay, limiting it to only the laptops in the client settings. However, as jgstew pointed out, this approach doesn’t effectively restrict other systems from connecting to the DMZ relay.

Question:
Is there a reliable method to make the DMZ relay inaccessible to internal desktops, servers, and other systems, while still allowing it to serve remote laptops and maintaining automatic relay selection? I’d like to avoid any changes that might impact the relay hierarchy or cause interruptions in relay connectivity within the network.

Any suggestions or solutions would be greatly appreciated! Thank you in advance!

Those clients that chose the Azure relay: have they selected it through automatic relay selection or manually?

Yes, they have done it through automatic relay selection.

If you have Relay Affiliation set up, I would probably recommend you turn on debug logging on one of the clients that is connecting to the DMZ relay and then do a relay auto selection on it. When looking at the logs, I would imagine you will see an indication of why it went to that server; perhaps it thinks it’s a shorter hop count away, or perhaps it’s not updating its relays.dat file for some reason. It might be a bit of a stretch, but you don’t have your DMZ relay server set up in the _BESClient_RelaySelect_FailoverRelayList client setting, do you?

You might also grab the relays.dat from an endpoint reporting into the DMZ and see what the client thinks its relay affiliation is set to, and what the weights are set to if they have been changed. You can download the relays.dat parser from here: https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Relays.dat%20Parser

Yes you can. Are you using automatic relay selection?

If so, just apply the setting “_BESRelay_Selection_AutoSelectableRelay” = 0. After everything checks in, clients will no longer use it by default.

For DMZ clients, you would probably want to force those clients to not be automatic, or use a combination of affiliation groups for various clients.
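As an added illustration of the approach in the answer above (this is example BigFix ActionScript written for this thread, not code posted by anyone in it): one action, targeted only at the Azure/DMZ relay host, withdraws that relay from automatic selection; a second action, targeted only at the remote laptops, pins them to the DMZ relay by manual selection so they keep working after the relay stops being auto-selectable. The setting names are real BigFix client settings; the hostnames, the port and the failover choice are assumptions you would replace with your own.

```actionscript
// Added example, not from the original thread. Issue as two separate actions
// from the console; the settings take effect after the client's next registration.
// Assumed values: dmz-relay.example.com, bes-root.example.com, port 52311.

// ---- Action 1: target ONLY the Azure/DMZ relay computer ----
// Tell the relay not to advertise itself for automatic relay selection.
// Auto-selecting clients drop it from their candidate list once they
// re-register and refresh relays.dat; manually configured clients are unaffected.
setting "_BESRelay_Selection_AutoSelectableRelay"="0" on "{parameter "action issue date" of action}" for client

// ---- Action 2: target ONLY the ~150 remote laptops ----
// Switch these clients to manual relay selection, which ignores the
// AutoSelectableRelay flag, and point them at the DMZ relay with the root
// server as a failover (assumed choice; substitute a second relay if preferred).
setting "_BESClient_RelaySelect_Automatic"="0" on "{parameter "action issue date" of action}" for client
setting "__RelayServer1"="http://dmz-relay.example.com:52311/bfmirror/downloads/" on "{parameter "action issue date" of action}" for client
setting "__RelayServer2"="http://bes-root.example.com:52311/bfmirror/downloads/" on "{parameter "action issue date" of action}" for client
// Make the laptop re-evaluate its relay now instead of waiting for the next cycle.
relay select
```

A check after both actions report Completed: the relay host should show `0` for the relevance `value of setting "_BESRelay_Selection_AutoSelectableRelay" of client`, and an internal desktop that previously reported into Azure should, after its next automatic relay selection, show one of the internal relays in `relay name of client` (an analysis property, not a setting). Keep the DMZ relay out of `_BESClient_RelaySelect_FailoverRelayList` on internal systems, as the earlier reply notes, or failover can still route them there.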