Limit Connections to Relay Based on Distance

I thought I recalled there being a Relay Setting that would prevent endpoints from connecting to a relay if the endpoint's distance was over a specific value. For example, if the setting was 5, endpoints with a distance of 0 to 4 could connect to the relay; anything over that would be rejected and need to look elsewhere.


Yes. I think you’re referring to _Enterprise Server_ClientRegister_MaxHopEstimateLimit

This is typically controlled on the client with setting _BESClient_RelaySelect_MaximumTTLToPing to prevent the clients from looking for relays more than a certain number of hops away. If you only have a few specific relays that you want to limit hop count to (but other relays where a larger hop count is fine), then the option Aram provided is the correct one.

There are many cases where it makes the most sense to limit which clients can select which relays partially through the combination of network firewall rules / relay affiliation groups.

As far as I know, this is supposed to be the exhaustive and authoritative public document on BigFix Client Settings: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings

There are many settings that exist in other places in IBM documentation that are not included in that document for some reason, and then there are other settings that are not published in any documentation and are referenced here and there on the forums, and then there are still others that aren’t really listed anywhere.

As an example, @Aram's suggestion of _Enterprise Server_ClientRegister_MaxHopEstimateLimit is not listed anywhere I can find except for mentions on random old forum posts and is completely new to me. This seems to be a way to try to limit things from the perspective of a particular relay, and this setting would have no value or effect on non-relays / non-root servers. It seems like this setting would cause a relay to reject a client rather than a client to reject a relay, which could have slightly different implications. This setting seems like the right choice for relays that are at a branch office where you want that relay to only be a relay for clients within that branch, but again, a network firewall rule is probably a better option and/or relay affiliation groups.

@steve's suggestion of _BESClient_RelaySelect_MaximumTTLToPing is the setting I was aware of that relates to this, which is a setting that has an effect on the client and how it selects any and all relays, not just a specific relay. It wouldn’t be a good idea to set this too low as it would potentially prevent the client from selecting any relay if it is in an unusually remote location. I’m not sure if that would also prevent the client from selecting the root as a fallback, or if that option is always open to it regardless of this setting.

Thanks everyone. I used the _Enterprise Server_ClientRegister_MaxHopEstimateLimit at a previous company with good results (if that truly is the one I was thinking of; I’ll try it today). And you're right in its purpose: We have a relay at a smaller site with lower bandwidth and we had bandwidth issues during a larger patch deployment where external endpoints were connecting to it. We want to reject those with larger distance counts and kind of reserve that relay just for the local site. I’m not at the point where I want to implement bandwidth throttling or relay affiliation. I'd just as soon keep things as simple as I can if I can.