Locking down MPLS network to only local relay on port 52311 and adding from depot new machine with agent deployed communications

I am reaching out to see how others have handled this type of problem. Customer has MPLS network with local relays. The network requires locking down port 52311 to only the relays due to congestion issues. However that now presents a new problem as the customer has already begun adding new endpoints as described below. I know a clientsettings.cfg file can be added to endpoints at time of install but if that has not happened it would be difficult to manage as this is a global company. So I am reaching out to see if some have come up with clever ways around the new agent registration process.

This presents a huge problem.

  1. We install the BESClient on devices which have it missing via GPO. This would not work as we would need separate GPOs per relay location.
  2. We include a BESClient in our master image. We are in the middle of a massive PC deployment which includes said image with the BESClient pre-installed.

How would we begin fixing these devices which can’t connect? The challenge is we wouldn’t even know which ones they are at this point.

Do these problem systems have internet access? One option would be to set up an internet facing Relay that they could use for first time registration. Once registered, they would get the Relay.dat file and switch to their local relay accordingly. You could use this internet facing Relay as a failover as well. Then, you would only need a single clientsettings file pointing to the internet facing relay.

For ones that have already been deployed, you could add that same Relay address to their Registry via GPO.

That’s just one idea - might be a non-starter if the conditions aren’t right though.

Another option would be to use DNS alias, but again, conditions need to be right and it depends how complex your network is. This would allow you to use a single Relay ‘address’ for all locations that would locally route to the site relay.

Thanks, those are all good ideas and I at one time understood the internet facing route was available but now they are saying it is included with the MPLS network restriction.

Depending on how many sites you have, you could use the relay fail-over setting. This client setting allows you to set a string of relay addresses, and the client will try them all in order until one works.

So a single setting in your clientsettings file that basically lists your site relays.

Once connected you can revert back to auto select, or a sub-version of auto select called relay affiliation, or have policy actions enforcing manual relay settings.

Again, you could use GPO to shove this in the registry for those that have already deployed and are in ‘no-man’s-land’.

Thanks and yes that seems to me the right approach to solve this issue. Good idea.

The setting you need is this one:

_BESClient_RelaySelect_FailoverRelayList

This setting contains a list of failover relays to choose from when no relay listed as primary, secondary or specified in the tertiary list responded to pings. This setting is a semi-colon delimited list of relays to try. For automatic relay selection you should look at the document on relay affiliation. If specified, this setting overrides _BESClient_RelaySelect_FailoverRelay. (Example: relay1.company.com;192.168.123.32;relay2.company.com)

This is also a useful resource when looking at Relay setup:

https://www-01.ibm.com/support/docview.wss?uid=swg27046968&aid=1
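As an added example (not from this thread and not BigFix's own tooling), the script below builds the clientsettings.cfg entry for the failover list described above from a list of site relays, rejecting malformed or duplicate entries before the file is baked into an image or pushed by GPO. It assumes the one-setting-per-line `Name=Value` layout of clientsettings.cfg, and the relay names it uses are placeholders.

```python
"""Build a clientsettings.cfg carrying _BESClient_RelaySelect_FailoverRelayList.

Constructed example. Relay hostnames/addresses below are placeholders, not a real
customer's relays; the Name=Value file layout is an assumption about clientsettings.cfg.
"""
import ipaddress
import re

FAILOVER_SETTING = "_BESClient_RelaySelect_FailoverRelayList"

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_relay(entry: str) -> bool:
    """Accept an IP address or a hostname/FQDN, as in the thread's example list."""
    if not entry or ";" in entry or len(entry) > 253:
        return False
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in entry.split("."))


def build_failover_list(relays) -> str:
    """Return the semicolon-delimited value, trimmed, deduplicated, order preserved.

    The client tries entries in order, so the caller's ordering is kept verbatim.
    A malformed entry raises instead of being dropped silently: a typo here would
    leave freshly imaged machines unable to find any relay through the locked-down network.
    """
    seen, cleaned = set(), []
    for raw in relays:
        relay = raw.strip()
        if not relay:
            continue
        if not is_valid_relay(relay):
            raise ValueError(f"invalid relay entry: {relay!r}")
        if relay.lower() not in seen:
            seen.add(relay.lower())
            cleaned.append(relay)
    if not cleaned:
        raise ValueError("failover list is empty")
    return ";".join(cleaned)


def render_clientsettings(relays, extra=None) -> str:
    """Render clientsettings.cfg text: the failover list plus any extra Name=Value settings."""
    settings = {FAILOVER_SETTING: build_failover_list(relays)}
    settings.update(extra or {})
    return "".join(f"{name}={value}\n" for name, value in settings.items())
```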