All settings described at https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/r_client_set.html
I think this breaks down into several categories
Keeping non-local traffic off the Relay
If you want the Relay to be autoselectable but only by the local clients, configure _BESRelay_Register_Affiliation_AdvertisementList with an advertisement that only the local clients seek via their _BESClient_Register_Affiliation_SeekList value. Do not include "*" in the Advertisement List, to prevent it from being an option for all automatic clients.
It takes more configuration, but you might also choose to make the relay only available via Manual Relay Select, in which case set _BESRelay_Selection_AutoSelectableRelay to 0, so clients will only choose that relay through manual selection.
Using Relay Authentication doesn't help in this case, because the registration key is only used during initial registration; once a client, anywhere, has registered to the deployment and generated its client certificate, the client can use that certificate to freely roam afterward to an Authenticating Relay; it can authenticate with its client certificate then, and doesn't need the shared secret.
There's no Airgap capability that separates a Relay from the Root Server, or a Client from the Relay.
Keeping local traffic on the Relay
If using Automatic Relay Selection, set the local clients with a _BESClient_Register_Affiliation_SeekList that only includes the local Relay. Do not include "*" so those clients will not roam to any other Relays outside of the defined seeklist.
If using Manual Relay Select, set the clients to use only the local relay.
On the clients, set _BESClient_RelaySelect_FailoverRelayList to include the local relay(s), so they will prefer to use the local Relay rather than failing over to the Root Server if the local relay doesn't respond to Ping or TCP connect. This can be set at installation time using a clientsettings.cfg so the client doesn't try to reach the root server during initial registration.
If the local relay is down and cannot be reached, the client would eventually fall back to the masthead server name (or "last fallback relay" defined in the masthead via BESAdmin). To completely prevent that, either block the access to the Root server via firewall, or add HOSTS file entries on the clients to direct the masthead name back to the IP address of one of the local relays.
Minimizing the traffic on the local network
Once you have the right clients connected to the right relays, there's more you can do to reduce the amount of traffic used by those clients.
Throttle the traffic used by the client or relay for posting upstream:
_BESRelay_PostFile_ThrottleKBPS
_BESClient_UploadManager_ThrottleKBPS
_BESRelay_UploadManager_ThrottleKBPS
Throttle the bandwidth the relay allows the clients to use for downloads:
_BESGather_Download_LimitBytesPerSecond
_BESRelay_HTTPServer_ThrottleKBPS
_BESClient_Download_LimitBytesPerSecond
I'd generally avoid all the "Dynamic" throttles.
At the cost of the clients being less responsive to new content or actions, you could disable the Relay from notifying them about new content. The clients would only download new actions/fixlets when they poll for updates, either during the Relay Select interval or a Command Polling interval:
_Enterprise Server_ClientRegister_DisableChildUDPMessages
_BESClient_Comm_ListenEnable
(If you set those, you'd probably want to enable Command Polling as well)
_BESClient_Comm_CommandPollEnable
_BESClient_Comm_CommandPollIntervalSeconds
You could also reduce the frequency at which these clients post new reports. For instance, instead of updating "Last Report Time" every minute, maybe increase it to ten minutes, or even an hour if you don't need to see action results quickly:
_BESClient_Report_MinimumInterval
You could also configure the clients to "go to sleep" for periods so they don't Gather, Report, or run Actions for some time… see these settings and the various associated timer settings:
_BESClient_Resource_PowerSaveDeepSleepEnable
_BESClient_Resource_PowerSaveEnable
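
As an added example (not part of the original post and not HCL code), this Python check reads the text of a clientsettings.cfg and flags the conditions described above: a "*" in the seek list, an empty failover relay list, and UDP listening turned off without command polling. It assumes one Name=Value pair per line, semicolon-delimited list values, and 0/1 meaning off/on; the sample contents and the BranchA group name are constructed.

```python
# Added example: lint clientsettings.cfg text against the relay guidance above.
# Assumptions: one Name=Value per line, ';'-delimited lists, 0/1 = off/on.

# Constructed sample; "BranchA" is a made-up affiliation group name.
SAMPLE_CFG = """\
_BESClient_Register_Affiliation_SeekList=BranchA;*
_BESClient_RelaySelect_FailoverRelayList=
_BESClient_Comm_ListenEnable=0
_BESClient_Comm_CommandPollIntervalSeconds=abc
"""


def parse_settings(text):
    """Return {name: value} for every Name=Value line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def split_list(value):
    """Split a ';'-delimited setting value, dropping empty items."""
    return [item.strip() for item in value.split(";") if item.strip()]


def lint(settings):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if "*" in split_list(settings.get("_BESClient_Register_Affiliation_SeekList", "")):
        findings.append("SeekList contains '*': client can roam to relays outside the list")
    if not split_list(settings.get("_BESClient_RelaySelect_FailoverRelayList", "")):
        findings.append("FailoverRelayList is empty: no local relay preferred on failover")
    listen_off = settings.get("_BESClient_Comm_ListenEnable") == "0"
    poll_on = settings.get("_BESClient_Comm_CommandPollEnable") == "1"
    if listen_off and not poll_on:
        findings.append("ListenEnable=0 without CommandPollEnable=1")
    interval = settings.get("_BESClient_Comm_CommandPollIntervalSeconds")
    if interval is not None and not (interval.isdigit() and int(interval) > 0):
        findings.append("CommandPollIntervalSeconds is not a positive integer")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_settings(SAMPLE_CFG)):
        print("WARN:", finding)
```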