move bigfix server behind balanced address

We have a BigFix environment already working with only one server acting as root server and relay. We need to move the server behind a balanced address for security reasons, and we assume that it is not possible to change the name in the masthead. We need to know the best practices to do that; until now I tried to change the registry key on the client server and also to add some redirect lines in the hosts file of the client… but no results.
Thanks.

I think you’d need to explain a bit more about what you’re trying to do. Are you still going to have only a single root server behind a load-balanced address? How would that work?

OK, I'll try to go deeper. We will still have one BigFix server, but it will be behind a balancer, just to avoid target servers pointing directly at the BigFix server… this is mandatory in our company because we (they) don't want servers from different environments (develop, test, prod) to go directly to a Prod server (the BigFix server).
So we put in the middle a balancer in the "service network" which simply redirects to the BigFix server. Now we are trying to ensure the communication between the target servers running the BES Client and the address exposed by the balancer.
Example:
target server now pointing to http://bigfixserver:52311 must point to https://loadbalanceraddress:52311
If you ping loadbalanceraddress now you will get a different IP address than bigfixserver, but behind it the balancer will redirect to the same IP as bigfixserver.

I don’t think there is a supported configuration for that scenario, and hence no published guide. In short it will be up to you to understand the traffic requirements and be sure your load balancer / proxy can accommodate it, and if it causes problems with the network connectivity we may not be able to help you.

Be sure to read through the network traffic guide at BigFix Network Traffic Guide - Customer Support. There are communications initiated in both directions - the root server will create downward notifications on 52311/tcp to Relays and 52311/udp to any directly-connected Clients to notify them of new content.

You should also read up on the “DMZ Relay” configuration, as that might be useful in shaping some of the traffic connections.

Also ensure that your load balancer is not attempting to replace the BigFix certificates / decrypt the TLS traffic. That’s a configuration I know doesn’t work, because the certificate trust is tied to the licensing and masthead file.

Is your concern related to clients reaching out directly to the BES Root server, or related to other services (APIs, Web Reports?)?
If this is about clients, why don't you force your agents to only use the relay?
You could edit your masthead and add the last fallback relay setting to it, and then have your BES root server behind that balancer in a hidden mode so that only the relay can talk to it.
All your clients could come through the relay and you can update the name of the relay as your installation/license is not tied to it.

This post could give you some ideas.


Thanks to all for your answers… some updates.
Now we tried a configuration with the last fallback set to the balanced address, which redirects to the BigFix server. All clients have manual relay settings, with primary and secondary both pointing to a relay whose relay service is stopped. In this configuration all clients go directly only to the last fallback… as we need.
The only problem is that targets do not get any action from the BigFix server unless we restart the agent, probably because targets are not getting the UDP notifications from the BigFix infrastructure. Now I'm trying to enable command polling on all devices… to make sure that it is a problem of UDP communication. Do you think that putting a relay behind the balancer will solve it… or do you have any idea to bypass this problem? Thanks a lot
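As an added illustration (not code from the thread, from BigFix, or from any of the posters), the script below parses a client configuration in the layout of the Linux BES client's besclient.config file (a `[Software\BigFix\EnterpriseClient\Settings\Client\<setting>]` header followed by a `value = ...` line) and audits the relay setup described in the last two posts: manual relay selection, primary and secondary pointing at the same stopped relay, a failover relay on the balanced address, and command polling switched off. The setting names are real BigFix client settings; the hostnames and values are constructed, the file layout is assumed from the Linux client, and the client-side `_BESClient_RelaySelect_FailoverRelay` setting stands in for the masthead-level last fallback relay, which lives in the masthead rather than in this file. The 900-second polling interval is a chosen example value, not a recommendation from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a Linux BES client besclient.config.
# Setting names are real BigFix client settings; hosts and values are made up
# to mirror the thread (manual relays pointing at a relay whose service is
# stopped, failover relay on the balanced address, command polling off).
SAMPLE_CONFIG = r"""
[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_RelaySelect_Automatic]
value = 0
[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer1]
value = http://stoppedrelay.example:52311/bfmirror/downloads/
[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer2]
value = http://stoppedrelay.example:52311/bfmirror/downloads/
[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_RelaySelect_FailoverRelay]
value = http://loadbalanceraddress.example:52311/bfmirror/downloads/
[Software\BigFix\EnterpriseClient\Settings\Client\_BESClient_Comm_CommandPollEnable]
value = 0
"""

SETTINGS_PREFIX = r"Software\BigFix\EnterpriseClient\Settings\Client"
HEADER_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r"^value\s*=\s*(?P<value>.*)$", re.IGNORECASE)


def parse_besclient_config(text: str) -> Dict[str, str]:
    """Return {setting_name: value} for every client-setting stanza in text.

    A later stanza for the same setting overrides an earlier one, which is
    what lets an appended fix stanza take effect in the audit below.
    """
    settings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            path = header.group("path")
            # Only stanzas under the client settings path are client settings.
            current = path.rsplit("\\", 1)[-1] if path.startswith(SETTINGS_PREFIX) else None
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            settings[current] = value.group("value").strip()
    return settings


def audit_relay_settings(settings: Dict[str, str]) -> List[str]:
    """Flag combinations that leave a client waiting for a UDP notification it may never get."""
    findings: List[str] = []
    manual = settings.get("_BESClient_RelaySelect_Automatic", "1") == "0"
    primary = settings.get("__RelayServer1")
    secondary = settings.get("__RelayServer2")
    failover = settings.get("_BESClient_RelaySelect_FailoverRelay")
    polling = settings.get("_BESClient_Comm_CommandPollEnable", "0") == "1"

    if manual and primary and primary == secondary:
        findings.append("primary and secondary relay are the same host; if that relay "
                        "is down the client depends entirely on the failover relay")
    if manual and not failover:
        findings.append("manual relay selection with no failover relay configured")
    if not polling:
        findings.append("command polling is disabled: new actions are only noticed via "
                        "UDP 52311 notifications, which a balancer may not pass through")
    return findings


def command_polling_stanza(interval_seconds: int) -> str:
    """besclient.config lines that enable command polling at the given interval."""
    return (
        f"[{SETTINGS_PREFIX}\\_BESClient_Comm_CommandPollEnable]\nvalue = 1\n"
        f"[{SETTINGS_PREFIX}\\_BESClient_Comm_CommandPollIntervalSeconds]\n"
        f"value = {interval_seconds}\n"
    )


if __name__ == "__main__":
    parsed = parse_besclient_config(SAMPLE_CONFIG)
    for finding in audit_relay_settings(parsed):
        print("FINDING:", finding)
    print("--- proposed stanza to append ---")
    print(command_polling_stanza(900))
```

Running it against the constructed sample reports the identical primary/secondary relays and the disabled command polling; appending the generated stanza and re-auditing clears the polling finding, which is the check you would want before concluding that the missing actions are a UDP-notification problem rather than a relay-selection one.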