Public-Facing Relay Setup - Security Concern and Registration Issue

Hello everyone,

I’m seeking some guidance regarding an issue with our recent BigFix setup. Here’s the situation:

We’ve implemented an internet-facing relay, meaning it has a public DNS that can be reached by any computer worldwide. However, instead of placing the relay in a DMZ, it’s hosted in Azure. The child relay communicates with its parent relay over public IP addresses — both the child and parent relays have public IPs and are communicating in this manner.

To enhance security, I’ve set up authentication and configured a password that clients must use to connect. However, I noticed that anyone, whether inside or outside our organization, can execute a simple telnet relaydns.company.com 52311 and connect to the relay’s port. Is this behavior expected? Shouldn’t there be some sort of access restriction, or am I missing something in my configuration?

Additionally, when clients attempt to register with the relay, they encounter the following logs:

RegisterOnce: Attempting secure registration with ’
https://updateserver.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.12.60&Body=XXXXXXX&SequenceNumber=XXXX&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&MinHops=12&MaxHops=22&Root=http://servername.example.com%3A52311&AdapterInfo=XX-XX-XX-XX-XX-XX_XXX.XX.XXX.0%2FXX_XXX.XX.XXX.X_0&AdapterInfo=XX-XX-XX-XX-XX-XX_XXX.XXX.XXX.0%2FXX_XXX.XXX.XXX.X_0
At 14:29:50 -0300 -
RegisterOnce: GetURL failed - General transport failure. - BAD SERVERNAME (winsock error 4294967290 - registration url -
http://updateserver.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.12.60&Body=XXXXXXX&SequenceNumber=XXXX&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&MinHops=12&MaxHops=22&Root=http://servername.example.com%3A52311&AdapterInfo=XX-XX-XX-XX-XX-XX_XXX.XX.XXX.0%2FXX_XXX.XX.XXX.X_0&AdapterInfo=XX-XX-XX-XX-XX-XX_XXX.XXX.XXX.0%2FXX_XXX.XXX.XXX.X_0

Has anyone experienced a similar issue with secure registration failure or open ports like this in a public-facing relay setup? Any suggestions on how to tighten security while maintaining proper communication between relays would be highly appreciated. Also, can I be sure that computers over the internet will only attempt to register using https?

Thanks in advance for your help!
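Added example, not code from the original post or from BigFix: a small parser for client log lines like the ones quoted above that records which scheme each RegisterOnce attempt actually used, so log collection can flag any registration that went out over plain http instead of https. The sample lines are constructed from the post's excerpt, and the hostnames and Body value are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the client log excerpt in the post;
# hostnames and the Body value are placeholders.
SAMPLE_LOG = """\
At 14:29:48 -0300 -
RegisterOnce: Attempting secure registration with 'https://updateserver.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.12.60&Body=XXXXXXX&Root=http://servername.example.com%3A52311'
At 14:29:50 -0300 -
RegisterOnce: GetURL failed - General transport failure. - BAD SERVERNAME (winsock error 4294967290 - registration url - http://updateserver.example.com:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=10.0.12.60&Body=XXXXXXX&Root=http://servername.example.com%3A52311
"""

URL_RE = re.compile(r"https?://[^\s']+")      # first URL on the line, up to whitespace or quote
WINSOCK_RE = re.compile(r"winsock error (\d+)")

@dataclass
class RegistrationEvent:
    kind: str                    # "attempt" or "failure"
    scheme: str                  # scheme the client used for clientregister.exe
    host: Optional[str]
    port: Optional[int]
    root_scheme: Optional[str]   # scheme inside the Root= parameter (root server URL)
    winsock_error: Optional[str]

def parse_registration_events(log_text: str) -> List[RegistrationEvent]:
    """Extract each RegisterOnce attempt or failure together with the URL it used."""
    events: List[RegistrationEvent] = []
    for line in log_text.splitlines():
        if "RegisterOnce:" not in line:
            continue
        m = URL_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(0))
        # Root= is percent-encoded in the query string; parse_qs decodes it.
        root = parse_qs(parts.query).get("Root", [None])[0]
        err = WINSOCK_RE.search(line)
        events.append(RegistrationEvent(
            "failure" if "GetURL failed" in line else "attempt", parts.scheme,
            parts.hostname, parts.port, urlsplit(root).scheme if root else None,
            err.group(1) if err else None))
    return events

def find_insecure_registrations(events: List[RegistrationEvent]) -> List[RegistrationEvent]:
    """Events whose registration URL is not https: the ones to alert on for internet clients."""
    return [e for e in events if e.scheme != "https"]
```

Run against a real BESClient log, the output of find_insecure_registrations shows whether any client fell back to an http registration URL, which is the check the last question in the post asks for.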