Question about clientsettings.cfg and ip address of the relay

(imported topic written by KimberlyNNH91)


I am new to Bigfix and have a few questions.

Our main BES server is BESMain and is controlled by the home office, our computers should connect to the local relay - ip address (for example), named BESLocal. When I look in the registry, HKLM\Software\BigFix\ClientComplianceAPI and HKLM\Software\BigFix\EnterpriseClient\GlobalOptions I don’t see any reference to BESLocal, just BESMain.

Originally we did not have a clientsettings.cfg file but just created one : IP:

I uninstalled and then reinstalled with the new clientsettings.cfg in the install folder and nothing changed.

Questions: should the registry point to the BESLocal?

What is the point of the clientsettings.cfg?

If the clientsettings.cfg is needed, is there any way to update the installs I have already done?

Thank you!

(imported comment written by BenKus)

Hi Kimberly,

You probably don’t need clientsettings.cfg because you can simply turn on “automatic relay selection” for your agents as a policy:

The agents will then figure out which relay they should report to on their own…

To check to see which relay the agent is using, you can look in the BigFix Console “Computers” tab and look at the “relay” column. Alternately, you can look on any client at “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client__RelayServer1”

If you are interested in background reading, you can check out:


(imported comment written by KimberlyNNH91)

I checked in “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client__RelayServer1” and am pointing to the correct relay.

One other quick queston. The home office said - on our relay server - that we need to add the TCP and UCP ports for BigFix and add their server IP address. To me it makes more sense to add those ports for my subnet so my computers can talk to my relay.

Thank you for the great info!

(imported comment written by tratz91)


  1. You are using the standard BigFix (52311) and Microsoft SQL Server (1433) ports.

  2. You house your BigFix database(s) on your Root Servers and use DAS for replication.

Connectivity Requirements (as I understand them):

Allow 52311/TCP from all Root Servers to all Relays

Allow 52311/TCP from all Relays to all Root Servers

Allow 52311/TCP from all Clients to all Root Servers and all Relays*

Allow 52311/UDP from all Root Servers* and all Relays to all Clients

Allow ICMP from all Clients to all Root Servers* and all Relays

Allow 52311/TCP from all Consoles to all Root Servers

Allow 1433/TCP from all Consoles to all Root Servers

Allow 1433/TCP from all Root Servers to all Root Servers

Allow 80/TCP from all Root Servers to the Internet**

  • My recommednation differs from the documented BigFix Traffic Guide ( a bit, but it is more “friendly” for situations where all Relays are unavailable but at least one Root Server remains available. The image in BigFix’s Traffic Guide appears to assume there is always at least one Relay available at all times. This may not always be the case. Technically speaking, every Client should already have awareness of at least one Root server in the event a Relay cannot be contacted, so ICMP from Clients to Root Servers is not really needed. I prefer, however, to be able to retain the ability to ping Root Servers from Clients.

  • A defined list of destinations can be used instead of “the Internet”, but you will need to include ALL potential update repositories and keep up with changes vendors can (and do) make at any time.

Managing access by subnet is definitely an option; you just have to determine what is best for your envrionment. The BigFix Traffic Guide is posted at:

I hope this helps. Ben or others may have more or better advice to offer.