Relay Affiliation Issue

What are we doing wrong? (we would like to learn from this…)

We made, uploaded and pushed out a relay affiliation csv file (through the Policy - Relay Affiliation Seeklist and UNCPath fixlet) and it worked perfectly for the first batch we did (about 6 of our locations) but doesn’t work as well with the rest of our locations, when we pushed it out the second time around. The first time we pushed that file we got three settings (_BESClient_Register_Affiliation_Seeklist, BESClient_RelaySelect_FailoverRelay & Location By Subnet) to populate automatically with the information provided in the file.

We have tried emulating what we did in the first place and pushing the file out to different locations one at a time (as a test) and still can’t get it to work. I will include an example of how we are configuring the file:

Subnet Address,Friendly Name,Seeklist,Relay Affiliation List
SubnetIP,Location#,RelayHostname;Tier1,RelayIP;Tier1IP1;Tier1IP2;Tier1IP3

We have tested different theories, looked at blog posts and even your YouTube channel (IBM Security).

We would like to see if we’re missing a step or if the file is not configured correctly, so we can get our relays affiliated automatically.

Please find below the relevance, action script and success criteria performed by this fixlet.

Let me know if you require further information, thanks!

Relevance:
((not exists operating system whose (name of it starts with "Win2")) AND (version of client >= "9.2")) AND (not exists relay service)

Action Script:
// Set the Client Affiliation Setting based on Subnet
parameter "SeekList"="{(tuple string item 2 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}"
//if { value of setting "_BESClient_ComputerType" of client as string = "Laptop"} then
If {if exist setting "_BESClient_ComputerType" of client then value of setting "_BESClient_ComputerType" of client as string = "Laptop" else False}
setting "_BESClient_Register_Affiliation_SeekList"="{parameter "SeekList"}" on "{now}" for client
setting "_BESClient_Comm_CommandPollEnable"="1" on "{now}" for client
else
setting "_BESClient_Register_Affiliation_SeekList"="{parameter "SeekList"}" on "{now}" for client
endif
setting "_BESClient_Comm_CommandPollIntervalSeconds"="300" on "{now}" for client
setting "__RelaySelect_Automatic"="1" on "{now}" for client
// Set the Client Location Setting based on Subnet
setting "Location By Subnet"="{(tuple string item 0 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}" on "{now}" for client
//setting "OU"="{(tuple string item 3 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}" on "{now}" for client
parameter "FailoverRelayList"="{(tuple string item 3 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}"
setting "_BESClient_RelaySelect_FailoverRelay"="{parameter "FailoverRelayList"}" on "{now}" for client
//parameter "UNCPATH"="{(tuple string item 4 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}"
//setting "_UNCPATH"="{parameter "UNCPATH"}" on "{now}" for client
relay select

Success Criteria:
not exists setting "_BESClient_Register_Affiliation_SeekList" of client

Have you pulled back the BESClient logs on working vs. non-working endpoints to determine if the Action Script is running as expected?

My suspicion is that one of the commands reading from the “SubLocation.txt” file is your culprit, but without BESClient log details it’s hard to be definitive.

Also, I would be inclined to add some additional code to your Action Script in key areas (i.e. reading from the SubLocation.txt file) and output those details to a log file for review via temporary analysis, etc.

Out of curiosity, does your enterprise maintain Active Directory site details for each physical location where you’re managing BESRelays and endpoints? If so, you could more easily utilize that AD property for the AdvertismentList and SeekList setting propagation for your BESRelay and BESClient endpoints respectively.

I re-ran the action script and it failed in all the computers I pushed the txt file to. Here’s the error I get from the logs:

Command failed (Relevance substitution failed) parameter "SeekList"="{(tuple string item 2 of (concatenation ", " of (substrings separated by "," of (lines of file "SubLocation.txt" of (client folder of site whose (Name of it = "actionsite"))) whose (it as string starts with (registration subnet address of client as string)))))}" (action:7167)

We do keep an AD attribute with the location information, but it’s kept on the user attributes, not computers. Let me know if what you’re indicating can still be done in this scenario, thanks!

There are several potential places this could fail. The easiest way to debug is to use the Fixlet Debugger on one of the failed endpoints, or use BFQuery (through the WebUI or RESTAPI) to query the individual clauses on the endpoint.

Some potential issues I see -
registration subnet address of client may not give a result if the system has more than 4 IP interfaces (a limitation of the inspector)

file “SubLocation.txt” will fail if the file doesn’t exist (unlikely)

lines of file “SubLocation.txt” may fail if the file is locked for reading by any other process (you could use locked lines of file instead if all of your clients are of a high enough version to have that inspector)

The file could be missing the line corresponding to the subnet on which you are searching.
The file could have a syntax issue such that tuple string items does not evaluate (like a comma without a space after it.)

I think these last two are the most likely.
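To make the failure modes listed above concrete, here is an added model (written for this discussion, not BigFix's own evaluator or the fixlet's code) of the clause the Action Script uses to read SubLocation.txt. It reproduces the "starts with registration subnet" filter, the rebuild with ", " separators, and the tuple string item lookup, and it raises where the real client would log "Relevance substitution failed": no matching line, a line with too few fields, and, as a generalization beyond the thread, more than one matching line (a singular substitution over a plural result). The file contents and subnets are constructed samples.

```python
"""Model of the Action Script clause:

  tuple string item N of (concatenation ", " of (substrings separated by "," of
    (lines of file "SubLocation.txt" ...) whose (it as string starts with <registration subnet>)))

Added model for this discussion; not BigFix's own relevance evaluator.
"""

# Constructed sample of the SubLocation.txt / CSV layout shown in the thread.
SAMPLE_FILE = """\
Subnet Address,Friendly Name,Seeklist,Relay Affiliation List
10.1.1.0,Location1,relay1.example.test;Tier1,10.1.1.5;10.1.1.6
10.2.2.0,Location2,relay2.example.test;Tier1
10.3.3.0,Location3,relay3.example.test;Tier1,10.3.3.5
10.3.3.0,Location3-dup,relay3b.example.test;Tier1,10.3.3.7
"""


class SubstitutionError(Exception):
    """Raised where the real client would log 'Relevance substitution failed'."""


def tuple_string_item(index, line):
    """Emulate 'tuple string item N of (concatenation ", " of (substrings separated by "," of line))'.

    Rebuilding the line with ", " separators yields one tuple item per CSV field,
    so an index past the last field has no result and aborts the substitution."""
    fields = line.split(",")
    if index >= len(fields):
        raise SubstitutionError(f"tuple string item {index}: only {len(fields)} fields in {line!r}")
    return fields[index]


def lookup(file_text, subnet, index):
    """Emulate the whole clause for an endpoint whose registration subnet is `subnet`."""
    # The header row is a line of the file too, but never starts with a subnet.
    matches = [ln for ln in file_text.splitlines() if ln.startswith(subnet)]
    if not matches:
        raise SubstitutionError(f"no line in SubLocation.txt starts with {subnet!r}")
    if len(matches) > 1:
        # Singular substitution over a plural result is an error, not "take the first".
        raise SubstitutionError(f"{len(matches)} lines start with {subnet!r}; result not unique")
    return tuple_string_item(index, matches[0])


def diagnose(file_text, subnet, index):
    """Return ('ok', value) or ('Relevance substitution failed', reason) for the client log."""
    try:
        return ("ok", lookup(file_text, subnet, index))
    except SubstitutionError as exc:
        return ("Relevance substitution failed", str(exc))
```

Running `diagnose` with each endpoint's registration subnet and items 0, 2 and 3 against the real file is the offline equivalent of the Fixlet Debugger check suggested above.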


Now it’s working! :slight_smile: Thanks for all your help!