Relay Autoselection Woes

Hi All,

We are setting up a new BigFix 9.5.6 system, with the master server hosted on an AWS VPC, along with the Top Level Relay, which also acts as the Internet relay. The BigFix master server is reachable by the clients from the internal network, but not from the Internet for security. There are also sub-level relays in each of the geographies we support, all pointing to the Top Level relay. We do have a (very) mobile workforce equipped with laptops.

We have been attempting to use relay autoselection, but this is failing once the laptops are placed on the Internet with the General Transport Failure error. On the Internal network all works correctly.

What is confusing us is that if we set up _BESClient_RelaySelect_TertiaryRelayList with a full list of relays, the Internet one being last in the list, it works as intended, switching relays seamlessly as we move between internal networks and the Internet (in conjunction with setting _BESClient_RelaySelect_Always_OnIPListChange=1, as we did for autoselection).

We have also tried hardcoding the Internet relay in _BESClient_RelaySelect_FailoverRelay but that did not work for us either. I must note that at all times we could successfully connect to the Internet relay by URL using a browser. The Firewalls/AWS security groups are configured to allow ICMP pass-through to the relay, which we have tested and confirmed.

We do need to have relay autoselection working to save complexity, as we have a fast growing number of geographies and offices to support by rolling out more relays. Would setting up Fake Root to the Top Level relay help here? Or have we hit an issue with automatic relay selection?

Relay Autoselection requires that ICMP be available. That’s simple enough when you control the network, but once you toss the Internet into the mix, forget it.

You need to use the FailoverRelay or FailoverRelayList settings.

When the client fails to find a Relay via the Automatic selection process, it will use the FailoverRelay.

I haven’t tried using the FailoverRelayList setting yet. I currently use the FailoverRelay setting in combination with some relevance with the ComputerID to spread remote computers across several servers in our DMZ.

I’ll dig up the Relevance I used. If I remember correctly, you can’t just specify the Computer Name, you need to use a complete URL. (http://servername:port/bfmirror/downloads/)

FailoverRelayList looks like it uses just the server names.

I’m using FailoverRelayList heavily and it seems to be working well for me. Depending on where my client is, it may only be able to reach one out of twenty relays. I’ve put all of the relays into the failover relay list using a client settings file during installation, before the client has a relays.dat and cannot do auto select.

Here’s an example of spreading machines across 2 Relays for the _BESClient_RelaySelect_FailoverRelay setting.

item 1 of item 1 of (computer id mod 2, (0,"http://Relay1.fqdn:52311/bfmirror/downloads/"; 1,"http://Relay2.fqdn:52311/bfmirror/downloads/")) whose (item 0 of it = item 0 of item 1 of it)
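The relevance expression above builds a list of (index, URL) pairs, keeps the pair whose index equals `computer id mod 2`, and extracts its URL. The following Python is an added illustration written for this page, not code from the thread or from BigFix: it reproduces that lookup in plain code, generalises it from 2 relays to any number, checks the two value formats the replies describe (a full `http://host:port/bfmirror/downloads/` URL for FailoverRelay, bare server names for FailoverRelayList), and counts how evenly a set of computer ids is spread. The relay names and computer ids are constructed sample values, and the semicolon used to join the FailoverRelayList value is an assumption, not something the thread states.

```python
"""Added example: mirror the `computer id mod N` relay spread in plain Python."""
from collections import Counter
from urllib.parse import urlparse

BFMIRROR_PATH = "/bfmirror/downloads/"
DEFAULT_PORT = 52311  # the port used in the thread's example URLs


def failover_relay_url(host: str, port: int = DEFAULT_PORT) -> str:
    """FailoverRelay (singular) needs a complete URL, as the reply notes."""
    return f"http://{host}:{port}{BFMIRROR_PATH}"


def pick_failover_relay(computer_id: int, relay_hosts: list, port: int = DEFAULT_PORT) -> str:
    """Same selection as the relevance: index = computer id mod (number of relays).

    Caveat: Python's % is non-negative for a positive divisor; if a deployment
    has negative computer ids, confirm the relevance `mod` result agrees before
    relying on this to predict the client's choice.
    """
    if not relay_hosts:
        raise ValueError("at least one relay host is required")
    idx = computer_id % len(relay_hosts)
    return failover_relay_url(relay_hosts[idx], port)


def failover_relay_list(relay_hosts: list) -> str:
    """FailoverRelayList takes bare server names; ';' as separator is an assumption."""
    return ";".join(relay_hosts)


def is_valid_failover_relay(value: str) -> bool:
    """Check the URL shape the thread says FailoverRelay requires."""
    p = urlparse(value)
    return (
        p.scheme in ("http", "https")
        and bool(p.hostname)
        and p.port is not None
        and p.path == BFMIRROR_PATH
    )


def spread(computer_ids, relay_hosts: list) -> dict:
    """How many of the given computer ids land on each relay host."""
    counts = Counter(relay_hosts[cid % len(relay_hosts)] for cid in computer_ids)
    return dict(counts)


def clientsettings_lines(computer_id: int, relay_hosts: list, port: int = DEFAULT_PORT) -> list:
    """Lines in key=value form for the settings the thread discusses."""
    return [
        f"_BESClient_RelaySelect_FailoverRelay={pick_failover_relay(computer_id, relay_hosts, port)}",
        f"_BESClient_RelaySelect_FailoverRelayList={failover_relay_list(relay_hosts)}",
        "_BESClient_RelaySelect_Always_OnIPListChange=1",
    ]


if __name__ == "__main__":
    # Constructed sample relays matching the thread's Relay1.fqdn / Relay2.fqdn
    hosts = ["Relay1.fqdn", "Relay2.fqdn"]
    for line in clientsettings_lines(7, hosts):  # 7 mod 2 = 1 -> Relay2
        print(line)
    print(spread(range(100), hosts))
```

With `computer id` 7 the script picks Relay2, exactly as the relevance would (7 mod 2 = 1 selects the pair whose item 0 is 1); the `spread` function is a quick way to check that a chosen relay count actually balances a population of ids before the setting is pushed out.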