I’m in the process of setting up a relay on our DMZ so that our laptops can get their BES AntiSpyware definitions without having to be onsite. I know the process for setting it up (article 199) with ports and such. Question is - do I have to manually set the laptops to talk to that specific DMZ relay (perhaps as primary and then the BES server as secondary)? Thanks.
The answer depends on how you have customized your configuration. If your laptops perform automatic relay selection without a maximum hop count restriction, then they will simply find the relay as long as it responds to pings from external sources.
If you do have hop count or other restrictions, then you may need to build in exceptions so that the BES clients that are off your network have different policies.
Another option is to use the _BESClient_RelaySelect_FailoverRelay setting to provide the DMZ relay as a failover for machines that cannot locate a relay that meets the selection criteria you have defined. However, this might not be appropriate because clients that actually are on your network may also select the DMZ relay when they cannot select a relay.
If you use manual relay selection it will be difficult to properly handle laptops in the field that frequently change locations.
Can you tell us a little more about the relay selection policies you have in place today? That will help provide direction as to an appropriate implementation strategy.
Also, just to be clear, it is common to put a relay in your DMZ. Doing so provides nice end-to-end control of your assets regardless of their physical location. One nice example is the hard drive of a laptop that has been stolen could be remotely erased the first time it comes online.
Thanks Jesse. I use “auto-selection” for my agents. So, then if I understand - the agent will have a list of available relays (provided the laptop is on the network at the time that the new relay is installed). If a laptop is out of the network when the new DMZ relay is installed - it won’t know about it until the next time it comes back on the network and gets a relay update, correct? Which is not really a big issue. Our laptops are not usually offsite for very long. Thanks.
That’s correct. Laptops will receive notification of the new relay the next time they are able to gather the action site. That will occur as soon as they are able to contact an existing relay or the main server.
Just to be clear, have you implemented the _BESClient_RelaySelect_MaximumTTLToPing setting? If not, no additional changes to your deployment should be necessary.
You will need to allow ICMP from the internet to the relay in the DMZ. However, you don’t need to open UDP 52311. UDP messages are typically sent from the relays to notify clients that new actions are available, but there is very little chance that a client on the internet would receive the UDP message. Instead, you rely on the client’s periodic, self-initiated polling to make sure it gathers actions. This poll will happen by default once a day, as well as anytime the client comes online.
It is possible to configure the clients to poll more frequently. In this case, you would want to use 2 dynamic settings that detect that a computer is using the DMZ relay, and those machines would be switched to a more aggressive polling rate.
In 6.0 the 2 settings would be _BESClient_Comm_CommandPollEnable and _BESClient_Comm_CommandPollIntervalSeconds. I would set the PollInterval to once an hour, which is 3600 seconds. Do not set this value below 900 seconds.
What if you need to install the BigFix client on a computer that is in the DMZ? We have setup the Relay to communicate to the BigFix server however when you install the client - the client wants to talk to the server first. Is it possible to have it talk to the relay first?
When the client attempts communication to the server it receives the following error:
RegisterOnce: GetURL failed.
Some Background:
We are adding a LAN to our network and this LAN is currently using a subnet that we use. Until we can readdress the LAN we will be putting the LAN behind a NAT firewall. While the LAN is behind the firewall we will be deploying the BigFix client to the computers. We have set up BigFix to use FQDN and not IP.
Just getting ready to implement a relay in the dmz to support laptops as they go home.
My current implementation has each one of the 200+ sites set up with a task that is run per location that forces the clients into manual relay selection with the primary relay being their relay in that particular subnet. I’m thinking that I can modify that task to make the secondary the relay in the DMZ.
In a perfect world I would like the clients to check for their primary relay (in their own subnet) and if that fails revert back to the main BES server. If these 2 relay selections fail then there has probably been a big fire…or the laptop has been taken off the corporate network.
What is the easiest way for me to accomplish this client configuration…or come close? Can I create some firewall rules to make the DMZ unreachable to the clients when they are on the internal network? I’m wondering if I can set something up so that the only communication allowed is from the main BES server on the internal network to the DMZ. The internet side would allow communication to the DMZ from the clients…
It sounds like you basically want to have the BES Agents run autoselection and if they can’t find anything in 1-2 hops, they can default to a failover relay and then the BES Server…
Setting this up is fairly straightforward:
First, since you have a fair number of BES Relays (we consider 200 relays to be “moderately distributed” for the purposes of relay selection), you probably want to make your autoselection policies less aggressive. Please set the following globally on all your BES Clients as a policy (more info on these at http://support.bigfix.com/bes/misc/besconfigsettings.html):
_BESClient_RelaySelect_MaximumTTLToPing = 4 (don’t send ICMP further than one subnet away)
_BESClient_RelaySelect_IntervalSeconds = 86400 (run autoselection once a day to ensure optimal BES Relay selection)
_BESClient_RelaySelect_ResistFailureIntervalSeconds = 7200 (in the event that the relay appears to be down, wait 2 hours before searching for an alternate)
_BESClient_RelaySelect_MinRetryIntervalSeconds = 7200 (if you can’t find a relay, try again in 2 hours)
_BESClient_RelaySelect_MaxRetryIntervalSeconds = 86400 (if you continue to fail to find a relay, try once a day)
_BESClient_RelaySelect_FailoverRelay = http://DMZRelay:port/bfmirror/downloads/
Once these are in place, you can then turn on autoselection (probably don’t do it all at once to all your computers… turn on temporal distribution over a couple hours)…
With this behavior in place, the BES Clients will basically do this:
If they can ping a relay within their subnet or one subnet over, then they will try to use that relay.
If they can’t find a relay, they will try to connect to the failover relay.
If they can’t find the failover relay, they will try the main server.
Note that it would work best if you had an internal failover and a DMZ failover because you tend to want to keep computers from reporting to the main BES Server… You can do this by giving them the same name, or by assigning the DMZ Relay failover setting to only mobile computers.
You can talk to professional services about getting someone onsite to assist you with all this… It shouldn’t take too long to get set up…
An internal failover and dmz failover is what I would be after… Would it be as simple as giving the internal failover and DMZ failover the same name? One could be resolved from the internet and the other would only be resolvable internally…
Because our network to all our sites is done within VPN tunnels coming back to a concentrator…everything is one hop away once you are out of your subnet. The network is being redesigned with different route metrics…but that will take a while.
Yes… Using the same name for the internal and external DMZ would simplify the setup, but it would be harder to differentiate which computers are reporting to which relay (because they have the same name).
Is there any retrieved property that you know of, or one that I can create, that can give me the external interface of a home pc’s router. The pc’s internal ip might be a 192 address or some other natted ip.
In the case of a stolen laptop it would be nice to give the ip or some other unique field to police to track the home location from one of our local internet providers. I can still wipe the laptop with the BigFix client but would also like to hunt them down also.
Ran a tracert and piped the output to a file…
q: lines starting with " 2" of file "tracert.txt" of folder "c:"
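As an added example (not part of this thread and not BigFix code), here is a Python parser for the Windows tracert output that the relevance query above reads back from c:\tracert.txt. It extracts the hop number and address from each hop line, copes with a hostname in front of the bracketed address and with “Request timed out.” hops, and reports both the hop-2 address the query picks out and the first hop whose address is outside the RFC 1918 and RFC 6598 (100.64.0.0/10) ranges, so the provider-side address is found even when the home network has more than one NAT hop. The tracert text and all addresses are constructed from documentation ranges.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed Windows tracert output (documentation address ranges, not a real trace).
SAMPLE_TRACERT = """\
Tracing route to relay.example.com [203.0.113.50]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  192.168.0.1
  2    14 ms    12 ms    13 ms  gw.isp.example [198.51.100.1]
  3    15 ms    14 ms    14 ms  198.51.100.254
  4     *        *        *     Request timed out.
  5    22 ms    21 ms    21 ms  203.0.113.50

Trace complete.
"""

# One hop line: hop number, three RTT columns ("<1 ms", "12 ms" or "*"), then the target.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+\s+ms|\*)\s+){3}(.*?)\s*$")
BRACKETED_ADDR_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

# Address space that sits behind a home or carrier NAT: RFC 1918 plus RFC 6598.
NAT_SIDE_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop number, address) for each hop line; address is None when the hop
    timed out. A hostname in front of a bracketed address is stripped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank and trailer lines
        target = m.group(2)
        bracket = BRACKETED_ADDR_RE.search(target)
        candidate = bracket.group(1) if bracket else target
        try:
            addr = str(ipaddress.ip_address(candidate))
        except ValueError:
            addr = None  # "Request timed out." and similar
        hops.append((int(m.group(1)), addr))
    return hops


def behind_nat(addr: str) -> bool:
    """True for RFC 1918 / RFC 6598 addresses, i.e. the private side of a NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_SIDE_NETWORKS)


def hop_address(hops: List[Tuple[int, Optional[str]]], number: int) -> Optional[str]:
    """Address recorded for one hop (the relevance query above reads hop 2)."""
    for hop, addr in hops:
        if hop == number:
            return addr
    return None


def first_public_hop(hops: List[Tuple[int, Optional[str]]]) -> Optional[Tuple[int, str]]:
    """First hop whose address is not behind a NAT: the first device on the
    provider side of the home connection. None if no such hop answered."""
    for hop, addr in hops:
        if addr is not None and not behind_nat(addr):
            return hop, addr
    return None


if __name__ == "__main__":
    parsed = parse_hops(SAMPLE_TRACERT)
    print("hop 2:", hop_address(parsed, 2))
    print("first public hop:", first_public_hop(parsed))
```

On the constructed sample, hop 2 and the first public hop coincide; on a connection with a double NAT (for example a carrier-grade 100.64.x.x hop) the two differ, which is why the parser reports the first non-NAT hop rather than assuming it is always line 2.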
Just getting ready to implement the auto relay selection settings…
There is only one setting I’m not so sure about as every subnet is an equal distance away as we go through a vpn concentrator. I would like to keep the ICMP traffic within the subnet and not leave the individual site.
_BESClient_RelaySelect_MaximumTTLToPing = 4 (don’t send ICMP further than one subnet away)
Not sure if this setting will keep the pings from leaving the site…
The maxTTL setting is a little funky in how it is used because it is implemented as a “<” rather than a “<=”, meaning that if the maxTTL is set to 4, the last packets to be sent will have a TTL of 3.
So basically:
_BESClient_RelaySelect_MaximumTTLToPing = 2 —> Router in local subnet will see packets with maxTTL of 1 and will not forward the packets.
_BESClient_RelaySelect_MaximumTTLToPing = 3 —> Packet will be forwarded to adjacent subnets.
_BESClient_RelaySelect_MaximumTTLToPing = 4 —> Packet will be forwarded to adjacent subnets and then to adjacent subnets.
So I actually should have said MaxTTL=3 in my previous post, which would forward the packet to adjacent subnets. It sounds like you might want MaxTTL=2 so that you can prevent packets from leaving the local subnet.
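To make the behaviour described in this thread concrete, here is a small Python model (an added example, not BigFix code and not from any post here) of the three-stage selection laid out earlier in the thread, nearest relay within the TTL budget, then _BESClient_RelaySelect_FailoverRelay, then the main server, combined with the strict “<” semantics of _BESClient_RelaySelect_MaximumTTLToPing just explained. Relay names, hop counts and reachability flags are constructed scenario data; the hop arithmetic assumes each router decrements TTL by one, so a probe sent with TTL n reaches hosts n-1 routers away.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Relay:
    """Constructed scenario data: one relay as seen from one client."""
    name: str
    hops: int               # routers between client and relay; same subnet = 0
    reachable: bool = True  # whether the relay answers ICMP from this client


def ttls_probed(max_ttl_setting: int) -> List[int]:
    """TTL values a client sends, given that _BESClient_RelaySelect_MaximumTTLToPing
    is applied as a strict '<': a setting of 4 probes TTL 1, 2, 3; a setting of 2
    probes only TTL 1."""
    return list(range(1, max_ttl_setting))


def hops_reached(max_ttl_setting: int) -> int:
    """Largest router-hop distance a probe crosses. A packet with TTL n survives
    n-1 routers, so TTL 1 stays in the local subnet (0 routers). Returns -1 when
    the setting is so low that nothing is probed at all."""
    probed = ttls_probed(max_ttl_setting)
    return probed[-1] - 1 if probed else -1


def select_relay(relays: List[Relay], max_ttl_setting: int,
                 failover: Optional[Relay] = None,
                 main_server: str = "BESServer") -> Tuple[str, str]:
    """Model of the selection order described in the thread:
    1. nearest relay that answers within the TTL budget,
    2. otherwise the configured failover relay,
    3. otherwise the main server.
    Returns (chosen name, reason)."""
    reach = hops_reached(max_ttl_setting)
    candidates = [r for r in relays if r.reachable and r.hops <= reach]
    if candidates:
        best = min(candidates, key=lambda r: r.hops)
        return best.name, f"autoselection: reachable within {reach} router hop(s)"
    if failover is not None and failover.reachable:
        return failover.name, "no relay within TTL budget: using _BESClient_RelaySelect_FailoverRelay"
    return main_server, "no relay or failover reachable: falling back to the main server"


# Constructed scenarios matching the thread: every other site is one VPN hop away,
# and the DMZ relay is configured as the failover.
SITE_RELAYS_ONSITE = [Relay("SiteRelay", 0), Relay("OtherSiteRelay", 1)]
SITE_RELAYS_LOCAL_DOWN = [Relay("OtherSiteRelay", 1)]
SITE_RELAYS_OFFSITE = [Relay("SiteRelay", 0, reachable=False),
                       Relay("OtherSiteRelay", 1, reachable=False)]
DMZ_FAILOVER = Relay("DMZRelay", 3)


def demo() -> dict:
    """Run the scenarios and return {label: chosen relay}."""
    return {
        "onsite, maxTTL=2": select_relay(SITE_RELAYS_ONSITE, 2, DMZ_FAILOVER)[0],
        "local relay down, maxTTL=2": select_relay(SITE_RELAYS_LOCAL_DOWN, 2, DMZ_FAILOVER)[0],
        "local relay down, maxTTL=3": select_relay(SITE_RELAYS_LOCAL_DOWN, 3, DMZ_FAILOVER)[0],
        "offsite with failover": select_relay(SITE_RELAYS_OFFSITE, 2, DMZ_FAILOVER)[0],
        "offsite, no failover": select_relay(SITE_RELAYS_OFFSITE, 2, None)[0],
    }


if __name__ == "__main__":
    for label, choice in demo().items():
        print(f"{label:28s} -> {choice}")
```

The “local relay down, maxTTL=2” case shows the caveat raised earlier in the thread: with TTL 2 the probes never leave the subnet, so an on-site client whose local relay is down skips the relay one hop away and picks the DMZ failover; with TTL 3 it reaches the adjacent site instead. That is the situation an internal failover relay (or a failover setting applied only to mobile computers) is meant to cover.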
Has anyone set up any successful “lojack” report and/or task (disk wipe, etc) that could be used in the case of stolen/lost laptops? Trying to get some ideas and see what might be working for people. I have a working relay on the DMZ - so my agents report in off the net. Of course, understandable that whoever had possession of the laptop would have been kind enough to not change any system settings before connecting to the Internet - in which case the BF agent could phone home. Besides sending them a message to “turn themselves in to the authorities” - has anyone had any success with recovery or data wipe using BF? Thanks.
Once, someone stole one of our new Mac Powerbooks from the car of one of our newer employees… Since we have a DMZ-based relay and there was a Mac BigFix Agent on the computer, we decided to get clever and try to find the person…
So we set up a Fixlet that would take pictures using the built-in camera (that faced the user) to secretly take pictures when the computer was on and upload them to the BigFix Server. When we were working on the Fixlet, we saw that the computer reported in a few times, but unfortunately by the time we finished the Fixlet, the computer was no longer reporting in (the thief probably wiped the drive)… we were a little upset that we blew our chance…
Had we caught the person, we contemplated a press release or blog entry or whatever that would have said something like “BigFix tracks down laptop thief using its own software (pictures included)!”… but unfortunately we couldn’t catch the person… Maybe next time…
I have heard other stories about our customers that have been able to track down IP addresses and other info that gave clues about stolen laptops… One company caught a guy who stole a laptop when he brought the computer into one of the company’s offices and they were able to trace the IP and find him.