Response time (relay to relay)

I have an authenticating relay in my DMZ and a relay onsite at a remote location. Inbound TCP/UDP 52311 is being blocked at that remote location. I’ve enabled command polling and set it to 900 sec on the relay at the remote site. Most of the time this is adequate. However, there are times where I want quicker responses (i.e. lock/unlock computer). Is there anything I can do in this setup to speed up the communication?

Thank you!

I would highly recommend looking at Persistent Connections for the site-level BESRelay. There’s also this wiki document on BESRelays in the DMZ that should be helpful.

Thanks @cmcannady, I took a look at the first link you provided and used the included fixlet to enable persistent connection on the relay in the DMZ. However, the provided fixlet “Persistent Connection: enable Client” is not relevant on the relay at the remote site. I also took a look at the second link you provided and am not sure that is applicable to my setup. I created a network diagram (mostly borrowed from here http://support.bigfix.com/bes/misc/internetrelay.html) to help me think through this - the red arrow is where traffic is being blocked. Would the relay in the remote site be the parent and the relay in the DMZ be the child? When I attempted this the relay in the DMZ stopped reporting into my BigFix server. I had to go into the registry to disable the setting to get it talking again.

Is removing the relay at the remote site a better option? I could then use the persistent connection setting you linked to with peer nesting? I don’t know much about peer nesting and when it makes sense to use that rather than a relay. I would like to get your thoughts on this approach. Thanks again.

In this scenario, I think your best option is a site-to-site VPN between your firewalls allowing the TCP/52311 between relays in both directions; or an IPSec VPN between the two relays directly.

The new “Persistent DMZ Relay” config won’t work because it requires the upstream Relay to establish a persistent connection to the downstream Relay.
The normal “Persistent Connection” config for clients to establish the upstream connection does not have an effect on Relays themselves.
If there is no downstream connection allowed, Command Polling on the child Relay really is your only option.

PeerNest is only used in file downloads, and reduces your traffic across WAN links by having the clients share downloaded files with each other. The main use is for branch offices or retail outlets that have too few clients to bother with a dedicated Relay at the site, but still want to reduce the WAN bandwidth used.

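
As an added illustration of the reasoning in the reply above (this is not code from the original thread or from BigFix), the script below probes whether TCP 52311 is actually open in each direction between two relays and maps the result onto the options listed: push notification when both directions are open, the Persistent DMZ Relay setup when only the upstream relay can connect downstream, and command polling when only the child can reach its parent. The probe is a plain TCP handshake, not a BigFix API call; run it once on each relay against the other to get the two booleans. The `self_check` function uses a constructed loopback listener so the probe can be exercised offline; the hostname argument in the usage block is a placeholder.

```python
"""Probe relay-to-relay reachability on 52311 and pick the notification mode."""
import socket

BES_PORT = 52311  # BigFix relay/client port (TCP and UDP)


def tcp_reachable(host: str, port: int = BES_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A plain socket probe: it only tells you whether the firewall lets the
    connection through, nothing about the BigFix service behind it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_mode(parent_reaches_child: bool, child_reaches_parent: bool,
                poll_interval_s: int = 900) -> dict:
    """Map the two firewall directions to the options from the thread.

    parent_reaches_child: tcp_reachable(child) as run ON the parent relay.
    child_reaches_parent: tcp_reachable(parent) as run ON the child relay.
    Returns the mode and the worst-case delay (seconds) before the child
    relay learns that a new action exists.
    """
    if parent_reaches_child and child_reaches_parent:
        # Both directions open (e.g. site-to-site VPN): the parent can
        # notify the child as soon as an action is issued.
        return {"mode": "push notification", "worst_case_delay_s": 0}
    if parent_reaches_child:
        # Only upstream -> downstream is allowed: the Persistent DMZ Relay
        # config, where the upstream relay opens the persistent connection.
        return {"mode": "persistent DMZ relay (upstream opens connection)",
                "worst_case_delay_s": 0}
    if child_reaches_parent:
        # Only downstream -> upstream is allowed (this thread's case):
        # command polling on the child relay is the only option, and a new
        # action waits up to one poll interval.
        return {"mode": "command polling on child relay",
                "worst_case_delay_s": poll_interval_s}
    return {"mode": "no path between relays", "worst_case_delay_s": None}


def self_check() -> tuple:
    """Offline sanity check of the probe against a constructed loopback
    listener (not a real relay): expect (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_result = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    import sys
    # Placeholder peer hostname; run on each relay against the other.
    peer = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state = "open" if tcp_reachable(peer) else "blocked"
    print(f"TCP {BES_PORT} to {peer}: {state}")
```

Run `python probe.py <other-relay>` on the DMZ relay and again on the remote-site relay, then feed the two results to `choose_mode`; with the remote site blocking inbound 52311 you get the command-polling branch, and the only lever left is the poll interval, which is why shortening it (or opening the reverse direction with a VPN) is what reduces lock/unlock latency.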

Jason, thanks for the detailed response. This is very helpful. Thank you!
