Send Refresh - UDP or TCP between Relays?

(imported topic written by Joe.Holder91)

Hi

It is necessary for us to have the agents wake up to perform new actions.

My understanding was that this is achieved via a UDP message sent over port 52311 between the last relay and the client.

My understanding was that prior to this the ‘wake up/send refresh’ message was sent over TCP/IP between the BigFix server and the 1st-level relays.

This meant that, although it did not work through NAT, it could still get to the last relay before UDP, and so you could have NAT at other parts of your network.

However it now looks like having NAT anywhere on the relay hierarchy stops the ‘send refresh’ from happening.

Is this the case?

thanks

Joe

(imported comment written by SystemAdmin)

Hi Joe,

It’s UDP all the way from the BES Server to the BES Relays to the BES Clients. It is possible to get UDP through the NAT though, you just need to install a BES Relay behind the NAT and allow TCP/UDP on port 52311 to the BES Relay. You can also forward all UDP on that port to the BES Relay if that helps. This way all the BES Clients talk with the BES Relay on the other side of the NAT and the BES Relay is the only computer that needs to get UDP through the NAT.

If you are still unable to get it working you can increase the BES Client polling interval and have them check upstream for updates more frequently.

Also, to clarify, the BES Clients are active all the time; the UDP message simply informs them that there is new data available, and then the BES Client attempts to use TCP to the BES Relay to gather that new data. The client will run actions and gather upstream periodically even if no UDP is ever received.

Tyler

(imported comment written by Joe.Holder91)

Hi Tyler

Thanks for the reply. I’m confused by your saying that the UDP is OK if we have one relay behind NAT. That is what we have.

BigFixServer -> relay 1 -|netscreen firewall with NAT |->|firewall with no NAT| relay 2 -> |firewall with no NAT| ->BES client.

Originally we tried going from BigFix server -> relay 1-> BES Client but as this didn’t work and we read this article

http://support.bigfix.com/cgi-bin/kbdirect.pl?id=173

it seemed to us NAT was the problem.

So on the (turns out to be wrong) assumption that it was only UDP from the parent relay to the client, we changed the route to go to a 2nd relay nearer the client.

I am still waiting for the firewall between relay 1 and relay 2 to be opened for UDP (currently just for TCP) and will test it as soon as that is done.

However, based on our experience with relay 1 -> client (when the firewall was allowing UDP between these two) I expect the NAT to mean this doesn’t work. Isn’t that what the article says? (Note these are NetScreen firewalls doing the NAT, not Check Point, which has the feature that Rad found that allowed this to work.)

Joe

(imported comment written by BenKus)

Hey Joe,

Tyler misspoke… The Relays don’t send UDP to each other. Instead the relays/server have two-way TCP connections with each other; see here for info that will hopefully explain everything:

http://support.bigfix.com/bes/misc/networktraffic.html

In order for the send-refresh to work properly with your firewalls, the following must be open:

TCP 52311: Server -> Relay1 -> Relay2

UDP 52311: Relay2 -> Client

In addition, you will need TCP 52311 open from Client -> Relay2 -> Relay1 -> Server, but I expect that is already working otherwise the agent would have never reported.

So perhaps you don’t have two-way TCP enabled between the relays/server and that is the cause of the issue?

Ben

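The port requirements Ben lists above (TCP 52311 hop by hop from the server down to the last relay, UDP 52311 only from the last relay to the client, and TCP 52311 back up the whole chain) generalise to a relay hierarchy of any depth. The following is an added example, not code from the forum or from BigFix: it models a server/relay/client chain, derives the flows a send-refresh needs, and checks a firewall rule list against them so that a missing downstream TCP hop (Ben's suspected cause) or an unnecessary relay-to-relay UDP rule (Joe's pending firewall change) shows up directly. The host names, the `allow <proto> <src> -> <dst> <port>` rule syntax and the rule set are all constructed for the example.

```python
import re
from dataclasses import dataclass

BES_PORT = 52311  # the single port used by BES server, relays and clients


@dataclass(frozen=True)
class Flow:
    """One permitted direction of traffic: proto/port from src to dst."""
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    port: int = BES_PORT

    def __str__(self):
        return f"{self.proto.upper()} {self.port}: {self.src} -> {self.dst}"


def required_flows(chain):
    """Derive the flows a send-refresh needs for a chain given in downstream
    order: [server, relay1, ..., relayN, client].

    - TCP downstream from the server to relay1 and relay to relay (the relays
      never send UDP to each other, and the server never talks TCP to the client)
    - UDP from the last relay to the client (the actual wake-up)
    - TCP upstream from the client through every relay back to the server
      (gathering and reporting, which must already work for the client to appear)
    """
    if len(chain) < 3:
        raise ValueError("chain needs a server, at least one relay and a client")
    server, relays, client = chain[0], chain[1:-1], chain[-1]
    flows = set()
    downstream = [server] + relays
    for upper, lower in zip(downstream, downstream[1:]):
        flows.add(Flow("tcp", upper, lower))
    flows.add(Flow("udp", relays[-1], client))
    upstream = [client] + relays[::-1] + [server]
    for lower, upper in zip(upstream, upstream[1:]):
        flows.add(Flow("tcp", lower, upper))
    return flows


# Assumed rule syntax for this example: "allow tcp relay1 -> relay2 52311"
RULE_RE = re.compile(r"^allow\s+(tcp|udp)\s+(\S+)\s*->\s*(\S+)\s+(\d+)$", re.I)


def parse_rules(text):
    """Parse the constructed rule syntax into a set of Flow objects."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        proto, src, dst, port = m.groups()
        allowed.add(Flow(proto.lower(), src, dst, int(port)))
    return allowed


def check_rules(chain, rules_text):
    """Return (missing, unneeded): required flows no rule permits, and
    rules on the BES port that the send-refresh path does not use."""
    required = required_flows(chain)
    allowed = parse_rules(rules_text)
    missing = sorted(required - allowed, key=str)
    unneeded = sorted((f for f in allowed - required if f.port == BES_PORT), key=str)
    return missing, unneeded


# Constructed topology and rule set modelled on the thread: the firewall
# between relay1 and relay2 passes TCP upstream and UDP, but not TCP downstream.
CHAIN = ["server", "relay1", "relay2", "client"]
SAMPLE_RULES = """
# constructed example rules, not a real firewall configuration
allow tcp server -> relay1 52311
allow tcp relay1 -> server 52311
allow tcp relay2 -> relay1 52311
allow udp relay1 -> relay2 52311
allow udp relay2 -> client 52311
allow tcp client -> relay2 52311
"""

if __name__ == "__main__":
    missing, unneeded = check_rules(CHAIN, SAMPLE_RULES)
    print("Missing flows (send-refresh will not reach the client):")
    for f in missing:
        print("  ", f)
    print("Rules not needed by the send-refresh path:")
    for f in unneeded:
        print("  ", f)
```

Run as a script, the constructed rule set reports the one downstream hop that is missing (TCP relay1 -> relay2) and flags the relay-to-relay UDP rule as unnecessary, which is exactly the distinction Ben draws: opening UDP between relays does nothing for send-refresh, while a missing downstream TCP hop silently breaks it.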