Switching mastheads - where am I going wrong?

(imported topic written by rad.ricka91)

I’m switching mastheads using the Task 200 “Switch BES Client Action Site masthead”.

The client relays are set to manual and at the time of switch I’m adding two new ones by inserting the URLs directly into the action script.

When the client runs the action, everything happens ok and it tries to connect to the new relay, connects, registers and resets its Client ID.

At that point the relay settings get wiped from the registry and it can no longer connect as it can’t see the BES server directly.

Any ideas? Anybody seen this before?

R.

(imported comment written by jessewk)

Rad,

That would be the expected behavior. When a client notices that it has been switched to a new server, it completely resets itself. The relay settings you added would be considered part of the settings for the old deployment and would thus be wiped when the client registers with the new server.

-Jesse

1 Like

(imported comment written by rad.ricka91)

Jesse,

Yes, I can see why this would happen, but I think it’s a gap in the switchover process. You’re likely to have quite a few deployments where clients can’t see the BES Server directly and can get access only through a relay.

If the clients behave as you describe during a masthead switchover, then the whole disaster recovery model in the event of site certificate compromise breaks down.

I actually think this is quite serious from a compliance point of view.

Regards,

R.

1 Like

(imported comment written by Doug_Coburn)

Rad,

If you take a look at the task for switching the masthead it looks like it blanks out the Relay Servers manually.

setting "__RelayServer1"="" on "{parameter "action issue date" of action}" for client

setting "__RelayServer2"="" on "{parameter "action issue date" of action}" for client

Try making a copy of the task and replace the “” with “http://relayname:52311/bfmirror/downloads/” and see if that works for you.

Doug

1 Like

(imported comment written by BenKus)

Hey Rad,

As Jesse mentioned, the BES Client does a “hard reset” when it notices the masthead changes, which includes throwing away its relay settings (which is done by design because the old relay is now invalid).

You are correct that this is potentially problematic for computers without direct access to the BES Server (although we tend to look at it from the viewpoint of a deployment complication as opposed to a compliance issue because it is a restriction of the network that requires extra attention the same way it did during initial installation). In either case, the solution proposed by Doug unfortunately will not work because the BES Client will do a hard reset, which will throw away the values after it restarts.

To fix this issue, we can try to trick the BES Client into doing a “soft reset”, which will not wipe the BES Relay settings. To do this, we can modify the “Switch BES Relay” task to do the following:

  1. Switch the mastheads (as it does now)

  2. Add a step to delete the BES Client ComputerID at “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions”. You can use the action from Task #220 to delete the computerID and some other values, which will help avoid potential errors.

  3. Remove the step where it resets the relays (or point the relays somewhere else).

  4. Stop the BES Client.

  5. Delete the __BESData folder.

  6. Start the BES Client.

Note that steps 4-6 need to be done in a batch script because the client can’t delete the folders while it is running.

This will effectively make the client forget that it was a part of the previous deployment so it won’t need to do a hard reset.

We will follow up with you to make sure that we get this working.

Ben

1 Like

(imported comment written by rad.ricka91)

Ben,

It’s interesting, I’m doing exactly what you’ve suggested, however the besclientsetup.exe fails to replace the “ActionMasthead” and “GatherUrl” in HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions, so the net result is that the client will register with the new server, realize that it doesn’t have the right url and masthead and fail.

I tried jacking the GatherUrl and the Masthead into the action, but I’ve clearly hit a limit on the textual size of the action - the masthead is just too large and things start to break in places (like the editor windows, guess that’s down to the limit of the text box form control and then when running the action). So this approach didn’t work.

I’d be more interested in finding out why the GatherUrl and Masthead don’t get replaced in the registry when running the besclientsetup.exe command - I thought that would’ve done the trick.

R.

<–action script–>

action parameter query "Relay1" with description "Please enter the IP address for the first relay:"

action parameter query "Relay2" with description "Please enter the IP address for the second relay:"

download http://127.0.0.1:52311/masthead/masthead.afxm

copy "__Download\masthead.afxm" "masthead.afxm"

dos besclientsetup.exe masthead.afxm

regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions]" "ReportSequenceNumber"

regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions]" "RegCount"

regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions]" "ComputerID"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\__Relay_Control_RootServer]" "value"="http://{parameter "Relay1" of action}:52311/cgi-bin/bfgather.exe/actionsite"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\__RelayServer1]" "value"="http://{parameter "Relay1" of action}:52311/cgi-bin/bfgather.exe/actionsite"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\__RelayServer2]" "value"="http://{parameter "Relay2" of action}:52311/cgi-bin/bfgather.exe/actionsite"

delete __appendfile

appendfile net stop besclient

appendfile rd "{pathname of parent folder of regapp "besclient.exe" & "\__BESData"}" /Q /S

appendfile net start besclient

copy __appendfile C:\restart.bat

run C:\restart.bat

<–action script -->

(imported comment written by BenKus)

Hey Rad,

Did you make a custom copy of the Task? If so, you moved it out of the “BES Support” site and so it is probably failing to run besclientsetup.exe because it isn’t in the local path.

Change this line:

dos besclientsetup.exe masthead.afxm

to

dos "{pathname of client folder of site "BESSupport"}\besclientsetup.exe" masthead.afxm

See if that works.

Ben
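
A post-switch check for the two failure modes discussed in this thread (relay settings wiped by the client reset, and GatherUrl left pointing at the old server), as an added example that is not part of any post above. The host names are placeholders, and the Wow6432Node fallback assumes a 32-bit client on 64-bit Windows.

```powershell
# Added example: verify BES Client registry state after a masthead switch.
# The default host names below are placeholders (assumptions), not values from the thread.
param(
    [string]$ExpectedServerHost    = 'newserver.example',
    [string[]]$ExpectedRelayHosts  = @('relay1.example', 'relay2.example')
)

# The thread uses the native key; a 32-bit client on 64-bit Windows is redirected to Wow6432Node.
$base = 'HKLM:\SOFTWARE\BigFix\EnterpriseClient',
        'HKLM:\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient' |
        Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) { throw 'BES Client registry key not found' }

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# Failure mode 1: besclientsetup.exe never ran, so GatherUrl still names the old server.
$gather = Get-RegValue "$base\GlobalOptions" 'GatherUrl'
$results += [pscustomobject]@{
    Check  = 'GatherUrl points at the new server'
    Value  = $gather
    Passed = [bool]$gather -and (([uri]$gather).Host -eq $ExpectedServerHost)
}

# Failure mode 2: the reset wiped the manual relay settings.
foreach ($n in 1, 2) {
    $name  = "__RelayServer$n"
    $relay = Get-RegValue "$base\Settings\Client\$name" 'value'
    $results += [pscustomobject]@{
        Check  = "$name survived the reset"
        Value  = $relay
        Passed = [bool]$relay -and ($ExpectedRelayHosts -contains ([uri]$relay).Host)
    }
}

# ComputerID is deleted by the action; it reappears once the client has registered again.
$id = Get-RegValue "$base\GlobalOptions" 'ComputerID'
$results += [pscustomobject]@{
    Check = 'ComputerID reissued after registration'; Value = $id; Passed = ($null -ne $id)
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

Run it on the endpoint after the client has restarted and had time to register; a non-zero exit code means at least one check failed.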