Synchronization with BigFix Server

I have a BigFix server/console on Windows 2008 Server running under a VMware guest. I don’t seem to be having issues getting BigFix clients on Windows systems to synch and communicate with it. I do seem to be having an issue with a RHEL 7 system where I have installed a BigFix client. I can ping the IP addresses successfully from each to the other. However, my BigFix log appears to indicate a synch failure and indicates that in the URL it is for some reason replacing the hostname or IP address of my BigFix server with the loopback adapter 127.0.0.1. I’m not a networking expert, but I’m sensing that this is where the problem lies because it is not getting out of the RHEL environment due to the loopback.

Anyone ever face this issue or have any suggestions on how to deal with it?

Is the RHEL server running a local firewall? I’ve seen similar behaviors before, and most of them are because the OS firewall is enabled and it’s blocking the communication with the relay/BES.

Yes, it does run the firewall that comes with RHEL. I AM able to ping my BigFix server from this RHEL environment. Wouldn’t the firewall prevent that also? Do you happen to know where I can find documentation on what exactly must be set up in the firewall of a BigFix client/agent? Or do you happen to have specific knowledge of what must be set up?

Take a look at this link:

http://www-01.ibm.com/support/docview.wss?uid=swg21505811

If you want to understand the complete network flow of BigFix environment, I highly recommend reading the following:

https://www.ibm.com/developerworks/community/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/Network%20Traffic%20Guide

Check if the 52311 (Bi-directional) port is opened from source to destination server.

This port is open on the destination (BigFix server) side. Does it need to be open on the client/agent side also?

Yes, the port also needs to be opened from the client side.

Is the Red Hat system running a Relay as well, or only the client? If this host is a Relay that would explain the loopback addresses in the log file.

52311/tcp should be opened bidirectional between relays and the server, but is only needed outbound from the client to the relay or root server. 52311/udp inbound on the client from the relay/server is not required, but is very helpful for getting faster notifications of new content or actions (if the udp inbound cannot be enabled, look up the topics on “Command Polling” here in the forum.)
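
An added example, not part of the original thread: a firewalld sketch for a plain client (no relay) that opens only 52311/udp inbound, and only in the zone bound to the interface facing the relay or server, rather than in every zone. The function names, the `FWCMD` variable and the interface name are hypothetical; it assumes firewalld's default behaviour of not filtering outbound traffic, so outbound 52311/tcp needs no rule.

```shell
#!/bin/sh
# Added example (not from the thread): open the BigFix notification port on a
# firewalld-managed client, in one zone only.
# Assumption: outbound 52311/tcp is not filtered by firewalld by default.

FWCMD=${FWCMD:-firewall-cmd}   # overridable so the logic can be exercised without firewalld
BIGFIX_PORT="52311/udp"

# Print the zone that filters traffic arriving on interface $1.
# An interface with no explicit zone binding falls back to the default zone.
zone_for_interface() {
    zfi_zone=$($FWCMD --get-zone-of-interface="$1" 2>/dev/null) || zfi_zone=""
    if [ -z "$zfi_zone" ] || [ "$zfi_zone" = "no zone" ]; then
        zfi_zone=$($FWCMD --get-default-zone)
    fi
    printf '%s\n' "$zfi_zone"
}

# Add 52311/udp to the permanent configuration of the zone for interface $1,
# unless it is already there, then reload so the running firewall picks it up.
open_bigfix_client_udp() {
    obc_zone=$(zone_for_interface "$1")
    if $FWCMD --permanent --zone="$obc_zone" --query-port="$BIGFIX_PORT" >/dev/null 2>&1; then
        echo "$obc_zone: $BIGFIX_PORT already open"
        return 0
    fi
    $FWCMD --permanent --zone="$obc_zone" --add-port="$BIGFIX_PORT" >/dev/null || return 1
    # --permanent only edits the saved configuration; --reload applies it.
    $FWCMD --reload >/dev/null || return 1
    echo "$obc_zone: added $BIGFIX_PORT"
}

# Usage as root: ./script.sh --apply <interface>
if [ "${1:-}" = "--apply" ]; then
    open_bigfix_client_udp "${2:?interface name required}"
fi
```

Afterwards, `firewall-cmd --zone=<zone> --list-ports` shows whether the port is present in the running configuration.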

No relay. Can anyone possibly provide instructions on how to enable 52311 from the firewall that comes with RHEL? It’s not as simple as the Windows firewalls I’m used to dealing with. I have 52311 enabled for what is called on the machine the “public zone”. But there are a whole host of other “zones” on the firewall.

Here is a copy of the log file from the RHEL client:

Current Date: July 18, 2017
Client version 9.5.5.196 built for RedHat 6 x86_64 running on sysname:Linux release:3.10.0-327.el7.x86_64 arch:x86_64
Current Balance Settings: Use CPU: True Entitlement: 0 WorkIdle: 10 SleepIdle: 480
Locale: LC_ALL="" LC_CTYPE="" LC_MESSAGES="" LANG="en_US.UTF-8"
ICU 54.1 init status: SUCCESS
Agent internal character set: UTF-8
ICU report character set: UTF-8 - Transcoding Disabled
ICU fxf character set: windows-1252 (Latin 1 / Western European) - Transcoding Enabled
ICU local character set: UTF-8 - Transcoding Disabled
At 14:13:23 -0400 -
Unrestricted mode
At 14:13:24 -0400 -
Configuring listener without wake-on-lan
Registered with url 'https://127.0.0.1:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=RegisterMe60&ClientVersion=9.5.5.196&Body=1090754&SequenceNumber=49097&MinRelayVersion=7.1.1.0&CanHandleMVPings=1&Root=http://WIN-OVKOHD3HPQQ%3A52311&AdapterInfo=08-94-ef-06-db-48_10.100.0.0%2F16_10.100.100.100_0&AdapterInfo=52-54-00-c4-c1-9f_192.168.122.0%2F24_192.168.122.1_0&AdapterIpv6=08-94-ef-06-db-48^fe80%3A%3A6c2c%3A4cab%3Adeed%3A273%2F64_0
Registration Server version 9.2.8.74 , Relay version 9.2.8.74
Relay does not require authentication.
Failed automatic client authentication key exchange with server message: There’s already a public key associated with that id

Are you using the same masthead of the original installation of your BigFix Server?
It’s also possible the file got corrupted when moving to the server.