TEM deployment customized for roaming laptops

(imported topic written by EspenD)

We have a standard TEM-deployment being used mainly for servers in our datacenters and client PCs in customer LANs. (Communication via default port 52311 etc). It works well, and has been an extremely reliable service since we introduced it back in 2008.

We are now considering a completely separate TEM installation primarily for roaming laptops. Planned basic changes from a standard installation are:

  1. Changing the default port to 80 or 443 for communication with agents (avoiding opening port 52311)

  2. Reduce the client default polling interval from 24 hours to 30 mins (avoiding requirement to open incoming ports in fw)

  3. Use Message Level Encryption (to secure the content of messages being passed via Internet)

It would be very interesting to get some comments and suggestions on this. (I realize we lose the concept of easy deployment of relays because of possible conflict with webservers).

(imported comment written by SystemAdmin)

EspenD wrote:

We are now considering a completely separate TEM installation primarily for roaming laptops. Planned basic changes from a standard installation are:

  1. Changing the default port to 80 or 443 for communication with agents (avoiding opening port 52311)
  2. Reduce the client default polling interval from 24 hours to 30 mins (avoiding requirement to open incoming ports in fw)
  3. Use Message Level Encryption (to secure the content of messages being passed via Internet)

  1. In theory it should be possible to use TCP 80 for communication between the TEM Clients and TEM Server/Relay. However, I have seen mixed results from some customers when this was attempted.

Observation and Question: TCP 80 is one of the most hack-attempted ports. So why not open TCP 52311 as it is definitely a non-standard TCP port?

  2. Instead of changing the default polling interval, have you considered using the Command Polling client settings? Check out Legacy Communities - IBM TechXchange Community and look for the _BESClient_Comm_CommandPollEnable and _BESClient_Comm_CommandPollIntervalSeconds settings.

(imported comment written by EspenD)

Thank you for your comments!

  1. The main reason I would like to use port 80 or 443 is that a roaming laptop user some of the time will be connected via a FW I have no way to control (guest networks, hotels etc.)

  2. Yes that was what I meant by “reduce the client polling interval”.

Best regards,

Espen

(imported comment written by SystemAdmin)

There are a few things to be concerned with regarding your plan.

  1. Our services will work on any ports you’d like to specify as long as it’s not currently being used. We try to avoid port 80 and 443 due to web servers and the assumption of http functionality. Others may have additional details on why you should avoid these ports.

  2. This is one of the recommended things to change when sending endpoints to the internet. In the BES Support site task #688 is the task you’d use to change this. I’d recommend setting the command polling value to 60min or greater. Setting anything lower than 20min will cause performance issues and is not recommended. See http://www-01.ibm.com/support/docview.wss?uid=swg21505846 for additional info on this.

  3. Message Level Encryption relates to content being passed from endpoints->relays->root server. It does not encrypt the content going downstream, i.e. root server->relays->endpoints. Therefore you should be aware that anybody will be able to access the content of your deployment. For example this (http://bigfix.me:52311/cgi-bin/bfgather.exe/CustomSite_BigFix_Dashboard) is from my personal lab DMZ server. Drilling down you will eventually find the code for fixlets within that site. So be sure to follow best practices when it comes to passwords and the like.
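Because the downstream site content is readable by anyone who can reach the relay, a pre-publish check for embedded credentials is the practical follow-up to point 3. The script below is an added example (not from this thread or from IBM/BigFix): it parses a constructed BES Fixlet/Task export and flags action scripts or relevance that carry password-like material. The XML sample and the `find_exposed_secrets` function are my own constructions; the regexes are deliberately conservative heuristics, not a complete secret detector.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample BES export. The first Fixlet embeds a service-account
# password in its action script; the Task only turns on command polling
# (the setting names discussed in this thread) and carries no secret.
SAMPLE_BES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="BES.xsd">
  <Fixlet>
    <Title>Map the backup share</Title>
    <Relevance>windows of operating system</Relevance>
    <DefaultAction ID="Action1">
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
waithidden net use Z: \\\\backup01\\share /user:CORP\\svc_backup Summer2013!
      </ActionScript>
    </DefaultAction>
  </Fixlet>
  <Task>
    <Title>Enable command polling</Title>
    <Relevance>true</Relevance>
    <DefaultAction ID="Action1">
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
setting "_BESClient_Comm_CommandPollEnable"="1" on "{parameter "action issue date" of action}" for client
setting "_BESClient_Comm_CommandPollIntervalSeconds"="3600" on "{parameter "action issue date" of action}" for client
      </ActionScript>
    </DefaultAction>
  </Task>
</BES>
"""

# Heuristic patterns for credentials that commonly end up in action scripts.
SECRET_PATTERNS = [
    # "net use ... /user:DOMAIN\\name <password>": a second token after /user:
    ("windows-credential", re.compile(r"/user:\S+\s+(?!/)\S+", re.I)),
    ("password-assignment", re.compile(r"(passw(or)?d|pwd|secret|token)\s*[=:]\s*\S+", re.I)),
    # http://user:pass@host style URLs
    ("basic-auth-url", re.compile(r"[a-z]+://[^/\s:]+:[^@\s]+@", re.I)),
]


def find_exposed_secrets(bes_xml: str) -> list:
    """Return (title, element tag, pattern name) for every suspicious match."""
    hits = []
    for item in ET.fromstring(bes_xml):  # each <Fixlet>, <Task>, ... child of <BES>
        title = item.findtext("Title", default="(untitled)")
        for elem in item.iter():
            if elem.tag not in ("ActionScript", "Relevance") or not elem.text:
                continue
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(elem.text):
                    hits.append((title, elem.tag, name))
    return hits


if __name__ == "__main__":
    for title, tag, name in find_exposed_secrets(SAMPLE_BES_XML):
        print(f"{title}: {tag} matches {name}")
```

Run it over an exported `.bes` file before importing the content into a site that internet-facing relays will serve.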

(imported comment written by EspenD)

Thank you for your reply!

  1. I understand that using port 80 or 443 would complicate selecting the right relays within a BigFix-framework. I think however that the use of relays would be of limited use anyway to roaming users - they will by default be “on their own”. (For a corporate network, WAN - and many other use cases - relays are of great value).

We (the service provider) would need to have a few dedicated and powerful relays in our own DMZ, but these would probably be handling the endpoints directly.

If I could decide how this should work I would have 52311 as the primary default port, but switching to 80 when 52311 is not available. Like Primary and secondary relay AND ports.

  2. ok, thanks. One observation, when notifications/UDP doesn’t work: If a user calls in about something and expects something to happen on their laptop shortly after the call, even 5 minutes is too long to wait. I have seen some solutions checking in every 30 or 90 seconds, but they do not scale well.

I have been thinking of having a local application simply restarting the BES-service when told to do so by the user. This functionality may already be in there hiding somewhere :slight_smile:

How would IBM go about doing this should they decide to offer TEM/BigFix as a Cloud service? I have seen other Enterprise-solutions using non standard ports for good reasons, but they do tend to change them to 80/443 when being “Cloud”-services to avoid implementation hassles.

Or maybe this isn’t a problem at all, and port 52311 TCP outgoing would normally be open in most networks by default? (Maybe we just had some bad luck?)

Kind Regards,

Espen Dahl

(imported comment written by SystemAdmin)

EspenD wrote:

(…snip)

If I could decide how this should work I would have 52311 as the primary default port, but switching to 80 when 52311 is not available. Like Primary and secondary relay AND ports.

I do not believe it is possible to “switch” the TCP/UDP port of an Endpoint Manager server/relay at run time. The relays determine on which TCP port to listen based on the masthead file of the deployment, and the clients determine which TCP port to use when they “phone home” based on the masthead too. So the TCP port selected during the installation will be for the whole deployment, not dynamic at runtime.

How would IBM go about doing this should they decide to offer TEM/BigFix as a Cloud service? I have seen other Enterprise-solutions using non standard ports for good reasons, but they do tend to change them to 80/443 when being “Cloud”-services to avoid implementation hassles.

The current technological implementation does not really support using Endpoint Manager in a cluster/cloud environment.

Or maybe this isn’t a problem at all, and port 52311 TCP outgoing would normally be open in most networks by default? (Maybe we just had some bad luck?)

Most home WiFi routers allow all outbound connections to occur without any problems. It is those environments that proxy everything (e.g., corporate guest networks) where we usually encounter challenges.

(imported comment written by EspenD)

I tried to reinstall the TEM-server in my lab at home (Win 2008R2 and TEM 8.2). The TEM-installer wouldn’t accept any server port below 1024. Maybe it could be changed later, but the installer refused to proceed.

(imported comment written by PeterLoer)

Hi Espen,

I’ll send you an email with details on how to get around that restriction.

cheers,

peter

(imported comment written by SystemAdmin)

PeterLoer wrote:

(…snip)

I’ll send you an email with details on how to get around that restriction.

Peter, it would be good to send this information to the internal tech list so that everyone has this information in their bag o’ tricks.

  • Chris

(imported comment written by SystemAdmin)

Okay, I see that you anticipated my request and already did so.

Thanks!

(imported comment written by EspenD)

Great, that worked. Thank you!

Best regards,

Espen

(imported comment written by SystemAdmin)

EspenD wrote:

  1. Use Message Level Encryption (to secure the content of messages being passed via Internet)

Message Level Encryption (MLE) does incur additional overhead as the TEM Server/Relay will need to decrypt all incoming messages. Have you looked at the TEM Server System requirements to spec. out appropriate hardware? Check out http://www-01.ibm.com/support/docview.wss?uid=swg21505691 and go to the bottom of the article.