UDP Random Ports for BESClient - other than port 52311 - Does anyone know why

I am showing random UDP ports for BESClient.exe other than port 52311. I even turned off UDP using the setting below, and I still have this issue on both Windows and Linux. Does anyone know why, and if there is a way to shut that off?

BESClient_Comm_ListenEnable

When set to 0 the TEM Client will not listen for UDP messages. If the TEM Client does not receive UDP messages it will not receive gather pings sent from the TEM Server notifying the TEM Client of new actions and content.

The log should indicate that it isn’t using the 52311 port anymore when you turn it off. Other ports may be used (DNS etc) but the agent doesn’t actively open a port for listening.

What is your monitoring showing?

When I run netstat -anob, I see on the BigFix server: UDP 127.0.0.1:49632 BESClient.exe. Port 52311 is not showing, as I have turned this off with the client setting command.

I am looking at Wireshark and I see on an endpoint UDP from the BigFix server on port 53046 to 52311.

So making this setting is not going to stop the server from trying to message the client; it just stops the client from listening.


That is true. However, I have a customer that has many endpoints, and I set the setting to not listen on the UDP port on those endpoints, and yet many of them are listening on 127.0.0.1:60701, 49632, etc. It is only on address 127.0.0.1 and no other, such as 0.0.0.0 or IPv4.

Those are ephemeral ports, and it could be for multiple reasons (DNS or other functionality within the client).


Thanks for the explanation. After reviewing ephemeral ports, it makes sense.

So why are you trying to stop the client from listening to UDP?

This particular customer has a secure network with 4 layers of firewalls; they thought that UDP was allowed at the lower layers, but in testing it was not. So we went to command polling, which solved the communications latency. The reason for trying to remove the UDP BESClient.exe listening port was that there is a list of approved service, port and protocol entries for compliance.compare to which we had to add this random UDP port range. The list is one line per port, so it is quite long, over 100,000 lines and growing.

There are only 65,535 UDP ports in existence so if your listing is over 100,000 lines you have a problem.

Do you understand that every connection has both a source port and a destination port?

The BES Server/Relay will send UDP messages from an incrementing ephemeral source port on the server/relay, to a destination of port 52311 at the client. Generally when building firewall rules you need only specify the destination port.

For instance, to allow DNS traffic, you’d only add rules for udp/53 and tcp/53 - the DNS destination port - not separate listings for the 16,000 or so source ports the clients may use when sending a query.

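To make the source-port versus destination-port point concrete, here is an added example (not code from the thread or from BigFix) that collapses constructed flow records into destination-port allow-list lines and labels the 127.0.0.1 sockets from a constructed, simplified netstat -an listing; the flow values, the 32768 threshold and the function names are my assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

EPHEMERAL_START = 32768  # Linux default low end; Windows/IANA dynamic range starts at 49152

class Flow(NamedTuple):
    proto: str
    src_port: int
    dst_port: int

def is_ephemeral(port: int) -> bool:
    """True for a port in the dynamic range, i.e. a per-connection source port."""
    return EPHEMERAL_START <= port <= 65535

def firewall_rules(flows: Iterable[Flow]) -> Dict[str, int]:
    """Collapse flows to 'proto/dst_port' allow-list lines; value = distinct source ports covered."""
    seen = defaultdict(set)
    for f in flows:
        seen[f"{f.proto}/{f.dst_port}"].add(f.src_port)
    return {rule: len(ports) for rule, ports in seen.items()}

def classify_listeners(netstat_text: str, service_ports=frozenset({52311})) -> Dict[str, str]:
    """Label netstat -an style local sockets; only a non-loopback bind on a known service port
    needs a perimeter rule (52311 itself lies inside the dynamic range, so range alone can't tell)."""
    line_re = re.compile(r"^\s*(UDP|TCP)\s+(\S+):(\d+)\s", re.M)
    out = {}
    for proto, ip, port in line_re.findall(netstat_text):
        key = f"{proto.lower()}:{ip}:{port}"
        if ip.startswith("127."):
            out[key] = "loopback-only"   # local IPC, never crosses the firewall
        elif int(port) in service_ports:
            out[key] = "service"         # the one line the allow-list needs
        elif is_ephemeral(int(port)):
            out[key] = "ephemeral"       # transient bind, e.g. a DNS query socket
        else:
            out[key] = "review"
    return out

# Constructed sample: 200 gather pings Server/Relay -> client from fresh ephemeral
# source ports, two DNS queries from the client, one TCP gather to the relay.
SAMPLE_FLOWS = [Flow("udp", 53046 + i, 52311) for i in range(200)]
SAMPLE_FLOWS += [Flow("udp", 49632, 53), Flow("udp", 60701, 53), Flow("tcp", 51000, 52311)]

# Constructed, simplified netstat -an output (proto and local address columns only).
NETSTAT_SAMPLE = """\
  UDP    0.0.0.0:52311      *:*
  UDP    127.0.0.1:49632    *:*
  UDP    127.0.0.1:60701    *:*
"""
```

The 200 distinct server-side source ports fold into the single line udp/52311, which is the entry the allow-list actually needs.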

Sorry I was not more specific: the services, ports and protocols are not just for BigFix; this includes all the other applications such as DNS and many others, and it is not just UDP but TCP as well. Yes, I understand source and destination communications; what I did not know was the ephemeral ports.