Upgrade problems in a firewalled environment

I run multiple Linux BigFix clients in a tightly firewalled environment.
My firewall admin has provided access to two Relay hosts, but not to the BigFix server itself.

When we received the last update, something happened to the besclient.config file on my servers. The info about the Relay hosts was lost. The client attempted to access the BigFix main server (which does not have the BigFix port opened for my clients), and appears to just “sit and spin” (continue to fail). Indicates that it is attempting to reach the BigFix console server, and has no info about the relay hosts.

I’ve manually edited the Relay info to put it back into prior configuration (when besclient was stopped), and appear to have these clients back in contact with relays (and showing in the BigFix console as back in contact with server… and a “ghost” of server still existing from prior version).

Can someone confirm that my clients must have access to BigFix console host, or that there may be an option missed when the “actionsite.afxm” file was created for my systems.

Thanks!

By default:
When the client is installed, it has no knowledge of the relay architecture and will default to contacting the BES Root Server (listed in the masthead file, actionsite.afxm). After contacting the root server and receiving the Master Action Site, it uses the newly-downloaded relays.dat file to locate a closer relay.

Non-default:
Reference the settings at https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Configuration%20Settings

You can precreate the besclient.config before installing the RPM on Linux, or create a setup.cfg file in the same directory as setup.exe for Windows clients. Any of the listed settings can be applied at that time. Some settings of interest:
_BESClient_RelaySelect_FailoverRelayList

  • A list of alternate relays to contact instead of contacting a Root Server. Useful at initial install, or when no relays are reachable via ICMP. Both Manual and Automatic Relay Select depend on the client being able to ping a relay. If the client cannot ping any relay, it would default to contacting the Root Server. This setting overrides that default, so the client contacts a specified list of Relays rather than the Root Server.

__RelayServer1
__RelayServer2

  • Specify Relays for the client to use at installation time. These should be reachable via ICMP and the BES port (default 52311/tcp).
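A post-upgrade check for the situation described in this thread, as an added example that is not part of the original posts or BigFix's own tooling: it compares a saved copy of besclient.config with the current one and reports relay settings that were lost or changed. The INI-style section layout, the relay URL form and the hostnames are assumptions or constructed sample data; only the three setting names come from the thread.

```python
import configparser

# Assumption: besclient.config is INI-style, with one section per client setting
# under this prefix and the setting's data in a "value" key. Verify on your host.
PREFIX = "Software\\BigFix\\EnterpriseClient\\Settings\\Client\\"
RELAY_SETTINGS = ("__RelayServer1", "__RelayServer2",
                  "_BESClient_RelaySelect_FailoverRelayList")

def relay_settings(config_text):
    """Return {setting: value} for relay settings that are present and non-empty."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    found = {}
    for section in cp.sections():
        name = section[len(PREFIX):] if section.startswith(PREFIX) else None
        value = cp[section].get("value", fallback="").strip()
        if name in RELAY_SETTINGS and value:
            found[name] = value
    return found

def relay_drift(before_text, after_text):
    """Compare pre- and post-upgrade configs; list relay settings lost or changed."""
    before, after = relay_settings(before_text), relay_settings(after_text)
    problems = []
    for name, old in sorted(before.items()):
        if name not in after:
            problems.append(f"{name}: lost (was {old})")
        elif after[name] != old:
            problems.append(f"{name}: changed {old} -> {after[name]}")
    if not after:
        problems.append("no relay configured: client will try the root server")
    return problems

# Constructed sample data (hostnames and URL form are placeholders).
BEFORE = r"""
[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer1]
value = http://relay1.example.com:52311/bfmirror/downloads/

[Software\BigFix\EnterpriseClient\Settings\Client\__RelayServer2]
value = http://relay2.example.com:52311/bfmirror/downloads/
"""
AFTER = r"""
[Software\BigFix\EnterpriseClient]
EnterpriseClientFolder = /opt/BESClient
"""

if __name__ == "__main__":
    for line in relay_drift(BEFORE, AFTER):
        print(line)
```

In practice, pass the text of a copy of besclient.config taken before the upgrade and the text of the file after it.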