Persistent connections
The capability to establish persistent connections was added to the product.
Clients behind firewall or NAT
Firewalls or NAT might prevent the BigFix Query function from working properly because the UDP notification, with which a parent relay delivers the query to the child clients, cannot usually reach the clients. Unlike other product functions, the BigFix Query cannot take advantage of client polling to overcome this restriction in the downstream communications.
This restriction is overcome by establishing a persistent TCP connection between the parent relay and at least one of its child clients. The persistent connection, which is always initiated by the client, is used by the relay to send UDP notifications to all clients in the same subnet as the persistently connected client (PCC).
Overview
The following picture displays the persistent TCP connection established between client and relay, and the UDP notifications sent from the PCC to other clients of the same subnet:
Enabling persistent connections on the relay
- Log in as a master operator to the BigFix Console.
- Locate and right-click the relay computer. Select Edit Computer Settings...
- Add the following setting to the computer:
_BESRelay_PersistentConnection_Enabled = 1
- Restart the relay process for the setting to become effective.
Enabling persistent connections on the client
- Log in as a master operator to the BigFix Console.
- Locate and right-click the client computer. Select Edit Computer Settings...
- Add the following setting to the computer:
_BESClient_PersistentConnection_Enabled = 1
Establishing a persistent connection
After being enabled, a persistent TCP connection between a client and its parent relay is normally established at the next registration of the client.
When the next registration occurs, the relay on which the client is registering checks whether the client is eligible to open a persistent connection, based on the overall number of persistent connections that the relay is already handling and on how they are partitioned by subnet. If the client is eligible, the relay notifies it accordingly. The client then waits 60 seconds; if no test UDP notification from the relay arrives within that interval, it opens the persistent connection.
If the client fails to establish the persistent connection, it retries after 3 minutes, up to a maximum of 4 attempts in total.
The persistent connection may be closed and established again each time the client performs a new registration, provided that all prerequisites are still satisfied. It might also terminate when either the client or the relay restarts or shuts down.
Communicating on the persistent connection
Directly:
If the relay must send a UDP notification to a persistently connected client (PCC), it uses the persistent connection to send it directly to the target client.
Served by another client of the same subnet:
If the relay must send a UDP notification to a client in a subnet served by a PCC, the relay sends the notification together with the target client information (hostname/IP address stored during the registration phase) to the PCC. The PCC reads the notification and sends it through UDP to the target client. The target client processes the notification normally and sends its reply directly to the relay, as usual. If more than one PCC in the same subnet can serve the client, the relay sends the notification to one PCC only, not to all available PCCs.
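The eligibility check at registration, the client's 60-second wait and 3-minute retry schedule, and the three delivery paths (direct, via a PCC, plain UDP) can be modelled in a few lines. The following is an added illustrative model, not BigFix code: the per-relay and per-subnet caps (`max_total`, `max_per_subnet`) and the choice of the first PCC in a subnet are assumptions, since the page does not state how the relay limits or selects PCCs.

```python
from dataclasses import dataclass


@dataclass
class Client:
    hostname: str
    ip: str
    subnet: str


class Relay:
    """Tracks registered clients and which of them hold a persistent connection."""

    def __init__(self, max_total=3, max_per_subnet=2):
        self.max_total = max_total            # assumed cap on PCCs per relay
        self.max_per_subnet = max_per_subnet  # assumed cap on PCCs per subnet
        self.registered = {}                  # hostname -> Client
        self.pccs = {}                        # subnet -> [PCC hostnames]

    def total_pccs(self):
        return sum(len(v) for v in self.pccs.values())

    def register(self, client):
        """Registration: store the client's address and decide PCC eligibility."""
        self.registered[client.hostname] = client
        in_subnet = len(self.pccs.get(client.subnet, []))
        return self.total_pccs() < self.max_total and in_subnet < self.max_per_subnet

    def accept_persistent(self, hostname):
        """Called when the client actually opens the TCP connection to the relay."""
        client = self.registered[hostname]
        self.pccs.setdefault(client.subnet, []).append(hostname)

    def route_notification(self, hostname):
        """Choose how a UDP notification reaches the target client."""
        target = self.registered[hostname]
        pccs = self.pccs.get(target.subnet, [])
        if not pccs:
            return ("udp", target.ip)              # no PCC: plain UDP, may be blocked
        if hostname in pccs:
            return ("persistent", hostname)        # target is itself a PCC
        return ("via_pcc", pccs[0], target.ip)     # one PCC forwards it over UDP


def client_connect_schedule(test_udp_received, failures_before_success):
    """Client side: wait 60 s for the relay's test UDP; if none arrives, open the
    connection, retrying 3 minutes after each failure, 4 attempts in total.
    Returns (connected, attempt_times_in_seconds)."""
    if test_udp_received:
        return (False, [])                         # UDP already reaches the client
    times = []
    for attempt in range(4):
        times.append(60 + attempt * 180)
        if attempt >= failures_before_success:
            return (True, times)
    return (False, times)
```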
Managing persistent connections
You can manage persistent connections by configuring a few settings. For details, see Persistent TCP connections.