Authenticating relays
BigFix deployments with internet-facing relays that are not configured as authenticating are exposed to security threats. In this context, a security threat means unauthorized access to the relays and to any content, actions, or download packages associated with them, or to the Relay Diagnostics page, which might contain sensitive information (for example, software, vulnerability information, and passwords).
You can configure relays as authenticating so that they authenticate the agents. This way, only trusted agents can gather site content or post reports. Use an authenticating relay configuration for internet-facing relays in the DMZ. A relay configured to authenticate agents only performs TLS communication with child agents or relays that present a TLS certificate issued and signed by the server during a key exchange.
How to enable relay authentication
- On the BES Support website, find the BES Client Settings: Enable Relay authentication Fixlet.
- Run the Fixlet and wait for the action to finish.
Alternatively, enable relay authentication through the _BESRelay_Comm_Authenticating configuration setting. The default value of the setting is 0, which indicates that relay authentication is disabled; to enable authentication, set the value to 1. For more details, see Authentication. These settings must not be set on the BigFix root servers.
By default, every client re-registers with its parent relay once every six hours. Existing clients cannot send reports until they re-register themselves with the relay.