Relay Health
Relay Best Practices
BigFix Relays play an important function in your deployment and maintaining proper health will prevent unnecessary issues from occurring. BigFix Relays aggregate gathering and downloading of content as well as report posting. Carefully review this document to ensure you are properly configuring your deployment's Relays.
More information on BigFix Relays can be found in Managing relays.
- Ensure all internet-facing Relays are not allowing unsecured access (HTTP) from anyone
- Ensure all BigFix Clients are reporting to a Relay
- Ensure BigFix Clients are reporting to an intended nearby relay
- Ensure there are <5000 Clients reporting to any individual relay
- Ensure a minimal number of tiers in the relay hierarchy
- Use redundant relays or Peer-to-peer mode in parts of the network with slow WAN connections
Internet-facing BigFix Relays are properly secured
Description
Putting a BigFix Relay in the DMZ is the proper way to manage laptops even when they are outside the corporate network, but additional security considerations should be made when doing so. Ensure Internet-facing BigFix Relays are configured as Authenticating relays and have the Relay Diagnostics page password-protected or disabled. This configuration prevents unauthorized access to the internet-facing Relay and to any of the download packages and content/actions on the Relay that may contain sensitive company information (e.g. software, vulnerability info, passwords, etc). When a Relay is authenticating, only your BigFix Clients can connect to it and they will use TLS (HTTPS) communication for all BigFix traffic. It also prevents unauthorized access to the Relay Diagnostics page, which may contain sensitive information.
How to Verify
In order to verify Relay Authentication, view Task: BES Client Setting: Enable Relay Authentication (ID #1297) in the BigFix Console. Any relays that are still relevant to this task are not authenticating. Deploy this task to any internet-facing Relays that are still applicable.
In order to verify Relay Diagnostics configuration, click the Computers node in the BigFix Console and view the Client Settings of any internet-facing relays to see if the appropriate Relay Diagnostics settings are set. Use the Edit Settings option to change values, as needed.
How to Troubleshoot Issues
Use Edit Settings and/or the Enable Relay Authentication task for each internet-facing Relay to adjust the configuration, as needed.
All BigFix Clients are using a BigFix Relay
Description
BigFix Clients must connect to either the BigFix Server or a BigFix Relay to gather the latest information about Fixlets and actions, download files, and post their information. In most deployments of BigFix, especially mid to large deployments, it is recommended that all the BigFix Clients use a BigFix Relay instead of using the BigFix Server. This tends to lead to better performance because the BigFix Clients can get the latest actions and download files faster and as a result, you see the BigFix Client action status update quickly. If some BigFix Clients are using the BigFix Server instead of a BigFix Relay, it is not necessarily a problem, but it is recommended that as few BigFix Clients report directly to the BigFix Server as possible to free up the BigFix Server for other tasks.
How to Verify
The easiest way to verify which BigFix Clients are using BigFix Relays is to use the Relay column in the BigFix Console. Look in the BigFix Console under the "Computers" tab. On the left, expand the "By Retrieved Properties" section and expand the "By Relay" filter (if you don't see the "By Relay" filter, right-click on the column headings and make sure "Relay" is checked). This will show you the breakdown of where the BigFix Clients are currently reporting. A healthy deployment will have very few computers reporting to the DNS name of the BigFix Server (except the BigFix Relays).
Note: The Primary BigFix Relay and Secondary BigFix Relay show which BigFix Relays the BigFix Clients are supposed to choose if they are set to manual relay selection and the "Relay" column shows which BigFix Relay the BigFix Client currently has selected.
How to Troubleshoot Issues
- The BigFix Clients are set to manual BigFix Relay selection and no BigFix Relay is currently set.
- The BigFix Clients cannot resolve the BigFix Relay's DNS name.
- The BigFix Clients cannot contact the BigFix Relay because of NATs or firewalls.
- The BigFix Relay is not working properly.
BigFix Clients are using a nearby BigFix Relay
Description
One of the primary benefits of BigFix Relays is that they can serve as "distribution points" for large files, such as patches or applications. This ability allows for greatly reduced network usage, especially across slow WAN pipes (the files are distributed to the BigFix Relay across the WAN and distributed from the BigFix Relay to the BigFix Clients locally). However, BigFix Clients must be properly set up to use the local BigFix Relay; otherwise, you will use more WAN bandwidth than necessary. You can set BigFix Clients to either automatically find their closest BigFix Relay based on network hops or manually select a BigFix Relay for BigFix Clients. In general, automatic BigFix Relay selection is suggested because it simplifies administration.
How to Verify
- The BigFix Clients will return the number of hops to the BigFix Relay that it is using (this will work only if the BigFix Client is using automatic relay selection). You can view these values in the BigFix Console or in a report to help determine if the BigFix Clients are choosing appropriate BigFix Relays. Look at the "Distance to BigFix Relay" retrieved property in your BigFix Console to view this information.
- Use the Task: BES Client Setting Relay Selection Controls (ID #154) to manage ICMP settings used for automatic relay selection.
- Using the BigFix Console or a report, you can view which BigFix Relays the BigFix Clients are using in each subnet or in each location. See Viewing which relay is assigned to a client. This will give you a good idea if any BigFix Clients are using the wrong BigFix Relays because the BigFix Clients in each location should usually all be using the same BigFix Relay(s). To view this information in the BigFix Console, filter "By Location" or "By Subnet" and then look at "By Relay" for each subnet/location to see the BigFix Relay distribution.
How to Troubleshoot Issues
- If the BigFix Clients are not using a particular BigFix Relay, try the suggestions listed at BigFix Clients not choosing their specified BigFix Relay.
- If the BigFix Clients are using automatic selection and you believe they are choosing the wrong BigFix Relay, you might want to do a "tracert" from the BigFix Client to the BigFix Relay because there might be additional network hops that you were not aware of.
- If it appears that only a few BigFix Clients that are using automatic selection are choosing a non-optimal BigFix Relay, you can prompt them to immediately choose a new BigFix Relay (by default they will attempt to find a better BigFix Relay every 6 hours) by sending them a custom action with the action command relay select.
There are fewer than 5000 BigFix Clients using any BigFix Relay
Description
One of the main benefits of BigFix Relays is that they act as distribution points for files so that the main BigFix Server does not have to provide the file to each BigFix Client, but if there are too many BigFix Clients pointing at any single BigFix Relay, the BigFix Relay will become swamped when an action is sent out (especially if the file is large). This will cause actions to take longer to deploy while the BigFix Clients are waiting to get the files from the BigFix Relays. In most deployments, an optimal number of BigFix Clients reporting to each BigFix Relay is around 1000. Using recommendations from the Capacity Planning Guide, Relays can support up to 5000 Clients. Relays will still function beyond these limits, but responsiveness of Clients reporting to such Relays will be impacted.
How to Verify
In the BigFix Console, expand the Computers node and expand the By Retrieved Properties > By Relay filter. This will list each BigFix Relay that is being used along with how many BigFix Clients are reporting to each BigFix Relay. Alternatively, look at the Relay Health Dashboard under Dashboards > By Site > BES Support.
How to Troubleshoot Issues
If you are using manual relay selection and there are too many BigFix Clients using a BigFix Relay, then you should assign some of your BigFix Clients to a different BigFix Relay to reduce the load. If too many BigFix Clients are using a BigFix Relay and they are set to automatic relay selection, then you can add a BigFix Relay to the same subnet as the other BigFix Relay and the BigFix Clients will automatically distribute themselves among all BigFix Relays at the same distance. Alternately, you can set BigFix Clients to manually point to a specific BigFix Relay, if necessary.
BigFix Relays all point to the BigFix Server or a top level relay
Description
In most deployments, especially smaller deployments, all BigFix Relays should be manually assigned to point directly back to the BigFix Server. Alternately, if there are many BigFix Relays, it is a good idea to have one or more BigFix Relays designated as "top level" BigFix Relays and have all the other BigFix Relays point directly to a top level BigFix Relay. Note that unless there is a compelling network bandwidth limitation, it is generally better to have as few levels in the BigFix Relay hierarchy as possible because each level introduces a little bit of latency for BigFix Client reporting. BigFix Relays should not use automatic BigFix Relay selection.
How to Verify
In the BigFix Console, click on the Computers tab and expand the By Retrieved Properties > By Relay Installed > Yes > By Relay filter. This will list the BigFix Relay that each of the BigFix Relays is using. Alternatively, look at the Relay Health Dashboard under Dashboards > By Site > BES Support to view the relay hierarchy.
How to Troubleshoot Issues
If the BigFix Relay hierarchy is not set properly, set the BigFix Relays to all manually point to a top level BigFix Relay or the main BigFix Server.
Redundant BigFix Relays are set up for slow WAN pipes
Description
Putting a BigFix Relay in each location with a slow WAN link is vital to save bandwidth; however, if the BigFix Relay computer is turned off, crashes, loses network connectivity, or for any reason is inaccessible, then the BigFix Clients will attempt to find their next closest BigFix Relay and if this occurs during an action push, you will potentially overwhelm the WAN pipe. One way to reduce the risk of this is to set up redundant BigFix Relays in each location that is connected over a slow WAN pipe. In this case, if one BigFix Relay goes down, the other local BigFix Relay will be used by the BigFix Clients. Alternatively, starting in BigFix 9.5.11, peer to peer mode can be used to allow BigFix clients to share downloads with each other without pulling directly from a Relay. In this configuration, if a Relay is not available or is turned off, one Client in the subnet will request the download from an upstream Relay and share it with other Clients on the subnet.
How to Verify
In order to verify this, you will need a subnet property or location property set up that will allow you to get an idea of the location of the BigFix Relays. You will also need to know which subnets/locations are connected through a slow pipe. With this information, you can open the BigFix Console, click on the Computers tab and expand the By Retrieved Properties > By Relay Installed > Yes > By Location/By Subnet filter. This will show how many BigFix Relays are in each location. In order to use peer to peer mode, see Working with PeerNest and configure the endpoints accordingly.
How to Troubleshoot Issues
You will need to add redundant BigFix Relays as necessary for each location. In the case of a very slow WAN connection, it is recommended to have at least one relay that is not shared by a user, and that would never be turned off. Use tasks "PeerNest: Enable Client" (ID #3664) and "PeerNest: Disable Client" (ID #3661) to enable/disable peer to peer mode on Clients, as needed.
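The verification steps above (clients reporting to a relay rather than the server, clients on a nearby relay, the 5000-client limit per relay, a shallow relay hierarchy, and redundant relays behind slow WAN links) are all done by hand in the Console. As an added example, not part of this page or of BigFix itself, the script below runs the same checks over a CSV export of the Computers list. The column layout, the computer names, the server name bes-server and the set of slow-WAN subnets are constructed assumptions.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample of a Console "Computers" export; not real deployment data.
SAMPLE_CSV = """computer,relay_installed,relay,subnet
bes-server,No,,10.0.0.0/24
relay-hq,Yes,bes-server,10.0.0.0/24
relay-branch1,Yes,relay-hq,10.1.0.0/24
relay-branch2,Yes,relay-branch1,10.2.0.0/24
pc-001,No,relay-hq,10.0.0.0/24
pc-002,No,bes-server,10.0.0.0/24
pc-003,No,relay-hq,10.0.0.0/24
pc-101,No,relay-branch1,10.1.0.0/24
pc-102,No,relay-branch1,10.1.0.0/24
pc-103,No,relay-hq,10.1.0.0/24
pc-201,No,relay-branch2,10.2.0.0/24
"""
SERVER = "bes-server"                              # hypothetical root server name
SLOW_WAN_SUBNETS = {"10.1.0.0/24", "10.2.0.0/24"}  # constructed: sites behind slow links

def relay_health(csv_text, max_per_relay=5000, max_tiers=2):
    """Return the relay-health findings the page's Console checks look for."""
    rows = list(csv.DictReader(csv_text.splitlines()))
    relays = {r["computer"]: r["relay"] for r in rows if r["relay_installed"] == "Yes"}
    clients = [r for r in rows if r["relay_installed"] == "No" and r["computer"] != SERVER]
    findings = {}
    # 1. clients bypassing the relay tier and reporting straight to the server
    findings["direct_to_server"] = [c["computer"] for c in clients if c["relay"] in ("", SERVER)]
    # 2. relays carrying more clients than the capacity limit (5000 by default)
    load = Counter(c["relay"] for c in clients)
    findings["overloaded"] = [r for r, n in load.items() if n > max_per_relay]
    # 3. relay tier depth: follow each relay's parent chain up to the server
    def depth(name):
        d, seen = 0, set()
        while name != SERVER and name in relays and name not in seen:
            seen.add(name)
            name, d = relays[name], d + 1
        return d
    findings["too_many_tiers"] = [r for r in relays if depth(r) > max_tiers]
    # 4. clients not on the relay most of their subnet uses (probably not nearby)
    by_subnet = defaultdict(Counter)
    for c in clients:
        by_subnet[c["subnet"]][c["relay"]] += 1
    findings["off_subnet_relay"] = [c["computer"] for c in clients
                                    if c["relay"] != by_subnet[c["subnet"]].most_common(1)[0][0]]
    # 5. slow-WAN subnets with no redundant (second) local relay
    relays_per_subnet = Counter(r["subnet"] for r in rows if r["computer"] in relays)
    findings["no_redundant_relay"] = sorted(s for s in SLOW_WAN_SUBNETS if relays_per_subnet[s] < 2)
    return findings
```

On the sample data this flags pc-002 (reporting straight to the server and off its subnet's relay), pc-103 (on a different relay than the rest of its subnet), relay-branch2 (three tiers deep) and both slow-WAN subnets (only one relay each).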