Relays in DMZ
Starting from Patch 13, the capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
In an environment where a relay in DMZ reports to a parent relay within its intranet network, it can be assumed that all communications between intranet and DMZ pass through a firewall that does not allow any upstream communication. In this case, any attempt for the child relay in the DMZ to initiate communication with its parent relay will fail.
This restriction is overcome by establishing a persistent TCP connection between the parent relay and its child relay inside the DMZ. The persistent connection is always initiated by the parent relay. The communication cannot be initiated by the child relay due to network restrictions.
Overview
The following picture displays the persistent TCP connection established between parent relay and child relay:
- In green: The persistent TCP connection established between the parent relay located in the more secure zone and the child relay located in the demilitarized zone.
- In yellow and black: The line of the demilitarized zone (DMZ network).
Enabling persistent connections on both parent and child relay
On a child relay where the BigFix client was not registered on the BigFix server yet
- Log in to the BigFix Console.
- Run the
Relays in DMZ: Enable Parent Relay and set Child Relay List
Fixlet on the parent relay computer:Note: Before running the Fixlet, you must specify in the text field of the Description tab the list of child relays allowed. - Manually install the BigFix client on the child computer. For more details, see Installing the client manually.
- Manually install the BigFix relay on
the child computer by downloading the appropriate package depending on your operating system from
the following web site: http://support.bigfix.com/bes/release/Note: In a typical scenario, run the Fixlet first on the parent relay and then manually configure the child relay.
- On the child computer, ensure that the client and relay processes are stopped.
- On a Windows child relay, add the
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\_BESRelay_DMZ_ChildEnable
key to the Windows registry and set its string REG_SZ value to 1. - On a Linux child relay, if the besclient.config file does not already exist, make a copy of the
file named besclient.config.default located in the /var/opt/BESClient/ directory and rename it into
besclient.config. Manually edit the besclient.config by adding the following new
section:
[Software\BigFix\EnterpriseClient\Settings\Client\_BESRelay_DMZ_ChildEnable] value = 1
- Restart first the relay process.
- At least one minute after restarting the relay process, restart the client process.
On a child relay where the BigFix client was already registered on the BigFix server
- Log in to the BigFix Console.
- Run the
Relays in DMZ: Enable Parent Relay and set Child Relay List
Fixlet on the parent relay computer:Note: Before running the Fixlet, you must specify in the text field of the Description tab the list of child relays allowed. - Run the
Relays in DMZ: Enable Child Relay
Fixlet on the child relay computer:Note: In a typical scenario, run the Fixlet first on the parent relay and then on the child relay. - Both Fixlets will restart the relay process.
Establishing a persistent connection
The parent relay will try to open a socket to the child relay at port 52311.
The child relay can "grab" the socket used by the parent to communicate with it and keep it alive by sending ping messages periodically. At the same time, the child relay will start to listen on a different port such as 52312 only on its loopback address, this will be used to forward all the traffic through the socket opened by the parent that was previously grabbed.
All requests coming to the child relay that must be propagated upstream (for example during the registration of a client below the child relay or for reporting purposes) will be internally routed to the loopback address to be sent to the parent relay within the intranet.
Communicating on the persistent connection
To achieve the requirement, the parent relay initiates a communication with its own child relay and keeps the connection standing and persistent to, later on, use it from the child relay to the parent relay when upstream communication is needed by the child relay.
Managing persistent connections
You can manage the Relays in DMZ persistent connections by configuring a few settings. For details, see Relays in DMZ.