Manual key exchange
If an agent does not have a certificate and can reach only an authenticating relay on the network, connected through the internet, you can manually run the following command on the agent so that it can perform the key exchange with the authenticating relay:
BESClient -register <password> [http://<relay>:52311]
The client includes the password in its key exchange with the authenticating relay, which verifies it before forwarding the key exchange to its parent.

Another way to perform a manual registration to an authenticating relay is by setting a value to the client setting _BESClient_SecureRegistration. The value specifies the password needed to perform a manual registration to the authenticating relay. This setting is read only at client startup time. You can specify the relay in the clientsettings.cfg configuration file. For more information about this configuration file, see Windows Clients.
You can configure the password on the relay as:
- A single password in the client setting _BESRelay_Comm_KeyExchangePassword on the relay.
- A newline-delimited list of one-time passwords stored in a file named KeyExchangePasswords in the relay storage directory (value StoragePath of HKEY\SOFTWARE\WOW6432Node\BigFix\Enterprise Server\GlobalOptions).
Note: You can use only passwords that have ASCII characters and not passwords containing non-ASCII characters.
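The following added example (not part of the product documentation) shows one way to prepare the newline-delimited one-time password list while enforcing the ASCII-only rule from the note above. The function names are hypothetical, the storage directory is supplied by the operator, and the LF line endings, trailing newline, and the rejection of blank, whitespace-containing, and duplicate entries are assumptions rather than documented relay behavior.

```python
import os
import secrets
import string

# Letters and digits only, so every generated password is plain ASCII
# (the documentation's note rules out non-ASCII passwords).
ALPHABET = string.ascii_letters + string.digits
FILE_NAME = "KeyExchangePasswords"  # file name given in the documentation


def generate_passwords(count, length=24):
    """Return `count` distinct random passwords drawn from a CSPRNG."""
    seen = set()
    while len(seen) < count:
        seen.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(seen)


def validate_passwords(lines):
    """Return (line_number, problem) pairs for entries that are non-ASCII or
    look like mistakes (assumed checks: blank, whitespace, duplicate)."""
    problems, seen = [], set()
    for n, line in enumerate(lines, start=1):
        if not line:
            problems.append((n, "empty line"))
        elif not line.isascii():
            problems.append((n, "non-ASCII character"))
        elif any(c.isspace() for c in line):
            problems.append((n, "whitespace"))
        elif line in seen:
            problems.append((n, "duplicate"))
        seen.add(line)
    return problems


def write_password_file(storage_dir, passwords):
    """Write the list, one password per line, into storage_dir."""
    problems = validate_passwords(passwords)
    if problems:
        raise ValueError(f"invalid passwords: {problems}")
    path = os.path.join(storage_dir, FILE_NAME)
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(passwords) + "\n")  # assumed: LF, trailing newline
    return path


if __name__ == "__main__":
    # Constructed sample input: one valid entry, one non-ASCII, one duplicate.
    print(validate_passwords(["Abc123", "p\u00e4ss", "Abc123"]))
    print(generate_passwords(3))
```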