BES Relay Affiliation
Introduction
BES 7.0 introduces a new feature called BES Relay affiliation that is intended to provide a more sophisticated control system for automatic relay selection. The feature is very flexible and may be used in many different ways but the primary use case is to allow the BES infrastructure to be segmented into separate logical groups. A set of BES Clients and BES Relays can be put into the same affiliation group such that the BES Clients will only attempt to select the BES Relays in their affiliation group.
This article assumes you are familiar with the automatic relay selection process. The BES Relay affiliation feature is built on top of automatic relay selection, and you should understand that process before implementing BES Relay affiliation.
BES Relay affiliation only applies to the automatic relay selection process. The manual relay selection process is unaffected even if computers are put into BES Relay affiliation groups.
Creating BES Relay Affiliation Groups
BES Clients
BES Clients are assigned to one or more relay affiliation groups through the BES Client setting:
_BESClient_Register_Affiliation_SeekList
This BES Client setting should be set to a semi-colon (;) delimited list of relay affiliation groups.
Example: AsiaPacific;Americas;DMZ
BES Relays and BES Servers
BES Relays and BES Servers can be assigned to one or more relay affiliation groups through the BES Client setting:
_BESRelay_Register_Affiliation_AdvertisementList
This BES Client setting should also be set to a semi-colon (;) delimited list of relay affiliation groups.
Example: AsiaPacific;DMZ;*
Note: BES Relays and BES Servers do not need to be assigned a _BESClient_Register_Affiliation_SeekList. The SeekList is only used by the BES Client, and BES Clients on BES Relays are limited to manual relay selection.
BES Relay Affiliation List Information
There are no pre-defined relay affiliation group names; you are free to pick group names that are logical to your deployment of BES. You should not use special characters when picking names. Group names are not case sensitive, and leading and trailing whitespace is removed. The ordering of relay affiliation groups is important for the BES Client. The * symbol has a special meaning in a relay affiliation list: it represents the set of unaffiliated computers. Unaffiliated computers are BES Clients or BES Relays that either do not have any relay affiliation group assignments or have the * group in their list.
Technical Details
BES Client Behavior
Once a BES Client has been assigned a list of one or more relay affiliation groups, it will use these groups whenever automatic relay selection is performed. The BES Client will run the full automatic relay selection process for each relay affiliation group it is a member of, in the order that the groups appear in the relay affiliation group list. For example, if the BES Client is assigned to AsiaPacific;Americas;DMZ, the BES Client would run the full automatic relay selection process against all BES Relays in the AsiaPacific group, then restart the automatic relay selection process and run it against all BES Relays in the Americas group, and finally reset and try again for the DMZ group. If the BES Client is unable to find any BES Relay in this process, it will consider the automatic relay selection process a failure and follow its failover process. During failover it tries the assigned failover BES Relays, and if those fail it gives up until it reaches its relay selection retry interval.
If no relay affiliation groups have been assigned to the BES Client, it will select from BES Relays that also have no assignment and BES Relays that have been assigned to the * group. Similarly, if the * group is assigned to the BES Client, it will attempt to find BES Relays in the unaffiliated group. The * group assignment would be used on BES Clients when you want to set up a priority system where the BES Client first tries to find BES Relays in specific relay affiliation groups prior to trying a larger bank of unassigned BES Relays. An example relay affiliation list would look like AsiaPacific;DMZ;*.
Pre-7.0 BES Clients will attempt to autoselect to all BES Relays in the unaffiliated group (BES Relays without any affiliation assignment and BES Relays assigned to the * group). The BES Client log contains details about the BES Relay affiliation process and can be used for troubleshooting.
BES Relay Behavior
BES Relays themselves do not use automatic relay selection when deciding which parent BES Relay or BES Server to use so the BES Relay affiliation process does not apply when BES Relays pick their parent. BES Relays will use the standard manual relay selection and failover behavior.
However, BES Relays do need to be assigned to belong to a BES Relay affiliation group in order for BES Clients in that group to autoselect to the BES Relay. BES Relays can belong to multiple affiliation groups but the ordering does not matter like it does for the BES Clients.
If you assign a BES Relay an affiliation group list without a * member, that will hide the BES Relay from all 7.0 BES Clients except the BES Clients with the corresponding affiliation groups. If you assign a BES Relay to the * group, it may be selected by BES Clients without any affiliation groups and BES Clients that are in the * group.
After a BES Relay is assigned to a new affiliation group, an additional action must be taken by a master BES Console operator before BES Clients will be aware of the assignment. This can be a blank action. The BES Console creates a file called Relays.dat, which contains the BES Relays and their affiliation groups that the BES Clients use during automatic relay selection. The Relays.dat file is not updated until the BES Relay reports that it is a member of the relay affiliation group and an action is taken by the master BES Console operator.
Example BES Relay Affiliation
Please refer to the BES Relay Affiliation diagram above. In this example, Workstation and Server computers are separated by geographical regions (Americas and AsiaPacific) and will only select the BES Relay in their region.
Laptops on the other hand could move between these geographical regions or they could connect over a VPN to a BES Relay in the DMZ. To accommodate these mobile computers, they are put into a DMZ affiliation group so they will attempt to find the DMZ BES Relay when connecting over a VPN. They are also put into the unaffiliated group (the * group) so they can find any of the local BES Relays when the laptop goes into an office and joins a LAN. The LAN BES Relays also need to include the unaffiliated group so that the laptops can find them.
The BES Relay in the DMZ is only assigned to the DMZ affiliation group so that only BES Clients connecting over the VPN will attempt to use the BES Relay.
The Main BES Server is put into the unaffiliated group to serve as a failover point and to service new BES Clients which have not been added to any affiliation groups.
This simple example illustrates basic usage of the BES Relay affiliation groups but the feature can easily be expanded to fulfill the diverse requirements of much larger and more complex enterprise deployments.
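The matching rules described under Technical Details, applied to the example deployment, as an added sketch that is not BigFix code: it models only which BES Relays are candidates in each pass, not the automatic relay selection performed within a pass. The relay names, function names and the hidden-relay check are hypothetical, and the sample settings are constructed from the example above.

```python
UNAFFILIATED = "*"

# Constructed sample (hypothetical relay names):
# relay name -> _BESRelay_Register_Affiliation_AdvertisementList value
RELAYS = {
    "relay-americas": "Americas;*",
    "relay-asiapacific": "AsiaPacific;*",
    "relay-dmz": "DMZ",
    "main-server": "*",
}

def parse_groups(value):
    """Split a semicolon-delimited list; names are trimmed and case-insensitive."""
    groups = []
    for raw in (value or "").split(";"):
        name = raw.strip().lower()
        if name and name not in groups:
            groups.append(name)
    # A computer with no assignment at all counts as unaffiliated.
    return groups or [UNAFFILIATED]

def candidate_passes(seek_list, relays):
    """Return [(group, [relay names])] in the order the client tries the groups."""
    adverts = {name: set(parse_groups(adv)) for name, adv in relays.items()}
    return [(group, sorted(n for n, adv in adverts.items() if group in adv))
            for group in parse_groups(seek_list)]

def selectable_by_unaffiliated(relays):
    """Relays that unassigned, '*' and pre-7.0 clients may select."""
    return candidate_passes(None, relays)[0][1]

def hidden_relay_violations(relays, must_be_hidden):
    """Segmentation check: relays meant to be hidden that still advertise '*'."""
    exposed = set(selectable_by_unaffiliated(relays))
    return sorted(r for r in must_be_hidden if r in exposed)

if __name__ == "__main__":
    for label, seek in [("workstation", "Americas"), ("laptop", "DMZ;*"),
                        ("new client", None)]:
        print(label, candidate_passes(seek, RELAYS))
    print("violations:", hidden_relay_violations(RELAYS, ["relay-dmz"]))
```

Running the check against the intended advertisement lists before they are deployed shows whether a relay meant for one segment, such as the DMZ relay, would also be offered to unaffiliated and pre-7.0 BES Clients.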
©2008 BigFix