BigFix 7.0 introduces a new feature called BigFix Relay affiliation that is intended to provide a more sophisticated control system for automatic relay selection. The feature is very flexible and may be used in many different ways but the primary use case is to allow the BigFix infrastructure to be segmented into separate logical groups. A set of BigFix Clients and BigFix Relays can be put into the same affiliation group such that the BigFix Clients will only attempt to select the BigFix Relays in their affiliation group.
This article assumes you are familiar with the automatic relay selection process (more info). The BigFix Relay affiliation feature is built on top of automatic relay selection and you should understand this process prior to implementing BigFix Relay affiliation.
BigFix Relay affiliation only applies to the automatic relay selection process. The manual relay selection process is unaffected even if computers are put into BigFix Relay affiliation groups.
BigFix Clients are assigned to one or more relay affiliation groups through the BigFix Client setting:
This BigFix Client setting should be set to a semi-colon (;) delimited list of relay affiliation groups.
BigFix Relays and BigFix Servers can be assigned to one or more relay affiliation groups through the BigFix Client setting:
This BigFix Client setting should also be set to a semi-colon (;) delimited list of relay affiliation groups.
Note: BigFix Relays and BigFix Servers do not need to be assigned a _BESClient_Register_Affiliation_SeekList. The SeekList is only used by the BigFix Client and BigFix Clients on BigFix Relays are limited to only use manual relay selection.
There are no pre-defined relay affiliation group names, you are free to pick group names that are logical to your deployment of BigFix. You should not use special characters when picking names, group names are not case sensitive, and leading and trailing whitespaces are removed. The ordering of relay affiliation groups is important for the BigFix Client. The ’*’ symbol does have a special meaning in a relay affiliation list and represents the set of unaffiliated computers. Unaffiliated computers are BigFix Clients or BigFix Relays which do not have any relay affiliation group assignments or also have the ’*’ group listing.
Once a BigFix Client has been assigned a list of one or more relay affiliation groups, it will use these groups whenever automatic relay selection is performed. The BigFix Client will run the full automatic relay selection process for each relay affiliation group it is a member of in the order that they appear in the relay affiliation group list. For example, if the BigFix Client is assigned to ’AsiaPacific;Americas;DMZ’ the BigFix Client would run the full automatic relay selection process against all BigFix Relays in the Asia Pacific groups, than restart the automatic relay selection process and run it against all BigFix Relays in the Americas group, and finally reset and try again for the DMZ group. If the BigFix Client is unable to find any BigFix Relay in this process it will consider the automatic relay selection process a failure and follow its failover process. During failover it tries the assigned failover BigFix Relays and if those fail it givers up until it reaches its relay selection retry interval.
If no relay affiliation groups have been assigned to the BigFix Client, it will select from BigFix Relays that also have no assignment and BigFix Relays that have been assigned to the ’*’ group. Similarly, if the ’*’ group is assigned to the BigFix Client it will attempt to find BigFix Relays unaffiliated group. The ’*’ group assignment would be used on BigFix Clients when you want to set up a priority system where the BigFix Client first tries to find BigFix Relays in specific relay affiliation groups prior to trying a larger bank of unassigned BigFix Relays. An example relay affiliation list would look like ’AsiaPacific;DMZ;*’.
Pre-7.0 BigFix Clients will attempt to autoselect to all BigFix Relays in the unaffiliated group (BigFix Relays without any affiliation assignment and BigFix Relays assigned to the ’*’ group). The BigFix Client log contains details about the BigFix Relay affiliation process and can be used for troubleshooting.
BigFix Relays themselves do not use automatic relay selection when deciding which parent BigFix Relay or BigFix Server to use so the BigFix Relay affiliation process does not apply when BigFix Relays pick their parent. BigFix Relays will use the standard manual relay selection and failover behavior.
However, BigFix Relays do need to be assigned to belong to a BigFix Relay affiliation group in order for BigFix Clients in that group to autoselect to the BigFix Relay. BigFix Relays can belong to multiple affiliation groups but the ordering does not matter like it does for the BigFix Clients.
If you assign a BigFix Relay an affiliation group list without a ’*’ member that will hide the BigFix Relay from all 7.0 BigFix Clients except the BigFix Clients with the corresponding affiliation groups. If you assign a BigFix Relay to the ’*’ group it may be selected by BigFix Clients without any affiliation groups and BigFix Client that are in the ’*’ group.
After being assigned to a new affiliation group, an additional action must be taken by a master BigFix Console operator before BigFix Clients will be aware of the assignment. This can be a blank action. The BigFix Console creates a file called Relays.dat which contains the BigFix Relays and their affiliation groups that the BigFix Clients use during automatic relay selection. The Relays.dat file is not updated until the BigFix Relay reports that it is a member of the relay affiliation group and an action is taken by the master BigFix Console operator.
Fig. 1 BigFix Relay Affiliation
Please refer to the BigFix Relay Affiliation diagram in Fig. 1. In this example, Workstation and Server computers are separated by geographical regions (Americas and AsiaPacific) and will only select the BigFix Relay in their region.
Laptops on the other hand could move between these geographical regions or they could connect over a VPN to a BigFix Relay in the DMZ. To accommodate these mobile computers, they are put into a DMZ affiliation group so they will attempt to find the DMZ BigFix Relay when connecting over a VPN. They are also put into the unaffiliated group (the * group) so they can find any of the local BigFix Relays when the laptop goes into an office and joins a LAN. The LAN BigFix Relays also need to include the unaffiliated group so that the laptops can find them.
The BigFix Relay in the DMZ is only assigned to the DMZ affiliation group so that only BigFix Clients connecting over the VPN will attempt to use the BigFix Relay.
The Main BigFix Server is put into the unaffiliated group to serve as a failover point and to service new BigFix Clients which have not been added to any affiliation groups.
This simple example illustrates basic usage of the BES Relay affiliation groups but the feature can easily be expanded to fulfill the diverse requirements of much larger and more complex enterprise deployments.