IBM Endpoint Manager, Version 9.1

Best practices to consider when defining a proxy connection in V9.0 and V9.1

Consider the following tips and tricks to avoid common problems:
  • Starting from version 9.0, the use of the BESGather service is deprecated. However, if you use it, ensure that you define the user account used by your proxy configuration as follows:
    Provision a single user account that has both domain administrator and local administrator rights to the IBM Endpoint Manager server machine.
    Reason: The BESRootServer.exe process needs to have local administrator rights to the server machine to properly propagate site content from the database to the server's file system. The BESRootServer.exe needs to have domain administrator rights to negotiate all the LDAP transactions between the console and Active Directory to authenticate users.
    Ensure that the user account also has permission to make requests through the proxy to the Internet as a service account.
    Reason: The BESRootServer.exe service gathers the site content from public content and site servers.
    Ensure that the user has Database Owner (DBO) rights to the BFEnterprise database.
    Reason: The user needs to access the BFEnterprise and BESReporting databases as owner with DBO rights.
    Use this user ID as the logon account for the BES Root Server and BES Gather services.
  • After you set the communication through the proxy on a Windows server, use the IBM Endpoint Manager Diagnostic Tools to verify that the server, still reported as BESGatherService, can successfully reach the Internet.
  • Check the GatherDB.log file that is in the BES Server\GatherDBData folder to verify that the server can gather from the Internet.
  • Check whether the firewall rules block any file types. If a file type is blocked and the content to gather from a site contains at least one file of that type, then the entire content of that site is not gathered.
  • Ensure that the password specified in ProxyPass on the server, or in _Enterprise Server_ClientRegister_ProxyPass on the client or relay, has not expired.
  • Make sure that the proxy allows the downloading of arbitrary files from the Internet (for example, it does not block .exe downloads or does not block files with unknown extensions).
  • Most of the files in IBM Endpoint Manager are downloaded from bigfix.com or microsoft.com using HTTP port 80, but it is recommended that you allow the proxy service to download from any location using HTTP, HTTPS, or FTP because there are some downloads that use these protocols.
  • On Windows systems, verify whether Internet Explorer can reach the Internet using the credentials that are specified in the IBM Endpoint Manager proxy configuration, and test the connectivity with the esync.bigfix.com servers (for example, http://esync.bigfix.com/cgi-bin/bfgather/bessupport).
  • Make sure that the proxy is bypassed for internal network and component-to-component communications, because routing this traffic through the proxy might cause problems with how the IBM Endpoint Manager server works and is inefficient for the proxy. Use the ProxyExceptionList setting, if needed, to exclude local systems from the communication through the proxy.
  • The setting ProxyExceptionList was introduced in IBM Endpoint Manager version 9.0.835.0 for Windows and Linux systems. If you are using IBM Endpoint Manager version 9.0 and you have problems using content that downloads files from the local server, upgrade to IBM Endpoint Manager version 9.0.835.0 or later.
  • On the IBM Endpoint Manager server installed on a Linux system, at runtime the client configuration file is read before the server configuration file. Ensure that you update common settings on both components to avoid conflicts.
  • By default, HTTP and HTTPS connections time out after 10 seconds, DNS resolution time included. When this happens, the HTTP 28 error is logged. If in your environment the proxy server or the DNS server takes longer to establish the TCP connection, you can increase the number of seconds before the connection times out by editing the setting _HTTPRequestSender_Connect_TimeoutSeconds. This setting affects all the IBM Endpoint Manager components, including the Console and the Client, that run on the machine on which it is set. No IBM Endpoint Manager component running on other machines in the deployment is affected by the setting. As a best practice, increase the value with care and keep it as low as possible: a long timeout can leave too many sockets open concurrently, risking socket exhaustion and eventual loss of service.
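
Several of the checks above (proxy credentials, reachability of the gather URL through the proxy, and the 10-second connect budget with DNS time included) can be exercised in one probe. The following Python script is an added example, not IBM code: the function name probe_proxy and its parameters are hypothetical, and it assumes the proxy accepts Basic authentication for a plain HTTP request.

```python
import base64
import socket
import time
from urllib.parse import urlsplit
# Added example: probe_proxy is a hypothetical helper; Basic proxy auth is assumed.
DEFAULT_BUDGET_S = 10.0  # default connect timeout cited above; DNS time counts against it

def probe_proxy(proxy_host, proxy_port, url, user=None, password=None,
                budget_s=DEFAULT_BUDGET_S):
    """Time DNS + TCP connect to the proxy, then request `url` through it."""
    res = {"dns_s": None, "connect_s": None, "status": None, "verdict": None}
    t0 = time.monotonic()
    try:
        info = socket.getaddrinfo(proxy_host, proxy_port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        res["verdict"] = "proxy name did not resolve"
        return res
    res["dns_s"] = time.monotonic() - t0
    sock = socket.socket(info[0], info[1], info[2])
    # The page says the timeout includes DNS time, so subtract it from the budget.
    sock.settimeout(max(budget_s - res["dns_s"], 0.001))
    try:
        t1 = time.monotonic()
        sock.connect(info[4])
        res["connect_s"] = time.monotonic() - t1
        # Plain HTTP through a proxy puts the absolute URL on the request line.
        lines = [f"GET {url} HTTP/1.1", f"Host: {urlsplit(url).netloc}",
                 "Connection: close"]
        if user is not None:
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            lines.append(f"Proxy-Authorization: Basic {token}")
        sock.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        status_line = sock.recv(256).split(b"\r\n", 1)[0].split()
        res["status"] = int(status_line[1])
    except socket.timeout:
        res["verdict"] = f"no connection or reply within the {budget_s:g}s budget"
        return res
    except (OSError, IndexError, ValueError) as exc:
        res["verdict"] = f"connection failed: {exc}"
        return res
    finally:
        sock.close()
    if res["status"] == 407:
        res["verdict"] = "proxy rejected the credentials (expired password?)"
    elif 200 <= res["status"] < 400:
        res["verdict"] = "ok"
    else:
        res["verdict"] = f"proxy or origin answered HTTP {res['status']}"
    return res
```

Run it from the server with the same account and proxy values as the product configuration, reading the password with getpass rather than from the command line. If dns_s plus connect_s regularly approaches the budget, that is the case in which raising _HTTPRequestSender_Connect_TimeoutSeconds is justified.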

