How do I use TEM with a proxy?

Technote (troubleshooting)


Problem (Abstract)

By default, two services in TEM access the Internet directly: the BES Gather Service component and the BES Root Server Service component of the TEM Server. This article describes how to configure the BES Gather Service to connect out to the Internet through a proxy.

Resolving the problem

Because the TEM Windows services automatically run as the Windows LOCAL SYSTEM account, certain proxy or firewall configurations will not allow the BES Gather service or the BES Root Server service to access the Internet.

To give the BES Gather service and BES Root Server service access to the Internet, you will need to have these two services log on to Windows as a user that can access the Internet through the proxy.

Configuring the BES Gather Service and Internet Explorer
To configure the BES Gather Service and the BES Root Server Service to run as a user that can access the Internet, follow these directions on the TEM Server computer (Note: This will work for most proxies, but if your proxy has special requirements, such as only allowing domain users to access the Internet, you will need to talk to your network administrator):

    1. Create a local Windows Administrator account
    2. Log in as the local Windows Administrator account you just created and set up the account to access the Internet
    3. Verify that you can access an external website (e.g. http://www.ibm.com)
    4. Ensure communication to local systems is not forwarded through the proxy server. To exclude local systems, in the Internet Connection settings, go into the proxy settings area and then select the "bypass proxy for local addresses" option.
      In addition, under the "Advanced" proxy settings, type in the local domains that should not be sent through the proxy server. For example, for systems on your foo.com internal company domain, you would put "*.foo.com" and "127.0.0.1" in the "Exclude" box. This will cause requests that are intended for anything.foo.com to be sent directly, rather than through the proxy server. If your system is set up to use an autoconfiguration script, you will need to configure the actual name of the proxy and the port instead of the script.
    5. Go to Control Panel > Administrative Tools > Services
    6. Double click on "BES Gather Service"
    7. Click on the "Log On" tab and set the service to log on as the user you just created.
    8. Restart the BES Gather Service
    9. Double click on "BES Root Server Service"
    10. Click on the "Log On" tab and set the service to log on as the user you just created.
    11. Restart the BES Root Server Service

Ensuring Chunked Encoded Downloads Work
In addition to the steps above, check that the following client settings are set and configured on the TEM server to ensure chunked encoded downloads work through the proxy and are processed correctly by the services:
    _BESGather_Comm_UseDownloadService
    "value" = "1"

    _BESGather_Comm_UseUrlMoniker
    "value" = "1"

    _BESGather_Download_CheckInternetFlag
    "value" = "1"

    GatherService_ForwardGet_UserAgentOverride
    "value" = {Check with your proxy administrator to see if the proxy only allows traffic from certain specific User Agents. If it doesn't, then this setting does not need to be set}

After making the necessary setting changes, restart the BES Root Server and BES Gather services.

Confirming it Works
You can verify that the BES Gather Service can access the Internet by opening up the TEM Diagnostics tool on the TEM Server (Start > All Programs > Tivoli Endpoint Manager > Tivoli Endpoint Manager Diagnostics Tool).

You can verify that the BES Root Server Service can access the Internet by opening the BESRelay.log file located in the BES Server folder, for example:

C:\Program Files\BigFix Enterprise\BES Server (for 32-bit operating systems)
or
C:\Program Files (x86)\BigFix Enterprise\BES Server (for 64-bit operating systems)

Note: If you modify the BES Gather service to run as an account other than the Windows SYSTEM account, several tests in the "Service Permissions" tab of TEM Diagnostics tool may fail. This is a known issue in the TEM Diagnostics tool. You can safely ignore these failures in this case.

Note: You should add *.bigfix.com to your list of trusted sites in Internet Explorer.

You can find additional information regarding proxy configurations for TEM in the following Knowledge Base article: http://www-01.ibm.com/support/docview.wss?uid=swg21505893


Configuring Proxy Settings for an IEM version 9 Server


1. From C:\Program Files (x86)\BigFix Enterprise\BES Server, run BESAdmin /setproxy /user:AAAA /pass:AAAA and then manually change the values under the following registry key:

    HKLM\SOFTWARE\BigFix\Enterprise Server\Proxy
    "Proxy"=""
    "ProxyUser"="AAAA"
    "ProxyPass"="encrypted(AAAA)"
to our enterprise proxy values, where Proxy is "http://OUR_PROXY_IP:OUR_PROXY_PORT/"

2. Set the following client settings on the IEM server machine via the IEM Console. Right-click on the server machine in the list of computers and select "Edit Computer Settings...".
    _BESGather_Comm_UseUrlMoniker = 1
    _BESGather_Comm_UseDownloadService = 0
    _Enterprise Server_ClientRegister_ProxyServer = OUR_PROXY_IP
    _Enterprise Server_ClientRegister_ProxyPort = OUR_PROXY_PORT
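
A read-only check of the two Windows configurations described above (the service logon account and the version 9 proxy registry key), as an added PowerShell example that is not part of the original technote. The display-name wildcards and the Wow6432Node path are assumptions; ProxyPass is reported only as present or absent.

```powershell
# Added example: read-only audit. Nothing here changes configuration.

function Get-TemServiceLogon {
    # Assumption: the services' display names begin with these strings.
    param([string[]]$DisplayNameLike = @('BES Gather%', 'BES Root Server%'))
    foreach ($pattern in $DisplayNameLike) {
        Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$pattern'" |
            Select-Object DisplayName, State, StartName,
                @{ Name = 'RunsAsLocalSystem'; Expression = { $_.StartName -eq 'LocalSystem' } }
    }
}

function Get-TemProxyRegistry {
    # The first path is the key named in the article; the Wow6432Node variant
    # is an assumption covering a 32-bit server process on 64-bit Windows.
    param([string[]]$KeyPath = @(
        'HKLM:\SOFTWARE\BigFix\Enterprise Server\Proxy',
        'HKLM:\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\Proxy'))
    foreach ($key in $KeyPath) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values  = Get-ItemProperty -LiteralPath $key
        # Identities holding an Allow entry on the key that stores the proxy credential.
        $allowed = (Get-Acl -LiteralPath $key).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Key                  = $key
            Proxy                = $values.Proxy
            # Expected shape from the article: http://HOST:PORT/
            ProxyWellFormed      = [bool]($values.Proxy -match '^http://[^/:\s]+:\d{1,5}/?$')
            ProxyUser            = $values.ProxyUser
            # Report presence only; never print the stored credential.
            ProxyPassSet         = -not [string]::IsNullOrEmpty($values.ProxyPass)
            IdentitiesWithAccess = $allowed -join ', '
        }
    }
}

Get-TemServiceLogon  | Format-Table -AutoSize
Get-TemProxyRegistry | Format-List
```

Run it from an elevated PowerShell session on the server. If the services were reconfigured as in the first procedure, StartName shows the account you created instead of LocalSystem.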

Configuring Proxy Settings for an IEM Linux Server

Add the following entry:

[Software\BigFix\Enterprise Server\Proxy]
Proxy = [proxyuser:password@]hostname[:port]

Examples depending on your proxy configuration:

[Software\BigFix\Enterprise Server\Proxy]
Proxy = proxyuser:password@hostname:port

[Software\BigFix\Enterprise Server\Proxy]
Proxy = hostname:port

[Software\BigFix\Enterprise Server\Proxy]
Proxy = proxyuser:password@hostname

Then restart the server services.

Related information

How does TEM work with Proxy servers

Historical Number

105

Document information

More support for: Tivoli Endpoint Manager
Software version: Version Independent
Operating system(s): Windows
Software edition: All Editions
Reference #: 1505994
Modified date: 2014-03-31
