
AppNote: ZENworks with NAT and BorderManager 3.8 Firewall

Novell Cool Solutions: AppNote
By Vivek Jain


Posted: 30 Sep 2004
 

ZENWorks 6.5 Inventory and Remote Management Deployment in a NAT and BorderManager 3.8 Firewall Setup

Vivek Jain, Senior Software Engineer

vijain@novell.com

This AppNote discusses the configuration required for Novell ZENworks 6.5 Inventory and Remote Management to work across NAT and a firewall.

Introduction

Novell ZENworks 6.5 provides a variety of features such as Remote Management, Inventory, Application Launcher, Imaging, Policy and Distribution Services, and Workstation Management. Remote Management and Inventory work well in a firewall environment, provided they are configured properly.

In a typical corporate network there are various firewall components, such as NAT, filtering rules, VPN, and proxies. Mobile users can get all their application updates through Application Launcher, even when they are on public networks. Also, the administrator can remote-control any machine across a firewall for debugging purposes.

Configuring Single NAT

In a single NAT environment, you can have the following configurations enabled on the NAT server in order to make ZENworks Inventory and Remote Management work across it:

  • Static NAT
  • Dynamic NAT
  • Static and Dynamic NAT

If the managed workstation is configured behind dynamic NAT, the managed workstation cannot be accessed from the management console, but the reverse is true: the management console can be accessed from the managed workstation.

If you are using a NetWare server, you can enable NAT from the Internetworking Configuration menu. Go to Protocols | TCP/IP | NAT Implicit Filtering and enable it.

To enable Static NAT, Dynamic NAT, or Static and Dynamic NAT:

  1. Go to Internetworking Configuration menu | Bindings | Public Interface IP | Configure TCP/IP bind options | Expert TCP/IP Bind Options | Network Address Translation | Status.
  2. Select Static NAT, Dynamic NAT, or Static and Dynamic NAT.

     Figure 1: Enabling Static or Dynamic NAT, or Static and Dynamic NAT

  3. Add the Secondary IP addresses in the table, if desired.

     Figure 2: Adding the secondary IP addresses

If you are using NetWare 6.0 or below, you must add these secondary IP addresses from the command line (Add Secondary IPAddress <IP>). In NetWare 6.5 and above you can add these secondary IP addresses from the Internetworking Configuration Menu (Bindings | Public Interface IP | Secondary IP Address Support).

When NAT is enabled you can start using Remote Management and Inventory Services with a minimal configuration.

If the workstation is located outside the firewall, the workstation accesses the ZENworks Desktop Management Middle Tier server via HTTP, using the Desktop Management Agent. The Middle Tier Server then acts as a proxy to pass the request on to the ZENworks server.

The steps for this configuration are:

  1. Install the Middle Tier server inside the firewall.
  2. Import the workstation, which is situated outside the firewall, to the ZENworks tree via the ZENworks Import service. For this you need to specify the NATed IP address of the ZENworks server running the Workstation Import service in the HOSTS file on the workstation.
  3. Install the ZENworks agent on the workstation. During the install, give the NATed IP address of the Middle Tier server. Once the workstation is imported, it receives the inventory policy configured for the workstation and sends the inventory scans to the database via the Middle Tier server.
  4. If you have enabled filters on the server, you need to open the HTTP ports on the filtering server.

Working with Remote Management

There are two ways to remote-control a workstation -- console-initiated connection or Agent Initiated Connection (AIC). You would typically use AIC in the following cases:

  • When the managed workstation is behind dynamic NAT and cannot be accessed from a management console.
  • When the managed workstation is in a private network, and the IP address cannot be used by the management console from the public network. (The management console picks up the IP address from the workstation object, and the address would be private.)

ZENworks Remote Management offers two modes of authentication -- Directory and Password. If you want to use Directory mode of authentication for performing remote operations, you need to enable the following options in the General tab of Remote Management policy for Workstations and/or Users:

  1. Accept Connections across NAT/Proxy. (This enables the Remote Management Agent to accept connections with the management console across NAT or Proxy. This is applicable for connections initiated through Directory-based authentication only.)
  2. Prompt User for Permission to Accept Connections across NAT/Proxy. (This enables the user at the managed workstation to accept or reject connections across NAT or Proxy. This is applicable for connections initiated through Directory-based authentication only.)

     Figure 3: Remote Control Policy Properties

  • Once the workstation is imported to the ZENworks tree, you can initiate remote operations with the workstation from a console inside the firewall. You can use either eDirectory authentication or password-based authentication.
  • For AIC, right-click the remote control icon in the system tray and select Request Session. Select the following values in the Request Session dialog (pictured below): 1) the NATed IP address of the management console machine (where ConsoleOne is already running), and 2) the remote operation to be performed by the remote operator. Then click OK.

    Figure 4: Supplying the Console address in the Request Session dialog

    The management console then displays the dialog shown below. Choose eDirectory authentication or password-based authentication (and supply the password) and click OK.

    Figure 5: Choosing the authentication mode

Working with Inventory

Workstation inventory works properly if you have opened the HTTP ports. But if you have the Novell Client installed on the workstation, the communication happens through the Novell Client. In this case you also need to open the NCP port (TCP 524) on the filtering server.

If you have a lower-level server outside the firewall rolling up to a higher-level server inside the firewall, then you must install the ZENworks Proxy service inside the firewall. After this you need to configure the proxy settings in the rollup policy by filling in the fields shown below.

Figure 6: Configuring the proxy settings in the rollup server

IP Address / DNS Name: Specify the NATed IP address or DNS name of the ZENworks proxy server.

Port: Specify the port number of the proxy server. By default it is 65000. You can change the port during the installation of the ZFD/ZFS server.

After the configuration is done the inventory will work properly.

Configuring Double NAT

Inventory is not supported across double NAT; only Remote Management is. If you have two corporate offices situated across the public network, and both of these sites have NAT enabled, then you can use ZENworks Remote Management to access a workstation in one site from the other site.

In this case the Remote Management operations work only if Static NAT, or Static and Dynamic NAT, is enabled on at least one of the sites. Remote Management will not work if both sites have dynamic NAT enabled.

The configuration in this scenario is the same as the configuration for Static NAT. If the managed device is behind dynamic NAT, you should initiate the connection using AIC. If the management console is behind dynamic NAT, you should initiate the connection from ConsoleOne. If both entities are behind static NAT, you can initiate the connection from either end.
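The initiation rules above follow from the single-NAT behaviour described earlier: a host behind dynamic NAT can open outbound connections but cannot be reached from outside. The following Python script, added here and not part of the AppNote, models that rule for the single and double NAT layouts together with the Remote Management policy option needed for Directory authentication; the NAT type labels and function names are my own.

```python
# Added example, not from the AppNote: derives which Remote Management
# initiation mode works from one rule the AppNote states: a host behind
# dynamic NAT can open outbound sessions but cannot be reached from outside.
# Ports are the AppNote defaults; NAT labels and function names are assumed.
AGENT_PORT = 1761     # Remote Management Agent on the workstation (console-initiated)
LISTENER_PORT = 1762  # Remote Control Listener in ConsoleOne (agent-initiated, AIC)
NAT_TYPES = {"none", "static", "dynamic", "static+dynamic"}

def reachable_from_outside(nat):
    """Static NAT (alone or with dynamic) maps a public address to the host,
    so it can accept inbound sessions; pure dynamic NAT cannot."""
    if nat not in NAT_TYPES:
        raise ValueError(f"unknown NAT type: {nat}")
    return nat != "dynamic"

def supported_modes(workstation_nat, console_nat):
    """Map each initiation mode to the (host, port) the initiator must reach,
    or None when that mode cannot work in this NAT layout."""
    return {
        # Console-initiated: ConsoleOne connects to the agent port on the workstation.
        "console": (("workstation", AGENT_PORT)
                    if reachable_from_outside(workstation_nat) else None),
        # AIC: the agent connects to the listener port on the console.
        "aic": (("console", LISTENER_PORT)
                if reachable_from_outside(console_nat) else None),
    }

def policy_allows(workstation_nat, console_nat, auth, accept_across_nat_policy):
    """Directory authentication across NAT/Proxy also needs the Remote Management
    policy option "Accept Connections across NAT/Proxy"; password mode does not."""
    crossing_nat = workstation_nat != "none" or console_nat != "none"
    return auth == "password" or not crossing_nat or accept_across_nat_policy

def recommend(workstation_nat, console_nat, auth="password", accept_across_nat_policy=False):
    """One-line deployment advice for a given layout."""
    if not policy_allows(workstation_nat, console_nat, auth, accept_across_nat_policy):
        return "enable 'Accept Connections across NAT/Proxy' for directory authentication"
    usable = [m for m, target in supported_modes(workstation_nat, console_nat).items() if target]
    if not usable:
        return "unsupported: both ends behind dynamic NAT"
    return "either end may initiate" if len(usable) == 2 else f"initiate with {usable[0]} only"

if __name__ == "__main__":
    for ws, con in [("static", "none"), ("dynamic", "none"),
                    ("none", "dynamic"), ("dynamic", "dynamic")]:
        print(f"workstation={ws:8} console={con:8} -> {recommend(ws, con)}")
```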

Configuring Client-to-Site VPN and Site-to-Site VPN

You can set up your ZENworks Inventory and Remote Management across a VPN. This section discusses the deployment of ZENworks 6.5 across a Novell BorderManager 3.8 firewall.

If you have two corporate offices situated across the public network, you can create a site-to-site VPN channel (with BorderManager 3.8) between these two locations for secure communication. If a mobile user in the public network wants to communicate with either of these offices, that user can create a client-to-site channel (with BorderManager 3.8) between the managed workstation and the VPN site at the office. It is recommended that you dedicate a VPN site server for this purpose, with any ZENworks servers located behind it.

Inventory Rollup

Rollup of inventory data from one site to another is supported via a VPN site-to-site channel. Workstation Inventory scans can be transferred from the public network to the inventory server behind either of the sites.

The configuration is as follows:

1. Install BorderManager 3.8 site servers at both sites.
2. Configure the site-to-site channel. For further details about this configuration, see the Novell documentation for BorderManager 3.8.
3. To create a client-to-site channel, install the VPN client from BorderManager 3.8 on your managed workstation and configure the channel with the help of iManager.
4. If you have set packet filtering ON, check that the following ports are open (default ports). By default, BorderManager sets this up for you.
   • VPN-AuthGW-ST - UDP - 353
   • VPN-KeepAlive-ST - TCP - 353
   • VPN-Tunnel-ST - UDP - 2010

For Inventory to work properly, ensure you have the following ports open:

• HTTP Port - TCP - 80 and 8080
• ZENworks Proxy port - TCP - 65000
• NCP port - TCP - 524
• HTTPS Port - TCP - 443

Ports for Remote Management

Once the client-to-site channel is established, ensure the following ports are open for Remote Management to work. (These are the default ports; you can change them as explained in the next section.)

• Remote Management Agent Port - TCP - 1761
• Remote Control Listener Port - TCP - 1762

Note: Remember to set Stateful Filtering ON for two-way communication. If you have the Novell Client installed on your machine, remember to open the NCP port, TCP 524.

Changing Remote Management Ports

You can configure the Remote Management Agent and the Remote Control Listener to listen on different ports if you have other applications which use the default ports.

Remote Management Agent

By default, the Remote Management Agent binds to TCP port 1761. You can configure it to run on a different TCP port by following these steps:

On the managed workstation:

1. Open the <ZENworks_agent_directory>\remotemanagement\rmagent\rmcfg.ini file.
2. Under the Remote Management Agent Ports section, set the DefaultCommPort to the desired port number.
3. Restart the Novell ZfD Remote Management service.

On the management console:

1. Open the <ConsoleOne_directory>\1.2\bin\rmports.ini file.
2. Under the Remote Management Agent Ports section, add the port number you specified on the managed workstation.

Note: If the Remote Management Agents are running on different ports on different management consoles, you must list the port numbers one below the other under the Remote Management Agent Ports section of the rmports.ini file.

Remote Control Listener

Similarly, the Remote Control Listener binds to TCP port 1762 by default when ConsoleOne is started. You can configure it to run on a different TCP port by following the steps below:

On the management console:

1. Open the <ConsoleOne_directory>\1.2\bin\rmports.ini file.
2. In the Remote Control Listener Port section, set the DefaultCommPort to the desired port number.
3. Restart ConsoleOne.

On the managed workstation:

1. Open the <ZENworks_agent_directory>\remotemanagement\rmagent\rmcfg.ini file.
2. In the Remote Control Listener Ports section, add the port number.

Note: If the Remote Control Listeners are running on different ports on different management consoles, you must list the port numbers one below the other in the Remote Control Listener Ports section of the rmcfg.ini file.
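Because both the agent port and the listener port must be entered on both sides, the usual failure is a port changed in one file but not mirrored in the other. The following Python check, added here and not from the AppNote, parses constructed rmcfg.ini and rmports.ini samples and reports any mismatch; it assumes the section names given in the steps above, a DefaultCommPort=<n> line for the listening port, and extra ports listed one per line, which is my reading of the steps and not Novell's documented file format.

```python
# Added example, not from the AppNote: verifies that the ports in the agent's
# rmcfg.ini and the console's rmports.ini agree. Assumed layout: INI sections
# named as in the AppNote, DefaultCommPort=<n>, extra port numbers one per line.
import re

def parse_ports_ini(text):
    """Return {section: {"default": port or None, "ports": [listed ports]}}."""
    sections, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].strip()
            sections[cur] = {"default": None, "ports": []}
        elif cur and (m := re.fullmatch(r"DefaultCommPort\s*=\s*(\d+)", line, re.I)):
            sections[cur]["default"] = int(m.group(1))
        elif cur and line.isdigit():
            sections[cur]["ports"].append(int(line))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return sections

def check_consistency(rmcfg_text, rmports_text):
    """Return the problems found; an empty list means both sides agree."""
    agent, console = parse_ports_ini(rmcfg_text), parse_ports_ini(rmports_text)
    problems = []
    # Console-initiated sessions: ConsoleOne must know the agent's port.
    agent_port = agent["Remote Management Agent Ports"]["default"]
    if agent_port not in console["Remote Management Agent Ports"]["ports"]:
        problems.append(f"console does not list agent port {agent_port}")
    # AIC sessions: the agent must know the console listener's port.
    listener_port = console["Remote Control Listener Port"]["default"]
    if listener_port not in agent["Remote Control Listener Ports"]["ports"]:
        problems.append(f"agent does not list listener port {listener_port}")
    return problems

# Constructed samples: agent moved to 1861 but console still lists only 1761.
SAMPLE_RMCFG = """[Remote Management Agent Ports]
DefaultCommPort=1861
[Remote Control Listener Ports]
1762
1862
"""
SAMPLE_RMPORTS = """[Remote Management Agent Ports]
1761
[Remote Control Listener Port]
DefaultCommPort=1862
"""
```

Run check_consistency() on the contents of the two files; the samples above report the agent port that was never added on the console, while the mirrored listener move passes.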

Changing HTTP and Proxy Ports

If you have changed the default web server port, you can specify the new port during the ZFD agent installation on your managed workstation. If you have not done so, there is an option to change this port in the login window. You can also change it in the registry.

Similarly, you can change the default port (65000) of the ZENworks Proxy service during the ZFD Server installation.

Conclusion

This AppNote discusses how easily ZENworks can be deployed in a firewall scenario where NAT, VPN, and packet filtering are all enabled.

The results described in this AppNote are derived strictly from test scenarios. In real user scenarios the results may differ. Novell does not recommend deploying untested configuration changes directly in a production network. You should always verify configuration changes on a simulated test network before you deploy into a production environment.
