How to get ZENworks for Desktops 3.2 Remote Control to work with Windows XP Professional with SP2
Novell Cool Solutions: Tip
By Ashton Smith
Updated: 19 May 2005
Because Novell has neither tested nor supports SP2 for Windows XP Professional with ZENworks for Desktops 3.2, the workstation needs some manual changes before the Remote Control functionality will work. There are two ways to get ZfD 3.2 Remote Control to work with SP2 for Windows XP Professional:
1. Through the distribution of registry keys via NAL or modifications through a Group Policy, disable the XP SP2 Firewall and its related service with these registry keys:
;Set the Firewall and ICS Services to Disabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

;Disable Windows Firewall
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
2. Configure the XP SP2 Firewall to open the proper ports and set up the program exceptions so that data passes correctly, by creating these registry keys:
;Set the Firewall and ICS Services to Manual
;This will prevent it from loading automatically, but will be loaded when Remote Management starts
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000003

;Set the ZENworks Remote Management Service to be dependent on the SharedAccess and Workstation Manager services
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Novell WUser Agent]
"DependOnService"=hex(7):57,00,4d,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,\
  41,00,63,00,63,00,65,00,73,00,73,00,00,00,00,00

;Set the ports for ZENworks Remote Control in the allowed Ports lists for the Firewall
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"20:TCP"="20:TCP:*:Enabled:ZENworks Remote Management FTP"
"21:TCP"="21:TCP:*:Enabled:ZENworks Remote Management FTP"
"517:TCP"="517:TCP:*:Enabled:ZENworks Remote Management Chat"
"1761:UDP"="1761:UDP:*:Enabled:ZENworks Remote Execute"
"1762:UDP"="1762:UDP:*:Enabled:ZENworks Remote Control/View"
"1763:UDP"="1763:UDP:*:Enabled:ZENworks Remote Managment Diagnostics"
"1765:UDP"="1765:UDP:*:Enabled:ZENworks Wake Up on LAN"

;Set the ZENworks Remote Control executable in the allowed program list for the firewall
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"srvftp32.exe"="c:\novell\zenrc\srvftp32.exe:*:Enabled:ZENworks Remote Management FTP"
"wtalk32.exe"="c:\novell\zenrc\wtalk32.exe:*:Enabled:ZENworks Remote Management Chat"
"wuolservice.exe"="c:\novell\zenrc\wuolservice.exe:*:Enabled:ZENworks Wake Up on LAN"
"wuser32.exe"="c:\novell\zenrc\wuser32.exe:*:Enabled:ZENworks Remote Management"

;Enable Windows Firewall
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
Turning off the XP SP2 firewall might not be the best option for your security standards, but either option seems to work fine.
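An added example (not part of the original tip or of any Novell tooling): before importing the option 2 keys, a short Python check can parse the .reg text, decode the hex(7) DependOnService value into readable service names, and list every firewall exception that is enabled with scope * (any source address). The sample text is constructed from the entries above, with one port narrowed to LocalSubNet for contrast; audit_reg and SAMPLE_REG are names chosen for this example.

```python
import re

# Constructed sample: a few option 2 entries as .reg text (1762:UDP narrowed for contrast).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Novell WUser Agent]
"DependOnService"=hex(7):57,00,4d,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,\
  41,00,63,00,63,00,65,00,73,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"21:TCP"="21:TCP:*:Enabled:ZENworks Remote Management FTP"
"1762:UDP"="1762:UDP:LocalSubNet:Enabled:ZENworks Remote Control/View"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"wuser32.exe"="c:\novell\zenrc\wuser32.exe:*:Enabled:ZENworks Remote Management"
'''

# Matches the two exception-list keys and captures the firewall profile name.
FW_LIST = re.compile(
    r"FirewallPolicy\\(\w+)\\(GloballyOpenPorts|AuthorizedApplications)\\List\]$")

def audit_reg(text):
    """Return (wildcard_exceptions, multi_string_values) found in .reg text."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex(7) continuation lines
    wildcard, multi, section = [], {}, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, data = m.groups()
        fw = FW_LIST.search(section)
        if data.startswith("hex(7):"):
            # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, list ends with extra NUL
            raw = bytes.fromhex(data[7:].replace(",", ""))
            multi[name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
        elif fw:
            # Value layout: <port:proto or path>:<scope>:<status>:<label>
            parts = data.strip('"').rsplit(":", 3)
            if len(parts) == 4 and parts[2] == "Enabled" and parts[1] == "*":
                wildcard.append((fw.group(1), parts[0], parts[3]))
    return wildcard, multi

if __name__ == "__main__":
    open_to_any, services = audit_reg(SAMPLE_REG)
    print("DependOnService:", services.get("DependOnService"))
    for profile, target, label in open_to_any:
        print(f"scope * in {profile}: {target} ({label})")
```

The scope field of these XP SP2 firewall values also accepts LocalSubNet or a comma-separated list of addresses, so entries the check reports can be narrowed to the management consoles that actually need to reach the workstation.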
I found the issue to be a "timing" issue between when the remote control service was started as the workstation was booting up. If you looked at the service, you would see that it wasn't started, even though it was set to "automatic". If, after the workstation was all booted up, you opened a command prompt and typed 'net start "remote management"', it would start the service and remote control would work just fine.
Rather than go through all the convoluted hoops explained in your cool solution, I just put an exception in the XP firewall for the service, then used a DOS-based "wait" utility and a batch file called "StartRM.Bat" to simply "re-start" the service from the StartUp Folder about 20 seconds after the workstation was booted.
To me, this is simply a minor flaw in the client that Novell needs to resolve.
If you have any questions you may contact Brian at BHawker@Intrasource.com
What I did was merely export the key that contains the firewall exceptions for my environment into a reg file. This can either be imported via NAL or a login script:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\dpmw32.exe"="C:\\WINDOWS\\system32\\dpmw32.exe:*:Enabled:NDPS RPM & Notification Listener"
"C:\\NOVELL\\ZENRC\\wtalk32.exe"="C:\\NOVELL\\ZENRC\\wtalk32.exe:*:Enabled:wtalk32.exe"
"C:\\NOVELL\\ZENRC\\srvftp32.exe"="C:\\NOVELL\\ZENRC\\srvftp32.exe:*:Enabled:srvftp32.exe"
"C:\\NOVELL\\ZENRC\\WUOLService.exe"="C:\\NOVELL\\ZENRC\\WUOLService.exe:*:Enabled:WUOLService.exe"
"C:\\NOVELL\\ZENRC\\wuser32.exe"="C:\\NOVELL\\ZENRC\\wuser32.exe:*:Enabled:wuser32.exe"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
add to my users' login script:
if "%OS_VERSION" = "V5.01" then
@ \\servername\sys\public\bin\ZenStart.cmd
end
with ZenStart.cmd merely containing:
sleep 15
net start "network management"
The login script will only trigger on XP (note that the processor returns V5.01, NOT the V5.1 that one would expect); it calls the command file (which is used instead of a batch file so the "sleep" command can be used to allow all of the dependencies to load, etc.).
I'm fundamentally lazy and a firm believer in the K.I.S.S. principle so doing things this way means I don't have to touch any workstations, nor add any 3rd-party software. :-)