Like other ZENworks Servers, the ZENworks DMZ Server provides the capabilities required for administration of the ZENworks Management Zone. The following sections provide information about controlling access to these administration capabilities:
ZENworks Control Center (ZCC)
Description: Administrative console used to manage the ZENworks Zone. ZENworks Control Center is available on each ZENworks Primary Server.
Service: ZENworks Server (Tomcat)
Port: 443 and 80; port 80 access redirects to port 443
Recommendation: Disable access from both external and internal addresses. ZENworks management can be performed by launching ZCC from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server.
How to Secure Access: Define the ZENworks DMZ Server as an MDM server and use the access control settings to deny ZCC access to external devices. For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference.
Note: If you do not want to add the DMZ Server as an MDM server, there is another way to restrict ZCC access. For information, see Restricting Access to ZENworks Control Center in the ZENworks Control Center Reference.
ZENworks Download Page
Description: Download page for ZENworks agent installation files as well as administrative, inventory, and imaging tools.
Service: ZENworks Server (Tomcat)
Port: 443 and 80; port 80 access redirects to port 443
Recommendation: Disable access from both external and internal addresses. The ZENworks Download page can be reached on any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for this purpose and do not use the ZENworks DMZ Server. Be aware that if you disable the ZENworks Download page, any external devices that you want to register to the zone will need to get the Agent installation files another way, such as using a VPN to reach an internal server or downloading the files from another secure external-facing repository to which you have copied them.
How to Secure Access: Define the ZENworks DMZ Server as an MDM server and use the access control settings to deny Download page access to external devices. For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference.
Diagnostics Ports
Description: Diagnostics ports used to get the current status of ZENworks processes.
Service and Port:
  ZENworks Loader: 61491
  ZENworks Join Proxy: 61492
  ZENworks CASA: 61493
  ZENworks Xplat Agent: 61494
  ZENworks Antimalware Service: 61195
Recommendation: All diagnostics probe requests go from one ZENworks Primary Server to another. Allow access from internal ZENworks Servers but disable access from all external addresses.
How to Secure Access: Configure the firewall to prevent inbound connections on these ZENworks DMZ Server ports from external addresses. Allow inbound connections from any internal ZENworks Servers.
ZENworks Appliance Console
Description: The management console for the ZENworks Appliance.
Port: 9443
Recommendation: Disable access from external addresses. Restrict internal access to the IP address of a single device, either in the DMZ or on the internal network, from which you launch a Web browser for the Appliance console.
How to Secure Access: In the ZENworks Appliance console:
OR configure the firewall to prevent inbound traffic on this port from external addresses and from internal addresses other than the IP address of the designated administration device.
ZMAN
Description: Command line interface used to manage the ZENworks Zone. ZMAN is available on each ZENworks Primary Server. ZMAN uses the Tomcat Admin Webservices, so disabling the Admin Webservices also disables ZMAN access. For details, see Admin Webservices.
Admin Webservices
Description: The Tomcat webapps used for ZENworks administration.
Service: ZENworks Server (Tomcat)
Port: 443 and 80
Recommendation: Disable access from both external and internal addresses. ZENworks management can be performed from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server.
How to Secure Access: Use the Tomcat Remote Address Filter to block external access to the Admin Webservices. If you want to block external access to all Tomcat Webservices:
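The two controls this page relies on, a host firewall for the diagnostics ports and the Appliance console, and the Tomcat Remote Address Filter (RemoteAddrValve) for the Admin Webservices, rendered from one list of trusted addresses. This is an added example, not ZENworks product code or ZENworks documentation. It assumes nftables as the DMZ Server's host firewall (the page does not name one), all IP addresses are constructed placeholders, and, because the page does not state the webapp path under which ZENworks deploys the Admin Webservices, the Tomcat fragment is shown as a context.xml body to be applied to that context rather than as a full server.xml entry.

```shell
#!/bin/sh
# Added example, not ZENworks product code. One list of trusted internal
# addresses is rendered into (a) an nftables ruleset for the DMZ Server's
# host firewall and (b) a Tomcat RemoteAddrValve for the Admin Webservices.
# Every address below is a constructed placeholder; substitute your own.

# Internal ZENworks Primary Servers: the only sources allowed to reach the
# diagnostics ports, and (with the admin workstation) the Admin Webservices.
INTERNAL_ZEN_SERVERS="10.20.0.11 10.20.0.12"
# The single designated device allowed to open the Appliance console (9443).
APPLIANCE_ADMIN="10.20.5.40"
# Diagnostics ports exactly as listed in the table above.
DIAG_PORTS="61491 61492 61493 61494 61195"
APPLIANCE_PORT=9443

# "a b c" -> "a, b, c" (nft set element syntax)
nft_elements() {
  printf '%s\n' "$1" | sed 's/ /, /g'
}

# nftables ruleset: diagnostics ports accepted only from the internal
# ZENworks servers, 9443 only from the admin device, and both dropped from
# every other source, external or internal. The existing 80/443 handling
# belongs to the rest of your ruleset and is not repeated here.
render_nft_rules() {
  cat <<EOF
table inet zen_dmz {
  set zen_servers {
    type ipv4_addr
    elements = { $(nft_elements "$INTERNAL_ZEN_SERVERS") }
  }
  set diag_ports {
    type inet_service
    elements = { $(nft_elements "$DIAG_PORTS") }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr @zen_servers tcp dport @diag_ports accept
    tcp dport @diag_ports drop
    ip saddr $APPLIANCE_ADMIN tcp dport $APPLIANCE_PORT accept
    tcp dport $APPLIANCE_PORT drop
  }
}
EOF
}

# "10.20.0.11 10.20.0.12" -> "10\.20\.0\.11|10\.20\.0\.12". RemoteAddrValve
# matches the client address string against a Java regular expression, so
# the dots must be escaped or "10.20.0.11" would also match "10x20y0z11".
valve_allow_regex() {
  printf '%s\n' "$1" | sed -e 's/\./\\./g' -e 's/ /|/g'
}

# Tomcat context fragment for the Admin Webservices webapp (its META-INF/
# context.xml, or the matching <Context> element in server.xml). Requests
# from any address not in "allow" are refused; denyStatus="404" answers
# them as not found instead of 403, which tells a scanner less.
render_tomcat_context() {
  cat <<EOF
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="$(valve_allow_regex "$INTERNAL_ZEN_SERVERS $APPLIANCE_ADMIN")"
         denyStatus="404" />
</Context>
EOF
}

# Stand-alone run: print both artifacts. Syntax-check the ruleset with
#   render_nft_rules | nft -c -f -
# before loading it for real with nft -f.
render_nft_rules
render_tomcat_context
```

Two caveats for the Tomcat half. RemoteAddrValve filters on the TCP peer address: if a reverse proxy or load balancer sits in front of the DMZ Server, every request arrives from the proxy's address and the valve allows or denies all clients alike, so either put the restriction on the proxy or add RemoteIpValve for a proxy you trust to set X-Forwarded-For. And the valve only guards Tomcat contexts; the diagnostics ports are separate listeners, which is why they are covered by the firewall rules rather than by the valve.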