14.3 Securing the Communication between Managed Devices and Satellite Servers

As with Primary Servers, secured communication between Managed Devices and Satellite Servers has also been enhanced. From ZENworks 2020 Update 2 onwards, devices that are promoted to Satellite Servers with Content or Collection roles communicate using SSL. This enhanced secured communication between Managed Devices and Satellite Servers can be configured by enabling SSL on the Satellite Servers.

14.3.1 Enabling SSL on Satellite Servers

SSL can be enabled for Collection, Content and Authentication Satellite Servers. For more information on enabling SSL, see Adding and Configuring Satellite Devices in the ZENworks Primary Server and Satellite Reference.

14.3.2 Satellite Servers Authentication

Token-based authentication has been introduced for authentication at Satellite Servers. By default, Satellite Servers cannot perform basic authentication. However, the security setting on a Satellite Server can be configured by performing the following steps:

  1. In ZCC, click Devices.

  2. Click Servers, and then click the required Satellite Server.

  3. Click Settings > Device Management > System Variables.

  4. In System Variables, add the variables as shown in the tables below.

  5. Click Apply.

After upgrading all agents that communicate with Satellite Servers to ZENworks 2020 Update 2 or above, enable the enhanced security feature by adding the following system variables at the zone, folder or device level:

Name                                     Value
authfilter.requireAuth                   true
security.authfilter.allowLegacyDevice    false

Setting the value of the “security.authfilter.allowLegacyDevice” parameter to false ensures that requests without an authentication header, or requests with a basic header, are not authenticated.

However, if you have older agents in your zone, the following configuration enables these agents to communicate with the Satellite Servers. Requests from agents with version ZENworks 2020 Update 2 or above send a bearer token as the authorization header and are allowed only if the token is valid.

Name                                     Value
authfilter.requireAuth                   true
security.authfilter.allowLegacyDevice    true

Setting the value of the “security.authfilter.allowLegacyDevice” parameter to true ensures that requests without an authentication header, or requests with a basic header, are also authenticated.

14.3.3 Remove server information from HTTP Header

When adding a Satellite Server in the DMZ, you might want to remove server information from the HTTP header for security reasons. To do so, configure the following:

  • On Linux: In the jettyenv file (/opt/novell/zenworks/webserver/conf/jettyenv), add:

    JettyConfigSendServerVersion=false

  • On Windows: In Registry Editor, go to HKEY_LOCAL_MACHINE > Software > Novell > ZCM > Satellite and create a new String Value named JettyConfigSendServerVersion with the value false.

NOTE: For the changes to take effect, ensure that you restart novell-zenworks-jetty.service.

Registry Key Name             Registry Key Path                   Description                                                                Registry Key Type  Registry Key Value
JettyConfigSendServerVersion  HKLM\Software\Novell\ZCM\Satellite  Allows users to remove Satellite Server information from the HTTP header.  String             false
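
One way to verify the header hardening from 14.3.3 after the service restart, as an added example that is not vendor code: it checks the jettyenv setting and tests a response's Server header for a version string. It assumes jettyenv holds KEY=value lines with # comments; the sample responses are constructed and the host in the final comment is a placeholder.

```sh
#!/bin/sh
# Added example, not vendor code. Assumes jettyenv holds KEY=value lines with
# '#' comments and that the last assignment of a key is the effective one.

# Exit 0 if file $1 sets JettyConfigSendServerVersion=false on an active line.
jettyenv_hides_version() {
    val=$(sed -n -e 's/#.*//' \
        -e 's/^[[:space:]]*JettyConfigSendServerVersion[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
    [ "$val" = "false" ]
}

# Read raw response headers on stdin. Print the Server value and exit 0 if it
# carries a version-like token (digit.digit); exit 1 if absent or version-free.
server_header_leaks_version() {
    hdr=$(tr -d '\r' | awk 'tolower($0) ~ /^server[ \t]*:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    case "$hdr" in
        *[0-9].[0-9]*) printf '%s\n' "$hdr"; return 0 ;;
    esac
    return 1
}

report() {  # $1 = label, $2 = raw response headers
    if leak=$(printf '%s\n' "$2" | server_header_leaks_version); then
        echo "$1: FAIL, Server header discloses '$leak'"
    else
        echo "$1: ok, no version in Server header"
    fi
}

# Constructed sample responses, not captured from a real Satellite Server.
BEFORE='HTTP/1.1 200 OK
Server: ExampleServer(1.2.3)
Content-Length: 0'
AFTER='HTTP/1.1 200 OK
Content-Length: 0'
report "before change" "$BEFORE"
report "after change" "$AFTER"

CONF=/opt/novell/zenworks/webserver/conf/jettyenv   # path given on this page
if [ -r "$CONF" ]; then
    if jettyenv_hides_version "$CONF"; then echo "jettyenv: ok"
    else echo "jettyenv: JettyConfigSendServerVersion is not false"; fi
fi
# Live check (placeholder host): curl -sI https://satellite.example.com/ | server_header_leaks_version
```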