14.4 Securing the Communication between Managed Devices and Satellite Servers

As with Primary Servers, secured communication between Managed Devices and Satellite Servers has also been enhanced. From ZENworks 2020 Update 2 onwards, devices that are promoted to Satellite Servers with the Content or Collection role communicate using SSL. This enhanced secured communication between Managed Devices and Satellite Servers can be configured by enabling SSL on the Satellite Servers.

14.4.1 Enabling SSL on Satellite Servers

SSL can be enabled for Collection, Content, and Authentication Satellite Servers. For more information on enabling SSL, see Adding and Configuring Satellite Devices in the ZENworks Primary Server and Satellite Reference.

14.4.2 Satellite Servers Authentication

Token-based authentication has been introduced for authentication at Satellite Servers. By default, Satellite Servers cannot perform basic authentication. However, the security setting on a Satellite Server can be configured by performing the following steps:

  1. In ZCC, click Devices.

  2. Click Servers, and then click the required Satellite Server.

  3. Click Settings > Device Management > System Variables.

  4. In System Variables, add the variables shown in the tables below.

  5. Click Apply.

After upgrading all agents that communicate with Satellite Servers to ZENworks 2020 Update 2 or above, enable the enhanced security feature by adding the following system variables at the zone, folder, or device level:

| Name | Value |
|---|---|
| authfilter.requireAuth | true |
| security.authfilter.allowLegacyDevice | false |

Setting the value of the “security.authfilter.allowLegacyDevice” parameter to false ensures that requests without an authentication header, or requests with a basic header, are not authenticated.

However, if you have older agents in your zone, the following configuration enables these agents to communicate with the Satellite Servers. Requests from agents at version ZENworks 2020 Update 2 or above send a bearer token in the authorization header and are allowed only if the token is valid.

| Name | Value |
|---|---|
| authfilter.requireAuth | true |
| security.authfilter.allowLegacyDevice | true |

Setting the value of the “security.authfilter.allowLegacyDevice” parameter to true ensures that requests without an authentication header, or requests with a basic header, are also authenticated.

14.4.3 Remove server information from HTTP Header

When adding a Satellite Server in the DMZ, you might want to remove server information from the HTTP header for security reasons. To do so, configure the following:

  • On Linux: In the jettyenv file (/opt/novell/zenworks/webserver/conf/jettyenv), change the JettyConfigSendServerVersion value to false. The default value is true.

  • On Windows: In Registry Editor, go to HKEY_LOCAL_MACHINE > Software > Novell > ZCM > Satellite and create a new String Value named JettyConfigSendServerVersion with the value false.

NOTE: For the changes to take effect, ensure that you restart novell-zenworks-jetty.service.

| Registry Key Name | Registry Key Path | Description | Registry Key Type | Registry Key Value |
|---|---|---|---|---|
| JettyConfigSendServerVersion | HKLM\Software\Novell\ZCM\Satellite | Allows users to remove Satellite Server information from the HTTP header. | String | false |

14.4.4 Running Jetty Service as a Non-Root User

Ports 1 to 1023 (privileged ports) are restricted to the root user. Hence, by default, on Linux Satellite Servers, novell-zenworks-jetty.service runs as the root user.

For security reasons, if you want to run novell-zenworks-jetty.service as a non-root user, configure the Satellite Server to use a non-privileged port greater than or equal to 1024 for both HTTP and HTTPS requests, and then apply the following configuration.

On the Linux Satellite Server, in the jettyenv file available in the /opt/novell/zenworks/webserver/conf location, update UseNonRootUser=true

For the changes to take effect, restart novell-zenworks-jetty.service after modifying the jettyenv file.
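The following is an added example, not part of the ZENworks documentation: a shell check that reads a jettyenv file and reports whether the two Linux hardening settings from sections 14.4.3 and 14.4.4 are in effect. It assumes jettyenv holds KEY=value lines with # comments; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit jettyenv for the settings in 14.4.3 and 14.4.4.
# Assumption: jettyenv holds KEY=value lines and '#' starts a comment.

# Print KEY's effective value in FILE, lowercased (last assignment wins;
# quotes and whitespace dropped), or DEFAULT when absent or empty.
jettyenv_get() {
    value=$(sed -e 's/#.*$//' "$1" 2>/dev/null |
        awk -F= -v k="$2" '
            index($0, "=") { name = $1; gsub(/[ \t]/, "", name)
                if (name == k) { v = substr($0, index($0, "=") + 1); hit = 1 } }
            END { if (hit) print v }' |
        tr -d " \t\r\"'" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${value:-$3}"
}

# Report both settings; return 0 only when both are hardened, 2 if unreadable.
audit_jettyenv() {
    file=$1 rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }
    # Page: JettyConfigSendServerVersion defaults to true (header is sent).
    if [ "$(jettyenv_get "$file" JettyConfigSendServerVersion true)" = false ]; then
        echo "PASS: server information removed from the HTTP header"
    else
        echo "FAIL: JettyConfigSendServerVersion is not false"; rc=1
    fi
    # Page: the service runs as root by default, so absent counts as false.
    if [ "$(jettyenv_get "$file" UseNonRootUser false)" = true ]; then
        echo "PASS: jetty service set to run as a non-root user"
    else
        echo "FAIL: UseNonRootUser is not true (service runs as root)"; rc=1
    fi
    return "$rc"
}

# With a path argument, audit that file; otherwise audit a constructed sample.
if [ $# -gt 0 ]; then
    audit_jettyenv "$1"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'JettyConfigSendServerVersion=true' \
        'JettyConfigSendServerVersion = "false"  # last one wins' \
        'UseNonRootUser=true' > "$sample"
    audit_jettyenv "$sample"
    rm -f "$sample"
fi
```

On a Linux Satellite Server, pass /opt/novell/zenworks/webserver/conf/jettyenv as the argument. A PASS reflects the file only; the settings apply after novell-zenworks-jetty.service is restarted.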