14.2 Securing ZENworks Primary Server

ZENworks runs several services that listen on open ports; exposing those ports outside the data center is a potential security risk. For a list of the ports ZENworks uses, see ZENworks TCP and UDP Ports (novell.com).

To improve the security and manageability of ZENworks, two separate Tomcat processes run on the Primary Server: one for administrative services and one for client services. The administrative process hosts ZENworks Control Center and the administrative web services used by zman commands; by default it listens on port 7443. The client process hosts the client web services, the ZENworks End User Portal, and the ZENworks Setup page; by default it listens on port 443.

Deploy and Configure ZENworks Securely

This section describes how to deploy and configure ZENworks securely.

Because client communication with the ZENworks server uses specific ports, the server firewall can be configured to allow access from outside the data center to only those ports. The one exception is the administrative port (default 7443), which should be reachable only from designated administrative devices. Any standard networking technique can be used to achieve this, such as placing the servers in an isolated network or applying restrictive access controls within the data center.

The ZENworks deployment strategy used to provide secure access to the servers is shown in the following diagram:

In the diagram, three ZENworks servers are deployed and running in a data center. The servers are on the same network and can communicate with one another. The managed devices are on other networks and can reach the data center network only over the specified ports (the client access port configured on the ZENworks servers). This can be achieved either by configuring the firewall on each server individually or by configuring access restrictions in the data center network.

You can restrict access to ZENworks Control Center to a specific list of whitelisted IP addresses. You can build this list using the MDM access control restrictions or the appropriate firewall restrictions.
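The following script is an added example, not part of the ZENworks documentation or product, showing how the per-server firewall described above can be expressed for a Linux Primary Server: the client port is open to everyone, the administrative port is open only to the whitelisted administrative hosts, peer servers in the data center network are allowed, and everything else is dropped by the default policy. Port numbers are the ZENworks defaults (443 client, 7443 admin); the network ranges, the SSH allowance for administrative hosts, and the function names are assumptions made for the example. The script only prints an iptables-restore rule set; nothing is applied unless you pipe its output into iptables-restore yourself.

```shell
#!/bin/sh
# Added example (not from the ZENworks documentation or product).
# Generates an iptables-restore rule set for a Linux ZENworks Primary Server:
#   - client port (default 443) reachable from anywhere
#   - administrative port (default 7443) reachable only from designated hosts
#   - the data center server network (peer Primary Servers, database) allowed
#   - everything else dropped by the INPUT policy
# The network ranges and the SSH allowance for admin hosts are assumptions.

CLIENT_PORT=443   # ZENworks default client / End User Portal / Setup port
ADMIN_PORT=7443   # ZENworks default ZENworks Control Center / zman port
SSH_PORT=22       # assumption: admins also need shell access to the server

# zen_valid_cidr <addr[/prefix]>
# Accept only an IPv4 address or IPv4 CIDR so a typo cannot silently turn
# into an unexpected rule (iptables would reject garbage, but only at apply time).
zen_valid_cidr() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# zen_fw_rules <server-net-cidr> <admin-cidr>...
# Prints the rule set to stdout; returns 1 and prints nothing if any range is bad.
zen_fw_rules() {
    server_net=$1; shift
    for c in "$server_net" "$@"; do
        zen_valid_cidr "$c" || { echo "bad network range: $c" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# peer Primary Servers and the database share the data center network
-A INPUT -s $server_net -j ACCEPT
# client web services, End User Portal, Setup page: reachable from any network
-A INPUT -p tcp --dport $CLIENT_PORT -j ACCEPT
EOF
    for admin in "$@"; do
        # ZENworks Control Center and zman services: designated hosts only
        echo "-A INPUT -p tcp -s $admin --dport $ADMIN_PORT -j ACCEPT"
        echo "-A INPUT -p tcp -s $admin --dport $SSH_PORT -j ACCEPT"
    done
    # no explicit rule for $ADMIN_PORT from other sources: the DROP policy handles it
    echo "COMMIT"
}

# Usage as a script (review the output before applying it):
#   sh zenfw.sh 10.20.0.0/24 10.99.1.0/24 192.0.2.10 | iptables-restore
if [ $# -gt 0 ]; then
    zen_fw_rules "$@"
fi
```

After applying the rules, confirm from a managed device's network that port 443 answers and port 7443 does not, and from an administrative host that both answer. The generated set covers inbound traffic to a single server only; if the data center network itself enforces the restriction (the second option in the text), the same allow-list belongs in that network's access control rather than on each server.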