21.4 DMZ Server Management

The following sections provide information about controlling access to the capabilities used to manage the ZENworks DMZ Server.

NOTE: Because the ZENworks DMZ Server is also a managed device, the information provided in Device Management applies to managing the device capabilities of the server.

21.4.1 Remote Control/VNC

Description

Component that enables the ZENworks DMZ Server 1) to be managed by a remote administrator and 2) to be used by a local administrator to manage other remote devices. It includes multiple pieces:

  • Remote Management Service: A service that enables a remote administrator to perform management operations on the device.

  • Remote Management Viewer: A management console application that enables a local administrator to perform operations on a remote device.

  • Remote Management Listener: A management console application that enables a local administrator to accept assistance requests from remote devices.

Port

Remote Management Service: 5950

Remote Management Listener: 5500

Recommendation

Remote Management can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform remote management of devices.

If you want to manage the ZENworks DMZ Server remotely, you should perform the remote management from an internal device or an external device that has a VPN connection to your internal network. This allows you to block the Remote Management ports to all external IP addresses.

NOTE: The ZENworks DMZ Server can still be used as a Join Proxy service to allow Remote Management of external devices from an internal ZENworks Server.

How to Secure Access

If you don’t need to manage the ZENworks DMZ Server remotely, stop the service:

  • Linux: Stop novell-rm-x11vnc.socket and novell-rm-xvnc.socket

  • Windows: Stop Novell ZENworks Remote Management Service

If you do want to manage the ZENworks DMZ Server remotely but only from an internal address, configure the firewall to block inbound connections on ports 5950 and 5500 from external addresses.

21.4.2 Imaging Service

Description

Components that are required for various imaging tasks on the ZENworks DMZ Server.

Port

TFTP Service: 69

Preboot Service: 998

Preboot Policy Service: 13331

DHCP Service: 67 and 4011

Recommendation

Imaging can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform imaging of devices.

Disable access to both internal and external addresses.

How to Secure Access

Configure the firewall to prevent traffic on these ports from all addresses.

OR

Stop the service:

  • Linux: Stop novell-tftp.service, novell-pbserv.service, novell-proxydhcp.service, and novell-zmgprebootpolicy.service

  • Windows: Stop novell-tftp, novell-pbserv, novell-zmgprebootpolicy, and novell-proxydhcp
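After stopping the services or adding the firewall rules described in the two "How to Secure Access" procedures above, an administrator will want to confirm that none of the listed ports still has a listener on the Linux DMZ server. The following audit script is an added example, not part of the ZENworks documentation; it parses socket output in the format of `ss -Hlntu` (iproute2, no header, listening TCP and UDP sockets, numeric ports) and reports any socket bound to one of the ports named in this section. The sample output embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the ZENworks documentation): report which of the
# DMZ-server management ports from sections 21.4.1 and 21.4.2 still have a
# listening socket, by parsing `ss -Hlntu` style output.

# Ports this section says should be unreachable on a hardened DMZ server:
# Remote Management Service/Listener, TFTP, Preboot, Preboot Policy, DHCP.
MGMT_PORTS="5950 5500 69 998 13331 67 4011"

# Constructed sample standing in for live `ss -Hlntu` output
# (fields: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:69      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5950    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5500  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 [::]:13331      [::]:*'

# Print "proto port local-address" for each socket in $1 (ss output) whose
# port is in the space-separated list $2. The port is taken after the last
# colon, so IPv4 "0.0.0.0:69", IPv6 "[::]:13331" and "*:998" all parse.
open_mgmt_ports() {
    ss_output=$1
    wanted=$2
    printf '%s\n' "$ss_output" | awk -v wanted="$wanted" '
        BEGIN { n = split(wanted, arr, " "); for (i = 1; i <= n; i++) want[arr[i]] = 1 }
        NF >= 5 {
            laddr = $5
            port = laddr
            sub(/.*:/, "", port)
            if (port in want) print $1, port, laddr
        }'
}

# Succeeds (exit 0) only when no listed port has a listener, i.e. the
# hardening steps from this section took effect; fails (exit 1) otherwise.
mgmt_ports_closed() {
    [ -z "$(open_mgmt_ports "$1" "$MGMT_PORTS")" ]
}

# Stand-alone run against the constructed sample. On a real host, replace
# "$SAMPLE_SS" with "$(ss -Hlntu)".
open_mgmt_ports "$SAMPLE_SS" "$MGMT_PORTS"
```

Note that a service bound only to 127.0.0.1 (as port 5500 is in the sample) still shows up, which is intentional: the recommendation above is to stop the service entirely when remote management of the DMZ server is not needed.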