14.2 Secure Communication between Managed Devices and ZENworks Servers

The ZENworks Agent on managed devices communicates with ZENworks Primary Servers and Satellites for tasks such as registering devices, authenticating identity, downloading content, and uploading collected data.

ZENworks uses a combination of transport encryption (SSL), authorization, and authentication to secure communication between managed devices and servers:

  • Primary Server SSL: The Primary Server uses SSL for all communication with managed devices.

  • Satellite SSL: By default, Satellites do not use SSL when communicating with managed devices. However, you can enable SSL on a Satellite so that identity authentication, content, and collection use secure communication. On Satellites performing identity authentication, SSL is required.

  • Authorized Registration: Only devices that are authorized by ZENworks administrators can register to ZENworks. Authorization methods include the use of predefined Authorization Keys or pre-approved devices lists.

  • Authentication Headers: Once a device is registered as a managed device, the ZENworks Agent uses authentication headers when communicating with ZENworks servers. Any communication that does not include the correct authentication header is rejected.
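To make the two device-side controls above concrete, the following is an added example (not ZENworks code) that models a Primary Server or Satellite with the Authorized Registration and Authentication Headers toggles. The header scheme (an HMAC-SHA256 over the device identity and request body, keyed by a per-device secret issued at registration), the authorization key value and the device names are all assumptions made for illustration; ZENworks's actual wire format is not documented on this page.

```python
"""Model of Authorized Registration and Authentication Headers.
Added example; the header format and key handling are assumed for
illustration and are not ZENworks's actual protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def make_auth_header(secret, device_id, body):
    """Assumed header scheme: HMAC-SHA256 over the device id and body."""
    msg = device_id.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class Server:
    """A Primary Server or Satellite with the two secure-communication toggles."""
    authorized_registration: bool
    authentication_headers: bool
    authorization_keys: set = field(default_factory=set)    # admin-created keys
    pre_approved_devices: set = field(default_factory=set)  # admin-approved device ids
    device_secrets: dict = field(default_factory=dict)      # issued at registration

    def register(self, device_id, authorization_key=None):
        """Register a device; returns its per-device secret, or None if refused."""
        if self.authorized_registration:
            allowed = (authorization_key in self.authorization_keys
                       or device_id in self.pre_approved_devices)
            if not allowed:
                return None
        secret = secrets.token_bytes(32)
        self.device_secrets[device_id] = secret
        return secret

    def handle(self, device_id, body, auth_header=None):
        """Accept a post-registration request only with the correct header."""
        if not self.authentication_headers:
            return True  # unsecured server: no header demanded (pre-Update 2 style)
        secret = self.device_secrets.get(device_id)
        if secret is None or auth_header is None:
            return False
        expected = make_auth_header(secret, device_id, body)
        # Constant-time comparison so the check leaks nothing about the header.
        return hmac.compare_digest(expected, auth_header)


def rollout_demo():
    """Walk through the outcomes the text describes and return them by name."""
    secured = Server(authorized_registration=True, authentication_headers=True,
                     authorization_keys={"KEY-EXAMPLE-1"},   # constructed key
                     pre_approved_devices={"laptop-0042"})   # constructed device id
    unsecured = Server(authorized_registration=False, authentication_headers=False)
    results = {}
    # An unknown device with no key is refused by a secured server.
    results["unknown_refused"] = secured.register("rogue-01") is None
    # A pre-approved device registers without a key; a keyed device registers too.
    results["preapproved_ok"] = secured.register("laptop-0042") is not None
    secret = secured.register("desktop-0007", authorization_key="KEY-EXAMPLE-1")
    results["keyed_ok"] = secret is not None
    body = b'{"action":"upload-inventory"}'  # constructed request body
    good = make_auth_header(secret, "desktop-0007", body)
    results["header_ok"] = secured.handle("desktop-0007", body, good)
    # A modified body no longer matches the header.
    results["tampered_rejected"] = not secured.handle("desktop-0007", body + b"x", good)
    # An agent that sends no header (pre-Update 2 behaviour) is rejected by the
    # secured server but still served by a server left unsecured for it.
    results["legacy_on_secured"] = secured.handle("desktop-0007", body)
    unsecured.register("old-pc-01")
    results["legacy_on_unsecured"] = unsecured.handle("old-pc-01", body)
    return results


if __name__ == "__main__":
    for name, outcome in rollout_demo().items():
        print(f"{name}: {outcome}")
```

The `legacy_on_secured` outcome is the situation section 14.2.2 warns about: once a server enforces headers, a device that cannot send one is cut off, which is why the text recommends upgrading agents before securing the server they talk to.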

14.2.1 Recommendations for a New ZENworks System

In a new installation of a ZENworks 2020 Update 2 system, the following secure communication methods are enabled by default:

  • Primary Server SSL

  • Authorized Registration

  • Authentication Headers

Micro Focus strongly recommends that you also do the following:

  • Satellite SSL: Enable SSL on any Satellites with Authentication, Content Server, or Collection Server roles. This ensures that all Satellite-managed device communication for identity authentication, content downloads, and data collection is secure. The primary reason SSL is not enabled on Satellites by default is to ensure that you have the necessary resources and time to procure and configure SSL certificates on Satellites when using an external Certificate Authority. If you are using the internal ZENworks Certificate Authority, Satellites are automatically configured with SSL certificates when you enable SSL so you should enable SSL immediately.

    For instructions, see Adding and Configuring Satellite Devices in the ZENworks Primary Server and Satellite Reference.

  • TLS v1.2: TLS v1.2 is required on managed devices. Ensure that all ZENworks-managed devices have TLS v1.2 installed and configured. If you have older devices that require configuration, see Securing ZENworks 2020 Update 2 by Disabling Older Security Protocols.

14.2.2 Recommendations for an Upgraded ZENworks System

In a ZENworks 2020 Update 2 system upgraded from an earlier version, the following secure communication methods are enabled by default:

  • Primary Server SSL

The other methods (Authorized Registration, Authentication Headers, and Satellite SSL) are not enabled on upgrade. This is to ensure that communication between your existing managed devices and Primary Servers/Satellites is not disrupted. Pre-Update 2 ZENworks Agents do not support authorized registration and authentication headers and therefore cannot communicate with Primary Servers/Satellites that have those methods enabled.

To best protect your ZENworks system, Micro Focus strongly recommends that you enable all secure communication methods as soon as possible using an approach that meets the security requirements for your organization. These recommendations, and implementation considerations, are:

  • Authorized Registration/Authentication Headers: Enable these two secure communication methods together, one Primary Server/Satellite at a time. Because pre-Update 2 ZENworks Agents cannot communicate with “secured” Primary Servers and Satellites, consider the following as you plan your implementation:

    • Any Internet-facing Primary Servers (that is, in the DMZ) are at greatest risk, so enabling the secure communication methods on them should be your first priority. After you enable a DMZ server, only managed devices with the Update 2 ZENworks Agent (or newer) will be able to communicate with the server. Therefore, ensure that managed devices that connect to the DMZ server are running the Update 2 ZENworks Agent before securing the DMZ server. For instructions to enable or disable the secured communication, see Security Commands in the ZENworks Command Line Utilities Reference.

    • Non-Internet-facing Primary Servers/Satellites (that is, on your internal network) should be enabled for secure communication as soon as possible. If you have pre-Update 2 managed devices, one approach is to keep one non-secured Primary Server/Satellite and configure those devices to access that server until they are upgraded.

    • Be aware that the following processes will require workflow modifications in order to work on a secured Primary Server/Satellite:

      • Registration: To register devices, you will need to create Authorization Keys or Pre-Approved Devices lists to support the enforced authorized registration. For information, see Registering Devices in the ZENworks Discovery, Deployment, and Retirement Reference.

      • Reconciliation: Reconciliation is the process used when an existing device is re-registered into the zone. The reconciliation process matches the physical device with its existing ZENworks device object so that the device regains all of its assignments and configuration. To reconcile devices, you will also need to use Authorization Keys or Pre-Approved Devices lists. For information, see Registering Devices in the ZENworks Discovery, Deployment, and Retirement Reference.

      • Imaging: When including the ZENworks Agent in an image, you need to include an Authorization Key in the image or add the imaged device to the pre-approved devices list prior to imaging it. For information, see Authorized Registration for Device Imaging.

    For information about enabling secure communication (Authorized Registration/Authentication Headers) on a Satellite, see Securing the Communication between Managed Devices and Satellite Servers.

  • Satellite SSL: Enable SSL on any Satellites with Authentication, Content Server, or Collection Server roles. This ensures that all Satellite-managed device communication for identity authentication, content downloads, and data collection is secure. For instructions, see Adding and Configuring Satellite Devices in the ZENworks Primary Server and Satellite Reference.

  • TLS v1.2: ZENworks systems that are upgraded to ZENworks 2020 Update 2 do not require TLS v1.2 on managed devices. Instead, the Primary Servers and Satellites retain their configuration that allows agents to use older TLS versions. However, as TLS v1.2 provides the best security, Micro Focus recommends that you configure an upgraded ZENworks system to support only TLS v1.2. For information, see Securing ZENworks 2020 Update 2 by Disabling Older Security Protocols.
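Both the new-system and upgraded-system recommendations end with TLS v1.2. After disabling older protocols on a Primary Server or Satellite, a practitioner wants to verify from the outside that TLS 1.0 and 1.1 are really refused and TLS 1.2 is still accepted. The following is an added example (not ZENworks code) that performs that check with Python's standard `ssl` module by pinning each handshake to exactly one protocol version; the default port of 443 and the host name passed on the command line are assumptions, and the probe deliberately distinguishes a refusal by the server from a local OpenSSL build that will not offer an old version at all.

```python
"""Probe which TLS protocol versions a ZENworks Primary Server or Satellite
accepts, to confirm a "TLS 1.2 only" configuration. Added example, not
ZENworks code. Usage: python tls_probe.py <host> [port]"""
import socket
import ssl
import sys

# Protocol versions to try, oldest first.
VERSIONS = (
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
)

# OpenSSL error reasons that mean the local library never offered the
# version, as opposed to the server refusing it.
LOCAL_REASONS = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"}


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one protocol version.
    Returns "accepted", "rejected", "untestable" or "unreachable"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate trust is not what this probe measures, so verification is
    # off here; a real agent or client must never do this.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Let the probe offer legacy versions even on hardened OpenSSL builds.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as exc:
        if exc.reason in LOCAL_REASONS:
            return "untestable"
        return "rejected"  # e.g. TLSV1_ALERT_PROTOCOL_VERSION sent by the server
    except OSError:
        return "unreachable"  # includes timeouts and refused connections


def probe(host, port=443):
    """Probe every version in VERSIONS; returns {version_name: outcome}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}


def assess(results):
    """Turn probe results into findings; an empty list means the server
    matches the TLS 1.2-only recommendation."""
    findings = []
    if results.get("TLSv1.2") != "accepted":
        findings.append("TLSv1.2 was not accepted; Update 2 agents require it")
    for name in ("TLSv1.0", "TLSv1.1"):
        outcome = results.get(name)
        if outcome == "accepted":
            findings.append(f"{name} is still accepted; disable it on the server")
        elif outcome == "untestable":
            findings.append(f"{name} could not be offered from this host; verify another way")
    return findings


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcomes = probe(target, target_port)
    for name, outcome in outcomes.items():
        print(f"{name}: {outcome}")
    problems = assess(outcomes)
    for finding in problems:
        print("FINDING:", finding)
    sys.exit(1 if problems else 0)
```

Run it against each Primary Server and SSL-enabled Satellite after changing the protocol configuration; a non-zero exit status flags a server that still accepts an older protocol, or one whose TLS 1.2 support could not be confirmed, which is the case to resolve before pointing Update 2 agents at it.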