2.1 Setting Up Remote Management to Manage a Windows Device

2.1.1 Configuring the Remote Management Settings on a Windows Device

The Remote Management settings are rules that determine the behavior or the execution of the Remote Management service on the managed device. The settings include configuration for the ports, session settings, and performance settings during the remote session. These settings can be applied at zone, folder, and device levels.

The following sections provide information on configuring the Remote Management settings at the different levels:

Configuring the Remote Management Settings at the Zone Level of a Windows Device

By default, the Remote Management settings configured at the zone level apply to all the managed devices.

  1. In ZENworks Control Center, click Configuration.

  2. In the Management Zone Settings panel, click Device Management, then click Remote Management.

  3. Select Run Remote Management Service on Port and specify the port to enable the Remote Management service to run on that port.

    By default, the Remote Management service listens on port number 5950.

  4. Select the Session Settings options:

    Look Up Viewer DNS Name at the Start of the Remote Session: Enables the Remote Management service to look up the DNS name of the management console at the start of the remote session.

      The name is saved in the audit logs and is displayed as a part of the session information during the remote sessions. If this option is not selected or the Remote Management service is unable to find the console name, then the console name is displayed as unknown.

      If your network does not have reverse DNS lookup enabled, then we recommend that you disable this setting to prevent a significant delay in starting the remote session.

    Allow Remote Session when no user is logged on to the managed device: Enables a remote operator to remotely manage a device when the policy allows the remote operation but no user has logged in to the device. This option is selected by default.

  5. Select from the following options for improving the performance of a remote session:

    Suppress Wallpaper: Suppresses the wallpaper on the managed device during a remote session. This prevents the bitmap data of wallpaper from being repeatedly sent to the Remote Management console and thereby enhances the performance of the remote session.

    Enable Optimization Driver: Enables the optimization driver, which is installed by default on every managed device. If you select this option, only the changed portion of the screen on the managed device is captured and updated on the Remote Management console during the remote session, thereby enhancing the performance of the remote session.

  6. (Optional) Configure a remote management proxy to perform remote operations on the managed device.

    If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy. You must install the proxy separately. For information on installing the remote management proxy, see Section 2.5.1, Installing a Remote Management Proxy.

    Add a remote management proxy:

    1. Click Add to display the Add Proxy Settings dialog box.

    2. Fill in the following fields:

      Proxy: Specify the IP address or DNS name of the remote management proxy.

      IP Address Range: Specify the IP addresses of the devices you want to remotely manage through the remote management proxy. You can specify the IP address range in one of the following ways:

      • Specify the range of IP addresses using CIDR (Classless Inter-Domain Routing) notation. With CIDR, the dotted decimal portion of the IP address is interpreted as a 32-bit binary number that has been broken into four 8-bit bytes. The number following the slash (/n) is the prefix length, which is the number of shared initial bits, counting from the left side of the address. The /n number can range from 0 to 32, with 8, 16, 24, and 32 being commonly used numbers. Examples:

        123.45.678.12/16: Specifies all IP addresses that start with 123.45.

        123.45.678.12/24: Specifies all IP addresses that start with 123.45.678.

      • Specify the range of IP addresses in the From IP address - To IP address format. For example:

        123.45.678.12 - 123.45.678.15: Specifies all IP addresses in the range 123.45.678.12 to 123.45.678.15.

    Delete a remote management proxy:

    1. Select the proxy you want to delete.

    2. Click Delete, then click OK.

  7. (Optional) Configure an application to be launched on the managed device during the Remote Diagnostics session by adding it to the Diagnostics Applications list. By default, the list includes the following applications:

    • System Information

    • Computer Management

    • Services

    • Registry Editor

    The following table lists the tasks that you can perform to customize the Diagnostics Applications list:

    Add an application:

    1. Click Add.

    2. Specify the application name and the application path on the managed device.

    3. Click OK.

    Delete an application:

    1. Select the application you want to delete.

    2. Click Delete, then click OK.

    Revert to default applications:

    1. Click Revert, then click OK.

  8. Click Apply, then click OK.

These changes take effect on the device when the device is refreshed.
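The two IP Address Range formats from step 6, worked through as an added example (not ZENworks code): it expands each entry to its first and last address and reports which proxy entries cover a given device. The proxy names and addresses are constructed, because the sample addresses in the text contain the octet 678, which is not a valid IPv4 octet. How ZENworks chooses between overlapping entries is not stated here, so the example only reports the overlap.

```python
import ipaddress

# Constructed sample table: (proxy, IP Address Range) pairs in the two formats
# the Add Proxy Settings dialog accepts. Host names and addresses are made up.
PROXY_TABLE = [
    ("proxy-a.example.com", "198.51.100.12/24"),
    ("proxy-b.example.com", "10.20.30.12 - 10.20.30.15"),
    ("proxy-c.example.com", "10.20.99.7/16"),
]


def parse_range(spec):
    """Return (first, last) addresses for a CIDR or 'From - To' range string.

    Raises ValueError for anything that is not valid IPv4, including an
    octet above 255 or a prefix length outside 0..32.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False keeps only the first n bits, so the host part of
        # 198.51.100.12/24 is ignored and the range is 198.51.100.0-255.
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:
        low, high = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if low > high:
            raise ValueError(f"From address is above To address: {spec!r}")
        return low, high
    raise ValueError(f"not a CIDR or From - To range: {spec!r}")


def range_size(spec):
    """Number of addresses the range covers."""
    first, last = parse_range(spec)
    return int(last) - int(first) + 1


def proxies_for(device_ip, table=PROXY_TABLE):
    """Every proxy whose range contains device_ip, in table order."""
    ip = ipaddress.IPv4Address(device_ip)
    hits = []
    for proxy, spec in table:
        first, last = parse_range(spec)
        if first <= ip <= last:
            hits.append(proxy)
    return hits


def overlapping_entries(table=PROXY_TABLE):
    """Pairs of proxies whose ranges share at least one address."""
    parsed = [(proxy, *parse_range(spec)) for proxy, spec in table]
    pairs = []
    for i, (name_a, first_a, last_a) in enumerate(parsed):
        for name_b, first_b, last_b in parsed[i + 1:]:
            if first_a <= last_b and first_b <= last_a:
                pairs.append((name_a, name_b))
    return pairs


if __name__ == "__main__":
    for proxy, spec in PROXY_TABLE:
        first, last = parse_range(spec)
        print(f"{proxy}: {first} - {last} ({range_size(spec)} addresses)")
    print("10.20.30.13 is covered by:", proxies_for("10.20.30.13"))
    print("overlapping entries:", overlapping_entries())
```

A /16 entry covers 65,536 addresses, so checking the expanded range before saving it shows how many devices the entry actually routes through the proxy.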

Configuring the Remote Management Settings at the Folder Level of a Windows Device

By default, the Remote Management settings configured at the zone level are applied to all the managed devices. However, you can modify these settings for the devices within a folder:

  1. In ZENworks Control Center, click Devices.

  2. Click the folder (details) for which you want to configure the Remote Management settings.

  3. Click Settings, then click Device Management > Remote Management.

  4. Click Override.

  5. Edit the Remote Management settings as required.

  6. To apply the changes, click Apply.

    or

    To revert to the system settings configured at the zone level, click Revert.

  7. Click OK.

These changes take effect on the device when the device is refreshed.

Configuring the Remote Management Settings at the Windows Device Level

By default, the Remote Management settings configured at the zone level are applied to all the managed devices. However, you can modify these settings for the managed device:

  1. In ZENworks Control Center, click Devices.

  2. Click Servers or Workstations to display the list of managed devices.

  3. Click the device for which you want to configure the Remote Management settings.

  4. Click Settings, then click Device Management > Remote Management.

  5. Click Override.

  6. Edit the Remote Management settings as required.

  7. To apply the changes, click Apply.

    or

    To revert to the previously configured system settings on the device, click Revert.

    If the Remote Management settings on the device were configured at the folder level, the settings revert to the configured folder level settings; otherwise, they revert to the default zone level settings.

  8. Click OK.

These changes take effect on the device when the device is refreshed.

2.1.2 Creating the Remote Management Policy

The Remote Management policy lets you configure the behavior or execution of a Remote Management session on the managed device. The policy includes settings for Remote Management operations such as Remote Control, Remote View, Remote Execute, Remote Diagnostics, and File Transfer, and also allows you to control settings for security.

By default, a secure Remote Management policy is created on the managed device when the ZENworks Adaptive Agent is deployed with the Remote Management component on the device. You can use the default policy to remotely manage a device. To override the default policy, you can explicitly create a Remote Management policy for the device.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, click New, then click Policy to display the Select Policy Type page.

  3. Select Remote Management Policy, click Next to display the Define Details page, then fill in the fields:

    Policy Name: Provide a unique name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder.

    Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

    Description: Provide a short description of the policy’s content. This description displays in the summary page of the policy in ZENworks Control Center.

  4. Click Next to display the Remote Management General Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Allow User to Request a Remote Session: Enables the user on the managed device to request a remote operator to perform a remote session. The remote operator must ensure that the Remote Management Listener is running.

    Terminate the Remote Session When Permission Is Required from a New User Logging In to the Managed Device: Terminates an ongoing remote session when permission is required from a new user who has logged into a remotely managed device.

    Display Remote Session Audit Information to the User on the Managed Device: Allows the user on the managed device to view the audit information for remote sessions from the ZENworks icon.

    Display Remote Management Properties in the ZENworks Icon: Allows the user on the managed device to view the properties associated with the Remote Management policy in the ZENworks icon.

    Edit

    To edit the message displayed to the user on the managed device before starting a remote session:

    1. Click Edit to display the Edit Message dialog box.

    2. Edit the message.

    3. Click OK.

    Restore default

    To restore the default message:

    1. Click Restore default to revert to the default message.

    Add a Remote Listener

    To add a Remote Listener:

    1. Click Add.

    2. In the Add Remote Listener dialog box, specify the DNS name or IP address of the management console and the port number on which the Remote Management Listener will listen for remote session requests.

    3. Click OK.

    Delete a Remote Listener

    To delete a Remote Listener:

    1. Select the Remote Listener you want to delete.

    2. Click Delete.

  5. Click Next to display the Remote Control Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Allow Managed Device to be Controlled Remotely: Allows Remote Control sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Control operation on the device.

    Ask Permission from User on Managed Device Before Starting Remote Control: Allows you to request permission from the user on the managed device before starting a Remote Control session.

    Give Visible Signal to User on Managed Device During Remote Control: Displays a visible signal in the top right corner of the managed device desktop during the Remote Control session. The visible signal lets the user on the managed device know that a Remote Control session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Control: Generates a beep on the managed device during a Remote Control session. The beep is generated periodically after the specified number of seconds.

    Allow Managed Device Screen to be Blanked During Remote Control: Enables blanking of the screen of the managed device during a Remote Control session. Selecting this option also locks the keyboard and the mouse controls of the managed device.

    Allow Managed Device Mouse and Keyboard to be Locked During Remote Control: Enables locking of the managed device mouse and keyboard during a Remote Control session.

    Allow Screen Saver to be Automatically Unlocked During Remote Control: Enables the unlocking of a password-protected screen saver from the Remote Control Viewer before the start of a Remote Control session on the managed device.

    Automatically Terminate Remote Control Session After Inactivity of [ ] Minutes: Terminates a Remote Control session on the managed device if it has been inactive for the specified duration.

  6. Click Next to display the Remote View Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Allow Managed Device to be Viewed Remotely: Allows Remote View sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote View operation on the device.

    Ask Permission from User on Managed Device Before starting Remote View: Allows you to request permission from the user on the managed device before starting a Remote View session.

    Give Visible Signal to User on Managed Device During Remote View: Displays a visible signal in the top right corner of the managed device desktop during the Remote View session. The visible signal lets the user on the managed device know that a Remote View session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote View: Generates a beep on the managed device during the Remote View session. The beep is generated periodically after the specified number of seconds.

  7. Click Next to display the Remote Diagnostics Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Allow Managed Device to be Diagnosed Remotely: Allows Remote Diagnostics sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Diagnostics operation on the device.

    Ask Permission from User on Managed Device Before starting Remote Diagnostics: Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Diagnostics session.

    Give Visible Signal to User on Managed Device During Remote Diagnostics: Displays a visible signal in the top right corner of the managed device desktop during the Remote Diagnostics session. The visible signal lets the user on the managed device know that a Remote Diagnostics session is in progress.

    Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Diagnostics: Generates a beep on the managed device during the Remote Diagnostics session. The beep is generated periodically after the specified number of seconds.

    Allow Managed Device Screen to be Blanked During Remote Diagnostics: Enables blanking of the screen of the managed device during a Remote Diagnostics session. The managed device keyboard and mouse are always locked during a Remote Diagnostics session. Selecting this option also disables the visible signal on the managed device.

    Display Warning Message Before Reboot for [ ] Seconds: Displays a warning message on the managed device at the start of the Remote Diagnostics session, reminding the user to save all existing applications. This warning message is displayed for the specified duration to prevent the user from losing any unsaved data, because the remote operator might initiate a system reboot during the Remote Diagnostics session.

    Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes: Terminates the Remote Diagnostics session if it is inactive for the specified duration.

  8. Click Next to display the Remote Execute Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.

    Allow programs to be remotely executed on the managed device: Allows programs to be executed remotely on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Execute operation on the device.

    Ask permission from User on Managed Device Before Starting Remote Execute: Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Execute session.

    Give Visible Signal to User on Managed Device During Remote Execute: Displays a visible signal in the top right corner of the managed device desktop during the Remote Execute session. The visible signal lets the user on the managed device know that a Remote Execute session is in progress.

    Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes: Terminates the Remote Execute session if it is inactive for the specified duration.

  9. Click Next to display the File Transfer Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.

    Allow Transferring Files on Managed Device: Enables transfer of files between the management console and the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the File Transfer operation on the device.

    Ask permission from User on Managed Device Before Starting File Transfer: Ensures that the remote operator requests permission from the user on the managed device before starting a File Transfer session.

    Give Visible Signal to User on Managed Device During File Transfer: Displays a visible signal in the top right corner of the managed device desktop during the File Transfer session. The visible signal lets the user on the managed device know that a File Transfer session is in progress.

    Allow Files to be Downloaded from Managed Device: Allows a remote operator to open files on the managed device and transfer them to the management console. If this option is not selected, the remote operator can only transfer files from the management console to the managed device.

    File Transfer Root Directory: Specify the managed device directory to be seen by the remote operator during a File Transfer session. The remote operator can only transfer files to and from this directory and its subdirectories. The default directory is My Computer, which means that the remote operator can see and transfer files in the entire file system of the managed device.

  10. Click Next to display the Security Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.

    Password Authentication

    Enable Password Based Authentication: Allows the remote operator to use a password to authenticate to the managed device. Select this option to configure the password type settings.

    Minimum Password Length: Allows you to specify the minimum length for the password. By default, it is 6 characters.

    Session Password: Select this option to prompt the user on the managed device to set a password before the start of a new remote session. This option is recommended because the password is not stored on the managed device and is valid only for the current session.

    Persistent Password: Select this option to set the ZENworks and VNC passwords. Setting the ZENworks Password is recommended because it is safer and more secure than the VNC Password. This password can be set by the administrator through the Remote Management policy or by the managed device user from the ZENworks icon. Selecting this option enables the subsequent options.

      To enable the user to set the password through the ZENworks icon, select the Allow user to override default passwords on managed device option.

    ZENworks Password

    To clear the ZENworks password:

    1. Click Clear Password.

    2. Click Apply, then click OK.

    To set the ZENworks password:

    1. Click Set Password.

    2. Enter the password. The maximum length of the password is 255 characters.

    3. Click Apply, then click OK.

    VNC Password

    To clear the VNC password:

    1. Click Clear Password.

    2. Click Apply, then click OK.

    To set the VNC password:

    1. Click Set Password.

    2. Enter the password. The maximum length of the password is 8 characters.

    3. Click Apply, then click OK.

    Intruder Detection

    Enable Intruder Detection: Select this option to enable the detection of invalid or unauthorized attempts to launch a remote session on the managed device. Selecting this option enables the subsequent options in the Intruder Detection section.

    Suspend Accepting Connections After [ ] Successive Invalid Attempts: Specify the maximum number of consecutive invalid attempts a remote operator can make before the Remote Management service on the managed device is blocked. By default, it is five attempts.

    Automatically Start Accepting Connections After [ ] Minutes: Specify the time in minutes after which the Remote Management Agent automatically accepts a connection to the managed device. By default, it is 10 minutes. To manually unblock the Remote Management service, double-click the ZENworks Adaptive Agent icon, click Security Settings, then click Enable Accepting Connections if Currently Blocked Due to Intruder Detection.

    Session Security

    Enable Session Encryption: Enables session encryption using SSL encryption (TLSv1 protocol). Selecting this option enables the subsequent options in the Session Security section.

    Allow Connection When Remote Management Console Does Not Have SSL Certificate: When a remote session is launched from the ZENworks Control Center, a certificate is automatically generated for a remote operator. This certificate is used during authentication. Select this option to allow connections from a Remote Management console launched outside ZENworks Control Center that might not have an SSL certificate.

    Allow up to [ ] levels in Viewer certificate chain: The Novell rights-based and password-based authentication schemes run over an SSL-encrypted channel. The establishment of this channel requires the viewer to present a certificate. This certificate can be signed by an intermediate or a root certificate authority, thereby creating a certificate chain.

      This property defines the maximum number of levels that are allowed in the viewer's certificate chain. When the ZENworks internal certificate authority is employed (it is installed by default), a two-level viewer certificate chain is automatically created while launching a remote session from ZENworks Control Center.

    Abnormal Termination

    Lock Device: Locks the managed device when the remote session is terminated abnormally.

    Log Off User: Logs off the user on the managed device when the remote session is terminated abnormally.

  11. Click Next to display the Summary page.

  12. Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, enforcement, status, and which group the policy is a member of.
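The Intruder Detection settings from step 10, modelled as an added example (not ZENworks code) and replayed over a constructed event log with the defaults of five attempts and 10 minutes. It assumes that the fifth successive invalid attempt triggers the block, that a successful authentication resets the count, and that the count restarts after an automatic or manual unblock; the class, function and outcome names are hypothetical.

```python
from datetime import datetime, timedelta


class IntruderDetection:
    """Model of the two Intruder Detection settings (assumed semantics)."""

    def __init__(self, max_invalid=5, unblock_after_minutes=10):
        self.max_invalid = max_invalid  # "Suspend Accepting Connections After [ ]"
        self.unblock_after = timedelta(minutes=unblock_after_minutes)
        self.invalid_streak = 0
        self.blocked_until = None

    def unblock(self):
        """Manual unblock, as done from the agent's Security Settings."""
        self.blocked_until = None
        self.invalid_streak = 0

    def is_blocked(self, now):
        # Assumption: when the timer runs out the streak starts from zero.
        if self.blocked_until is not None and now >= self.blocked_until:
            self.unblock()
        return self.blocked_until is not None

    def attempt(self, now, valid):
        """Outcome of one connection attempt made at time `now`."""
        if self.is_blocked(now):
            return "refused"  # blocked service refuses valid credentials too
        if valid:
            self.invalid_streak = 0  # assumption: a success ends the streak
            return "accepted"
        self.invalid_streak += 1
        if self.invalid_streak >= self.max_invalid:
            self.blocked_until = now + self.unblock_after
            return "rejected, service blocked"
        return "rejected"


# Constructed event log: (time, event). "unblock" is the manual action.
EVENTS = [
    ("09:00:00", "invalid"),
    ("09:00:05", "invalid"),
    ("09:00:09", "valid"),    # success resets the streak
    ("09:01:00", "invalid"),
    ("09:01:02", "invalid"),
    ("09:01:04", "invalid"),
    ("09:01:06", "invalid"),
    ("09:01:08", "invalid"),  # fifth in a row: block until 09:11:08
    ("09:02:00", "valid"),    # legitimate operator is refused
    ("09:11:07", "valid"),    # one second before the timer expires
    ("09:11:08", "valid"),    # service accepts connections again
]


def replay(events, **settings):
    """Run the events through a fresh detector and return each outcome."""
    detector = IntruderDetection(**settings)
    outcomes = []
    for stamp, event in events:
        now = datetime.strptime(stamp, "%H:%M:%S")
        if event == "unblock":
            detector.unblock()
            outcomes.append("unblocked")
        else:
            outcomes.append(detector.attempt(now, valid=(event == "valid")))
    return outcomes


if __name__ == "__main__":
    for (stamp, event), outcome in zip(EVENTS, replay(EVENTS)):
        print(f"{stamp}  {event:<8} -> {outcome}")
```

The refused entries show the operational cost of the block: until the timer expires or someone unblocks the service manually, a remote operator with valid credentials cannot reach the device either.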

2.1.3 Configuring the Remote Operator Rights

You can assign rights to a Remote Operator to perform remote sessions on the managed device. The Remote Operator can have device-specific rights as well as user-specific rights.

  1. In ZENworks Control Center, click Configuration.

  2. In the Administrators panel, click the name of the administrator to whom you want to assign the Remote Management rights.

  3. In the Assigned Rights panel, click Add, then click Remote Management Rights to display the Remote Management Rights dialog box.

  4. Select the device or the user to assign the rights.

    The following table contains information on the Remote Management rights:

    Remote Control: Assign the remote operator the rights to remotely control devices.

    Remote View: Assign the remote operator the rights to remotely view devices.

    Remote Diagnostics: Assign the remote operator the rights to remotely diagnose devices.

    Remote Execute: Assign the remote operator the rights to remotely execute applications on devices.

    Transfer Files: Assign the remote operator the rights to transfer files to or from devices.

    Unblock Remote Management Service: Assign the remote operator the rights to unblock the Remote Management Service that has been locked due to intruder detection.

    NOTE: The Remote Management rights are applicable only for Rights based authentication. However, the remote operator can perform the Remote Management operation using Password based authentication if the Remote Management policy allows.

  5. Click OK.

2.1.4 Configuring the Remote Management Agent Password on a Windows Managed Device

The following sections provide information on configuring the Remote Management password for the Remote Management service on the managed device:

Setting Up the Remote Management Password Using ZENworks Control Center

The Administrator can set a Remote Management password in the Security Settings page while creating a Remote Management policy or after creating the policy.

If you want to set the password while creating the Remote Management policy, see Section 2.1.2, Creating the Remote Management Policy.

To edit the password set in the Remote Management policy:

  1. In ZENworks Control Center, click Policies.

  2. Click the Remote Management policy, then click the Settings tab.

  3. In the Security Settings panel, select the password and replace it with the new password.

  4. Click Apply.

  5. Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the passwords on the managed device.

If you want to set the password after creating the Remote Management policy:

  1. In ZENworks Control Center, click Policies.

  2. Click the Remote Management policy, then click the Settings tab.

  3. In the Security Settings panel, select Enable Password Based Authentication, then select Persistent.

  4. Click Set Password and specify the password. If you have already set the password while creating the Remote Management policy, then you can edit the password. To edit the password, select the password and replace it with the new password.

  5. Click Apply.

  6. Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the passwords on the managed device.

Setting Up the Remote Management Password Using ZENworks Adaptive Agent

The user at the managed device can set a password for the Remote Management service if the Allow user to override default password on the managed device option is enabled in the Remote Management policy effective on the managed device. This password has precedence over the password set in the Remote Management policy.

To set a password on the managed device:

  1. Double-click the ZENworks Adaptive Agent icon to display the ZENworks Adaptive Agent window.

  2. In the left pane, navigate to Remote Management, then click Security.

  3. In the right pane, click Set Password to set the following passwords:

    • ZENworks password (Recommended): Used in ZENworks authentication. It can be up to 255 characters long.

    • VNC password: Used in VNC authentication for interoperability with open source VNC viewers. It can be up to 8 characters long.

  4. Click OK.

Clearing the Remote Management Password Using ZENworks Control Center

To clear the Remote Management password set using the policy:

  1. In ZENworks Control Center, click Policies.

  2. Click the Remote Management policy, then click the Settings tab.

  3. In the Security Settings panel, select Clear Password, then click Apply.

  4. Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the policy on the managed device.

To clear the Remote Management password set by the managed device user:

  1. In ZENworks Control Center, click Policies.

  2. Click the Remote Management policy, then click the Settings tab.

  3. In the Security Settings panel, deselect the Allow User to Override Default Passwords on Managed Device option, then click Apply.

  4. Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the policy on the managed device.

Clearing the Remote Management Password Using ZENworks Adaptive Agent

The user at the managed device can reset the Remote Management password set earlier by him or her.

  1. Double-click the ZENworks Adaptive Agent icon to display the ZENworks Adaptive Agent window.

  2. In the left pane, navigate to Remote Management, then click Security.

  3. In the right pane, click Clear Password to clear the passwords.

  4. Click OK.

Because there is no longer a password set by the user, the password configured in the policy takes effect.

2.1.5 Starting Remote Management Operations on a Windows Device

The remote operation can be initiated in the following ways:

Initiating a Session from the Management Console

In this scenario, the remote session is initiated by the administrator on the management console. The management console is typically placed within an enterprise network and the managed device can be either within or outside the enterprise network. The following illustration depicts a remote session initiated on the managed device from the management console.

Figure 2-1 Console-Initiated Session on a Windows Device


The Remote Management Agent starts automatically when the managed device boots up. A default Remote Management policy is created on the managed device when the device is deployed. You can remotely manage the device using this default policy in rights-based authentication mode only. If you create a new Remote Management policy, the new policy overrides the default policy.

If the ZENworks Management Zone setup is spread across two or more NAT-enabled private networks that are interconnected by a public network, you must deploy DNS_ALG on the gateways of these private networks. DNS_ALG ensures that the DNS lookup queries initiated by the ZENworks components return the correct private address mapped hostname and enables the communication between the management console and the managed devices. For more information on DNS_ALG, refer to DNS ALG RFC - 2694 (http://www.ietf.org/rfc/rfc2694).

If you want to remotely manage a device by using its DNS name, ensure that Dynamic DNS service is deployed in the network.

The remote operator can initiate a session in any of the following ways:

Starting a Remote Management Operation in ZENworks Control Center

You can initiate the various Remote Management operations from the device context or the user context:

Initiating a Remote Management Session from the Device Context

To initiate a Remote Management session on a device:

  1. In ZENworks Control Center, click the Devices tab.

  2. Click Servers or Workstations and select the device you want to remotely manage. Click Action, then select the Remote Management operation you want to perform.

    or

    In Device Tasks in the left pane, select the Remote Management operation you want to perform.

    The available remote operations are:

    • Remote Control: Displays the Remote Management dialog box, which lets you perform the Remote Control, Remote View, or Remote Execute operations on the managed device.

    • Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.

    • Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.

  3. Fill in the options in the dialog box that displays. The following table contains information on the various options available:

    Field

    Details

    Device

    Specify the host name or the IP address of the device you want to remotely manage.

    Operation

    Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box.

    Application

    Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box.

    Authentication

    Select the mode you want to use to authenticate to the managed device. The authentication modes are:

    • Rights-Based Authentication

    • Password-Based Authentication

    Port

    Specify the port number on which the Remote Management service is listening. By default, the port number is 5950.

    Session Mode

    Select one of the following modes for the session:

    • Collaborate: Allows you to launch a Remote Control session and a Remote View session in collaboration mode. This mode is selected by default for the Remote Control operation. If you launch the Remote Control session on the managed device first, then you get the privileges of a master remote operator, which include:

      • Inviting other remote operators to join the remote session.

      • Delegating Remote Control rights to a remote operator.

      • Regaining control from the remote operator.

      • Terminating a Remote Session.

      The consecutive sessions launched are Remote View sessions.

      NOTE: The Collaborate mode is not yet supported on Linux.

    • Shared: Allows more than one remote operator to simultaneously control the managed device.

    • Exclusive: Allows you to have an exclusive remote session on the managed device. No other remote session can be initiated on the managed device after a session has been launched in exclusive mode. This mode is selected by default for the Remote View operation.

    This option is available only in the Remote Management dialog box.

    Session Encryption

    Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol).

    Enable Caching

    Enables caching of the remote management session data to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. This option is currently supported only on Windows.

    Enable Dynamic Bandwidth Optimization

    Enables detection of the available network bandwidth and accordingly adjusts the session settings to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations.

    Enable Logging

    Logs session and debug information in the novell-zenworks-vncviewer.txt file. The system saves the file in the install location of the RM viewer if you launch ZENworks Control Center (ZCC) through either Internet Explorer or Mozilla Firefox.

    Route Through Proxy

    Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy.

    NOTE: The Route Through Proxy option is not yet supported on Linux.

    Fill in the following fields:

    Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy.

    Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750.

    NOTE: The Remote Management Audit displays the IP address of the device that is running the remote management proxy and not the IP address of the management console.

    Route Through Join Proxy

    Enables the remote management operation of the managed device to be routed through a Join Proxy server. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a Join Proxy server.

    If the managed device you are trying to remotely control is already connected to the Join Proxy, then the Route Through Join Proxy option is selected by default and the values for the Join Proxy and Join Proxy Port options are populated.

    Join Proxy: If the managed device you are trying to remote control is already connected to the Join Proxy, the DNS name or the IP address of that Join Proxy server is displayed.

    Join Proxy Port: If the managed device you are trying to remote control is already connected to the Join Proxy, the port number on which the Join Proxy server is listening is displayed.

    When you try to remote control a managed device using Join Proxy, sometimes the configured server might not be available for Join Proxy to update the connection details in the database. In such a context, Join Proxy does not reject the connection of the managed device, but logs a message and allows you to remote control the managed device by manually entering the Join Proxy details in ZENworks Control Center.

    NOTE: If the Join Proxy IP and Port details are not available in the database for a private network device that is connected to a Join Proxy, you can manually select the Route Through Join Proxy option and specify the Join Proxy IP and Join Proxy Port values. On the other hand, if you are trying to launch a remote operation without selecting a device and have manually entered an IP address or DNS name, then you need to enter the address and port of the Join Proxy.

    Use the Following Key Pair for Identification

    If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields:

    Private Key: Click Browse to browse to and select the private key of the remote operator.

    Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone.

    If the certificate contains an Enhanced Key Usage section, then the section must contain Client Authentication (1.3.6.1.5.5.7.3.2).

    NOTE: Microsoft Certificate Services provides a number of certificate templates for issuing a certificate. Some of the certificate templates, such as Web Server, might not have the OID specified by default. If such a certificate is provided during the launch of a remote session, the SSL handshake fails. Consequently, the remote session also fails. So, if you are using Microsoft Certificate Services for issuing a certificate, ensure that the certificate template specifies Client Authentication (1.3.6.1.5.5.7.3.2) in the Enhanced Key Usage section.

    The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate.

    Enable Cache Path: Enables the private key and the certificate paths to be cached on the management console.

    This option is currently supported only on Windows.

  4. Click OK to launch the selected remote operation.

Initiating a Remote Management Session from the User Context

If you want to assist a user by performing a remote session on the managed device where he or she has logged in:

  1. In ZENworks Control Center, click the Users tab.

  2. Click the User Source.

  3. Select the user to remotely manage the device where he or she is logged in.

  4. Click Action, then select the Remote Management operation you want to perform.

    The available operations are:

    • Remote Control: Displays the Remote Management dialog box, which lets you perform the Remote Control, Remote View, or Remote Execute operations on the managed device.

    • Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.

    • Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.

  5. Fill in the options in the dialog box that displays. The following table contains information on the various options available:

    Field

    Details

    Device

    Specify the host name or the IP address of the device you want to remotely manage.

    Operation

    Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box.

    Application

    Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box.

    Authentication

    Select the mode you want to use to authenticate to the managed device. The authentication modes are:

    • Rights-Based Authentication

    • Password-Based Authentication

    Port

    Specify the port number on which the Remote Management service is listening. By default, the port number is 5950.

    Session Mode

    Select one of the following modes for the session:

    • Collaborate: Allows you to launch a Remote Control session and a Remote View session in collaboration mode. This mode is selected by default for the Remote Control operation. If you launch the Remote Control session on the managed device first, then you get the privileges of a master remote operator, which include:

      • Inviting other remote operators to join the remote session.

      • Delegating Remote Control rights to a remote operator.

      • Regaining control from the remote operator.

      • Terminating a Remote Session.

      The consecutive sessions launched are Remote View sessions.

      NOTE: The Collaborate mode is not yet supported on Linux.

    • Shared: Allows more than one remote operator to simultaneously control the managed device.

    • Exclusive: Allows you to have an exclusive remote session on the managed device. No other remote session can be initiated on the managed device after a session has been launched in exclusive mode. This mode is selected by default for the Remote View operation.

    This option is available only in the Remote Management dialog box.

    Session Encryption

    Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol).

    Enable Caching

    Enables caching of the remote management session data to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. This option is currently supported only on Windows.

    Enable Dynamic Bandwidth Optimization

    Enables detection of the available network bandwidth and accordingly adjusts the session settings to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations.

    Enable Logging

    Logs session and debug information in the novell-zenworks-vncviewer.txt file. The system saves the file in the install location of the RM viewer if you launch ZENworks Control Center (ZCC) through either Internet Explorer or Mozilla Firefox.

    Route Through Proxy

    Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy.

    NOTE: The Route Through Proxy option is not yet supported on Linux.

    Fill in the following fields:

    Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy.

    Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750.

    NOTE: The Remote Management Audit displays the IP address of the device that is running the remote management proxy and not the IP address of the management console.

    Use the Following Key Pair for Identification

    If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields:

    Private Key: Click Browse to browse to and select the private key of the remote operator.

    Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone.

    If the certificate contains an Enhanced Key Usage section, then the section must contain Client Authentication (1.3.6.1.5.5.7.3.2).

    NOTE: Microsoft Certificate Services provides a number of certificate templates for issuing a certificate. Some of the certificate templates, such as Web Server, might not have the OID specified by default. If such a certificate is provided during the launch of a remote session, the SSL handshake fails. Consequently, the remote session also fails. So, if you are using Microsoft Certificate Services for issuing a certificate, ensure that the certificate template specifies Client Authentication (1.3.6.1.5.5.7.3.2) in the Enhanced Key Usage section.

    The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate.

    Enable Cache Path: Enables the private key and the certificate paths to be cached on the management console.

    This option is currently supported only on Windows.

  6. Click OK to launch the selected remote operation.
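
The Enhanced Key Usage rule stated in the options tables for both the device context and the user context can be checked before a certificate is handed to the viewer. The following is an added example, not part of the ZENworks documentation or product: a standard-library Python check for PEM or DER input (PFX is not handled), with constructed DER fragments as sample data; all function and constant names are assumptions of this example.

```python
import base64

EKU_EXTENSION_OID = "2.5.29.37"        # id-ce-extKeyUsage (Enhanced Key Usage)
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # Client Authentication, the OID the page requires

def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each element inside a constructed element."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    if not arcs:
        return ""
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def find_eku(der):
    """Return the EKU OIDs, or None when there is no Enhanced Key Usage section."""
    stack = [der]
    while stack:
        for tag, value in children(stack.pop()):
            if not tag & 0x20:         # primitive element, nothing nested inside
                continue
            kids = list(children(value))
            if (tag == 0x30 and kids and kids[0][0] == 0x06
                    and decode_oid(kids[0][1]) == EKU_EXTENSION_OID):
                _, seq, _ = read_tlv(kids[-1][1], 0)  # extnValue wraps SEQUENCE OF OID
                return [decode_oid(v) for t, v in children(seq) if t == 0x06]
            stack.append(value)
    return None

def check_operator_cert(raw):
    """Return (usable, reason) for PEM or DER certificate bytes."""
    if b"-----BEGIN CERTIFICATE-----" in raw:
        raw = base64.b64decode(raw.split(b"-----")[2])  # text between the PEM markers
    ekus = find_eku(raw)
    if ekus is None:
        return True, "no Enhanced Key Usage section"
    if CLIENT_AUTH_OID in ekus:
        return True, "Client Authentication present"
    return False, "Enhanced Key Usage lacks Client Authentication: " + ", ".join(ekus)

# Constructed DER fragments (extensions block only, not real certificates).
WRAP = "3019a31730153013" + "0603551d25" + "040c300a"
CLIENT_ONLY = bytes.fromhex(WRAP + "06082b06010505070302")  # EKU = Client Authentication
SERVER_ONLY = bytes.fromhex(WRAP + "06082b06010505070301")  # EKU = Server Authentication only
NO_EKU = bytes.fromhex("3011a30f300d300b0603551d0f0404030205a0")  # keyUsage only
```

For a real certificate file, pass its bytes: `check_operator_cert(open(path, "rb").read())`. The check covers only the Enhanced Key Usage rule; chaining to the zone CA is not verified here.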

Starting a Remote Management Operation in Standalone Mode

Before starting the remote management operation in standalone mode, install the Remote Management viewer. For information on installing the viewer, see Section 2.4.1, Installing the Remote Management Viewer.

To start the Remote Management Operation in standalone mode:

  1. Double-click the nzrViewer.exe file to launch the ZENworks Remote Management Client.

  2. In the ZENworks Remote Management Connection window that displays, specify the DNS name or the IP address of the managed device and the port number in the format IP address~~Port. For example, 10.0.0.0~~1000.

  3. Specify the DNS name or the IP address of the remote management proxy and the port number in one of the following formats:

    • IP address~~Port. For example, 10.0.0.0~~5750.

    • IP address~Port. For example, 10.0.0.0~50.

  4. Click Connect.

    On successful authentication, the remote session starts. By default, a Remote Control session is launched.

Starting a Remote Management Operation by Using Command Line Options

Before you launch a Remote Management operation from the command line, install the Remote Management viewer. For information on installing the viewer, see Section 2.4.1, Installing the Remote Management Viewer.

To start the Remote Management operation by using the command line options:

  1. At the command prompt, change to the directory where the viewer is installed. The viewer is by default installed to the <User_Application_Data_Folder>\Novell\ZENworks\Remote Management\bin directory.

  2. Execute the following command:

    nzrViewer [/options <parameters if any>][IP address of the managed device] [~~port]

    The default port for the managed device is 5950.

    For information on the available command line options, see Command Line Options for Launching a Remote Operation.

  3. Click Connect.

    On successful authentication, the remote session starts. If you have not specified the type of remote operation in the command line, a Remote Control session is launched by default.

However, starting a Remote Management operation by using the command line options has the following limitations:

  • If you do not want to specify the key, cert, and CAcert command line options in the nzrViewer command for SSL authentication, ensure that the Allow connection when Remote Management Console does not have SSL certificate option in the security settings of the Remote Management policy is enabled. However, this is not recommended because the security of the device is reduced.

  • If the managed device is a part of the Management Zone, ensure that the certificate presented by the viewer is valid, signed, and chained to the CA, or the SSL authentication fails.

    NOTE: When you launch a remote session from ZENworks Control Center (ZCC), the certificate is automatically generated by ZCC and passed to the viewer to launch the session. The certificate is valid for only four days.

  • The managed device uses the certificate provided by the viewer to identify the remote operator. If the viewer does not provide a certificate, the user is not identified and is recorded as unknown in the permission message, visible signal, and audit logs.

  • You cannot use a standalone nzrViewer.exe with rights-based authentication to remotely control the managed device. To use the standalone nzrViewer.exe for remote management operations, apply a Remote Management policy with password authentication enabled on the managed device.

Initiating a Session from the Managed Device

In this scenario, the remote session is initiated by the user on the managed device. This is useful if the management console cannot connect to the managed device. The following illustration depicts a remote session initiated by the user at the managed device.

Figure 2-2 Agent-Initiated Session


The user at the managed device can request a remote operator to perform a remote session on the device if:

  • The remote operator has launched the Remote Management listener to listen to the remote session requests from the user.

  • The Allow user to request a remote session option is enabled in the Remote Management policy.

  • The port on which the Remote Management listener listens for remote connections is open in the management console firewall. The default port is 5550.

To request a session:

  1. Double-click the ZENworks icon in the notification area.

  2. In the left pane, navigate to Remote Management, then click General.

  3. Click Request Remote Management Session to display the Request Session dialog box.

    The ability to request a Remote Management session is controlled by your administrator, which means the option might be disabled, particularly if your company or department does not have dedicated help desk personnel to serve as on-call remote operators. If the Request Remote Management Session option is not displayed as linked text, the option is disabled.

  4. In the Listening Remote Operators list, select the remote operator you want to open the remote session with.

    or

    If the remote operator is not listed, provide the operator’s connection information in the Request Connection fields.

  5. In the Operation field, select the type of operation (Remote Control, Remote View, Remote Diagnostics, File Transfer, or Remote Execute) you want to open.

    For information about each operation, see Section 1.2, Understanding Remote Management Operations.

  6. Click Request to launch the session.

If you want to allow connections to be made from a public network into a private network, deploy the DNS Application Level Gateway (DNS_ALG). For more information on DNS_ALG, refer to RFC 2694.

2.1.6 Enabling the Remote Management Listener

To enable a Remote Management Listener to listen for connections from a managed device:

  1. In ZENworks Control Center, click Devices.

  2. In Device Tasks in the left pane, click Remote Management Listener.

  3. In the Remote Management Listener dialog box, specify the port to listen for the remote connections. By default, the port number is 5550.

  4. Click OK.

    The ZENworks Remote Management Listener icon appears in the notification area.