ZENworks 11SP3 Remote Management - Join Proxy

February 2014

Typically when you want to remote control a device that is in private network or on the other side of a firewall or router that is behind NAT (Network Address Translation), you need to install a remote management proxy server on the same NAT environment that the device is in. This requires an interface machine. This is difficult in a situation when a managed device is moved out of the zone to home. Because each individual home is a NAT environment and you cannot have a single remote management proxy for devices across different NAT environments.

However the Join Proxy satellite server allows multiple Windows devices that are in a private network on the other side of a firewall or router that is behind NAT (Network Address Translation) to connect to it for remote management operations.

Join Proxy is a proxy that joins two connections together. The first connection being the one that the managed device maintains with the proxy server while the second one is the connection that comes from the viewer machine of the administrator.

1.0 Prerequisites

2.0 Configuring the Join Proxy Role

In ZENworks, Join Proxy is a role that is typically assigned to the Primary Servers while you can also assign this role to Satellites.

You can add Join Proxy role to a ZENworks 11SP3 Windows or Linux managed device to make it a Join Proxy server for performing remote management operations on Windows managed devices that are in a private network.

As part of configuration, you need to perform the following:

2.1 Assigning Join Proxy Role to a Device

In ZENworks Control Center, first select a device for which you want to assign the Join Proxy role. You can choose either a Primary Server or a Satellite as the Join Proxy. If you select a Primary Server, there is no need to further configure the server. If you plan to use a Satellite, then you need to assign the Join Proxy role to the Satellite server using the following steps

  1. In ZENworks Control Center click Devices> Servers or Workstations.

  2. In the Servers or Workstations panel, select the check box for the Satellite that you want to configure.

  3. Click Action > Configure Satellite Server.

  4. In the Configure Satellite Server dialog box, select the check box next to Join Proxy, then click Configure.

  5. In the Join Proxy Role Settings dialog box, specify the Port on which the Join Proxy listens for connection. The default port number is 7019.

    NOTE:This is required only if the Join Proxy is running a firewall or is behind a network firewall.

  6. Specify the maximum number of devices to be allowed to connect to the Join Proxy. The default value is 100, but you can change it to any value up to 100.

  7. Specify the frequency interval at which the Join Proxy should check if the devices are still connected to it or not. The default value is one minute.

    If you specify a lower value in this field, status updates are quicker in the database. However, this might result in higher traffic on the network, depending upon the number of devices connected to the Join Proxy.

    NOTE:Based on the frequency specified here, Join Proxy will send packets to all the managed devices connected to it to detect the connection status and update it in the database. This enables remote operators to connect to managed devices through Join Proxy for performing remote sessions on Windows managed devices that are in a private network.

  8. Click Ok to return to the Configure Satellite Server dialog box.

For details on Satellite Roles, seeUnderstanding the Satellite Roles in ZENworks 11 SP3 Primary Server and Satellite Reference.

2.2 Creating Locations

After assigning the Join Proxy role to the device, you need to create a location by providing a location name and then associate the desired network environments with the location. For details, seeCreating Locationsin ZENworks 11 SP3 Location Awareness Reference.

2.3 Associating Join Proxy to the Created Locations

After creating the location, You also need to configure the Join Proxy Closest Server rules for the location and network environment so that the managed device connects to the closest Join Proxy servers defined for them in the location. You need to modify the list of the closest servers for the location or locations in which you want to use a Join Proxy. Typically at least the unknown location is configured to use a Join Proxy.

For details, seeAdding Closest Servers to Locations in ZENworks 11 SP3 Location Awareness Reference.

  1. In ZENworks Control Center, click the created location and click the Servers tab

  2. Click Add in the Join Proxy Servers list.

  3. In the Select Join Proxy Servers dialog, click either Servers or Workstations to select a device or a server.

    You can choose either a Primary Server or a Satellite as the Join Proxy. If you select a Primary Server, there is no need to further configure the server. For more details, see

  4. Click OK. The selected servers get listed under Join Proxy servers.

  5. Click Move Up or Move Down as necessary to change its order in the list.

  6. Click Apply.

2.4 Refreshing the Managed Device to View New Closest Servers List

You need to refresh the managed device after associating the Join Proxy to the locations, so that the device reads the new closest servers list. You will be able to see the Join Proxy server(s) in the ZENworks Agent status page, if the managed device is already in a location which has a Join Proxy configured.

For details, seeViewing the Agent’s Status and Viewing the Closest Server Detailsin Novell ZENworks 11 SP3 Adaptive Agent Guide.

3.0 Remote Controlling the Managed Device - Join Proxy

Once you have enabled Join Proxy and configured the agent to use the Join Proxy in specific locations, you can start remotely managing the devices through the Join Proxy.

  1. In ZENworks Control Center, select the device that you want to remote control.

  2. Select Actions > Remote Control.

  3. Click the More Options link to get to the Join Proxy related fields. These are populated by default.

    NOTE:If the managed device you are trying to remotely control is already connected to the Join Proxy, then the Route Through Join Proxy option is selected by default and the values for the Join Proxy and Join Proxy Port options are populated.

    Alternatively, if you are trying to launch remote operation without selecting a device and have manually entered an IP address /DNS name, then you need to enter the address and port of the Join Proxy.

  4. Click OK to initiate the remote session.

During the connection negotiation, initial connection is made with the Join Proxy. Thus by deploying the Join Proxy satellite or Primary Server in the demilitarized zone (DMZ), you can now remotely manage Windows devices regardless of whether they are behind one or more NATs.

4.0 Workflow Diagram