17.3 Setting Up Windows Workstations to Use SSL and Certificates

This section includes information about setting up a Windows 98/NT/2000/XP workstation to use SSL and security certificates. The following sections are included:

17.3.1 Importing a Certificate on the Windows Workstation

If the SSL certificate you want to use was issued by a CA that is not in the trusted root list, you need to install the self-signed certificate from the CA on the workstation. This enables the workstation to trust any certificate issued by the CA. You can do this either before or after you install the Desktop Management Agent.

You can import a certificate on the Windows workstation in a User Account, in a Computer Account or in a Service Account. For additional information about importing a certificate, see “To Import a Certificate” at the Windows XP Professional Product Documentation Web site.

Sample SSL Setup

Use the following steps as an example of how to import a certificate to a workstation:

  1. Verify that SSL is working on the Web server where the ZENworks Middle Tier Server is installed.

    1. Open an HTML browser on the workstation where the ZENworks Desktop Management Agent is installed.

    2. In the browser, use the https protocol to access a secure Web site (https://Middle_Tier_Server_DNS_Name).

      Depending on previous workstation configuration and access to this site, a Security Alert dialog box might display:

      [Figure: Security Alert dialog box showing a warning status]

    3. Do one of the following, depending on whether you have previously accessed this site:

      • If you have not previously accessed the site, the security alert notes three security checks that the browser conducts prior to allowing access to the secure site. The status of the first item should show a warning, and the status of the other two items should show a green check mark. If the alert does not match this status, resolve the problem with the certificate before proceeding to Step 2.

      • If you previously accepted the server’s security certificate (that is, you have validated the date and the name of the certificate and you have indicated that you trust the certificate authority), this security alert does not display. This does not mean that the workstation is correctly configured for the Desktop Management Agent. If the agent does not authenticate through the Middle Tier Server (see Step 5), you need to delete the root certificate already on the workstation and then proceed to Step 2.

  2. Verify that the Desktop Management Agent authenticates and is connected through port 80. (The agent login defaults to port 80, so only the DNS name is needed for the Middle Tier Address.)

  3. Import the third-party root certificate to the workstation as a Computer Account.

    Importing the Root Certificate through the browser to the default location is not sufficient for the Desktop Management Agent to find the certificate. The following substeps show an example of how to import a third-party root certificate from a NetWare 6.5 Middle Tier Server to a location where the agent can access it.

    1. As in Step 1, use the https protocol to access a secure Web site (https://Middle_Tier_Server_DNS_Name) to display the Security Alert dialog box.

    2. In the dialog box, click View Certificate, click Certification Path, select Organization CA, then click View Certificate.

    3. Select Install Certificate to launch the Certificate Import Wizard.

    4. In the Certificate Import Wizard, click Next, click Place all certificates in the following store, click Browse, then select the Show physical stores check box.

    5. Scroll to the top of the window and expand the Trusted Root Certification Authorities list item.

    6. Select Local Computer, click OK, click Next, and then click Finish.

  4. Test the import by closing and reopening the browser and going to the https://Middle_Tier_Server_DNS_Name Web site.

    No Security Alert dialog box should display. If the security alert does display, you might have a problem with the Web server and SSL.

  5. Configure the Desktop Management Agent for SSL and verify that the agent is able to authenticate the user.

    1. Add :443 to the Middle Tier Server’s DNS name. For example:

      You might need to use regedit.exe to change the settings for the Middle Tier Server if the Desktop Management Agent is configured to not allow Middle Tier address changes.

    2. Reboot the workstation as needed.

17.3.2 Configuring the Desktop Management Agent to Query for the Certificate

When the Desktop Management Agent installation program requires an entry for the IP address or DNS name of the Middle Tier Server, you need to enter the common name you used when you created the Certificate Request. For more information, see Step 5.f.
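
The following script checks the result of the import steps in 17.3.1 and the name requirement in 17.3.2. It is an added example, not part of the Novell documentation or the ZENworks product. It assumes PowerShell 2.0 or later is available on the workstation; ca.cer (the Organization CA certificate exported to a file) and the server name are placeholders.

```powershell
# Added example, not Novell code. Placeholders: -CaFile is the exported Organization CA
# certificate; -MiddleTier is the DNS name entered as the Middle Tier address.
param(
    [string]$CaFile     = '.\ca.cer',
    [string]$MiddleTier = 'Middle_Tier_Server_DNS_Name'
)
$caPath = (Resolve-Path $CaFile).Path
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caPath

# True if a certificate with the CA's thumbprint is visible in the given store.
function Test-InStore([string]$StorePath) {
    @(Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }).Count -gt 0
}

# Check 1: store placement. The current-user view also lists Local Computer roots,
# so test the Local Computer store first; "user only" is the browser-default import.
$inMachine = Test-InStore 'Cert:\LocalMachine\Root'
$inUser    = Test-InStore 'Cert:\CurrentUser\Root'
if ($inMachine)  { "OK: CA $($ca.Thumbprint) is in the Local Computer Trusted Root store." }
elseif ($inUser) { "PROBLEM: CA is only in the current user's root store; repeat the import and select Local Computer." }
else             { "PROBLEM: CA is not in any Trusted Root store on this workstation." }

# Check 2: TLS handshake on port 443 with default validation (trusted chain, validity
# dates, and the certificate name matching the address). This runs in the user's
# context, so it can pass while check 1 still reports a user-only import.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($MiddleTier, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($MiddleTier)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($server)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Server certificate subject: $($server.Subject)"
    if ($root.Thumbprint -eq $ca.Thumbprint) { "OK: the server's chain ends at the CA in $CaFile." }
    else { "PROBLEM: the server's chain ends at a different root: $($root.Subject)" }
}
catch   { "PROBLEM: TLS validation failed for ${MiddleTier}:443 - $($_.Exception.Message)" }
finally { $tcp.Close() }
```

A name-mismatch failure in the second check means the address given to the agent is not the common name in the server certificate, which is the condition 17.3.2 describes.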