The information in the following sections helps you set up security for Remote Management sessions:
To configure the Remote Management policies, you must perform the following tasks:
You can also change the security settings on the managed servers by modifying the [Remote Management Policy] section in the ZENworks_agent_directory\rmagent\zfsrcpol.ini file.
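Because the settings can also be changed locally in zfsrcpol.ini, it is useful to compare a managed server's [Remote Management Policy] section against a reviewed baseline copy. The following Python code is an added example, not part of the Novell documentation or product; the key names and values in the sample data are constructed placeholders, because this page does not list the real keys.

```python
import configparser

SECTION = "Remote Management Policy"  # section name given on this page

def read_policy_section(ini_text):
    """Return the [Remote Management Policy] section as a dict of strings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case exactly as written in the file
    parser.read_string(ini_text)
    if not parser.has_section(SECTION):
        return {}
    return dict(parser.items(SECTION))

def policy_drift(baseline_text, current_text):
    """List (key, baseline_value, current_value) for every setting that differs.

    A value of None means the key is absent on that side.
    """
    base = read_policy_section(baseline_text)
    cur = read_policy_section(current_text)
    drift = []
    for key in sorted(set(base) | set(cur)):
        if base.get(key) != cur.get(key):
            drift.append((key, base.get(key), cur.get(key)))
    return drift

# Constructed sample data: placeholder keys, not real zfsrcpol.ini settings.
BASELINE = """[Remote Management Policy]
SampleKeyA=1
SampleKeyB=1
SampleKeyC=30
"""
CURRENT = """[Remote Management Policy]
SampleKeyA=0
SampleKeyC=30
SampleKeyD=1
"""

if __name__ == "__main__":
    for key, expected, actual in policy_drift(BASELINE, CURRENT):
        print(f"{key}: baseline={expected!r} current={actual!r}")
```

In practice, the baseline text would be a copy of the file taken from a server right after the reviewed policy was applied, and the current text would be read from ZENworks_agent_directory\rmagent\zfsrcpol.ini on the server being checked.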
ZENworks 7 requires policy packages in the eDirectory tree that can hold the server policies. You can later configure and enable the server policies.
Policy packages are eDirectory objects that contain collections of policies grouped according to the object types. You should create an Organizational Unit (OU) for holding the policy packages. Consider the following when determining where to place this OU:
Whether you have partitions in your tree
The 256-character limit in eDirectory for the full distinguished name
How you will use the Search policy to locate the policy package
If you install ZENworks 7 Desktop Management to your tree, you may want to keep the ZENworks Server Management and Desktop Management policies in separate containers, such as Server_Policies and Desktop_Policies.
For Remote Management, create two containers, one for Tiered Electronic Distribution objects and the other for the Remote Management policy package.
To create a container:
In ConsoleOne, right-click the container where you want the container for the policy packages placed.
Click > > > .
Name the container, for example, Server_Policies, then click .
IMPORTANT: If you have partitions that are accessed across a WAN, make sure that the Policy Package objects are in the same partition as the Server object so that the Policy/Package Agents are loaded. Also make sure that the Search policy does not require searching outside the partition where the Server object exists.
For Remote Management, you must create the Distributed Server package. The Distributed Server package is required to distribute the Remote Management policies among the managed servers for enforcement.
To create the Distributed Server package:
In ConsoleOne, right-click the policy package's container, then click > .
The Policy Package Wizard is displayed.
In the list, select , then click .
Enter a name for the Distributed Server Package, then click , then click .
For Remote Management, you must create and configure the following Tiered Electronic Distribution objects:
TED Distribution
TED Channel
To create and configure the Tiered Electronic Distribution objects, see Section 3.0, Tiered Electronic Distribution.
The Server Remote Management Policy defines the behavior of the Remote Management Agent. This policy is distributed to the specified Windows managed servers using the Tiered Electronic Distribution, which helps the remote operator to associate the Remote Management policy to a group of Windows managed servers from the management console.
To configure the Server Remote Management Policy:
In ConsoleOne, right-click the Distributed Server Package object, then click .
Click the tab and select the sub-option.
Select the check box under the column for the Server Remote Management Policy.
Click the button > the tab.
Click the tab, then select any of the following options:
Enable Session Encryption: Encrypts the Remote Control and Remote View sessions. The Remote Operator cannot change this to an unencrypted mode. If you do not select this check box, the remote sessions are unencrypted by default. In this case, the Remote Operator has an option to switch over to the encrypted mode from the Console. An encrypted session slightly impacts the performance of remote sessions over fast links.
IMPORTANT: This option does not work for ZENworks for Servers 3.x and earlier versions of the Remote Management Agent.
Allow User to Request Remote Session: Enables the user at the managed server to request the Remote Operator on the management console to perform a remote session.
IMPORTANT: This option does not work for ZENworks for Servers 3.x and earlier versions of the Remote Management Agent.
Display Remote Management Agent Icon To Users: Displays the icon in the system tray of the Windows 2000 or Windows 2003 managed servers on which the Remote Management Agent is running.
Click the tab, then select any of the following options:
Prompt User for Permission to Remote Control: Allows the user at the managed server to either accept or reject the Remote Control session initiated by the remote operator.
Give User Audible Signal when Remote Controlled: Generates an audible signal on the managed server every time the remote operator remote controls the managed server. You can modify the time interval at which the audible signal is generated.
Give User Visible Signal when Remote Controlled: Displays a visible signal with the name of the remote operator and console machine on the managed server every time the remote operator remote controls the managed server. You can modify the time interval at which the name is displayed.
Allow Blanking User's Screen: Allows the remote operator to blank the screen of the managed server during a remote control session and also locks the mouse and keyboard controls.
Allow Locking User's Keyboard and Mouse: Allows the remote operator to lock the keyboard and mouse controls of the managed server during a remote control session.
Click the tab, then select any of the following options:
Prompt User for Permission to Remote View: Allows the user at the managed server to either accept or reject the Remote View session initiated by the remote operator.
Give User Audible Signal when Remote Viewed: Generates an audible signal on the managed server every time the remote operator remotely views the managed server. You can modify the time interval at which the audible signal is generated.
Give User Visible Signal when Remote Viewed: Displays a visible signal with the name of the remote operator and console machine on the managed server every time the remote operator remotely views the managed server. You can modify the time interval at which the name is displayed.
Click , then click .
Right-click the Server Remote Management Policy, then select .
Modify the schedule.
Click , then click .
To associate the Server Remote Management Policy with a managed server, click the tab.
Click .
Browse for and select the Distribution object, then click .
Click , then click .
You must configure the Distribution object for distributing the Remote Management policies.
To configure the Distribution object:
In ConsoleOne, right-click the Distribution object, then click .
Click the tab.
Select Policy Package from the drop-down list.
Click , then select the Distributed Server package that has the Server Remote Management Policy.
Click the tab.
Modify the schedule.
Click , then click .
To configure the Distributor and the Subscriber objects, see Section 3.0, Tiered Electronic Distribution.
If the managed servers reside on a different eDirectory tree, or the Windows 2000/2003 server does not have eDirectory installed, you must create and configure an External Subscriber object for sending Distributions to Subscribers residing on managed servers in other trees. For more information on External Subscribers, see Section 3.8, External Subscribers.
The user at the managed server can change the password of the Remote Management Agent to make sure that the Remote Management sessions are secure.
WARNING: There is a known security vulnerability in using Password-Based authentication. For more information on the vulnerability, see TID 7006557 in the Novell Support Knowledgebase.
To change the agent password:
Right-click the icon from the system tray of the Windows 2000/2003 managed server.
Click > .
Use a password of ten or fewer ASCII (non-extended) characters. The password is case-sensitive and cannot be blank.
The new password must be communicated to the remote operator each time it is changed.