3.0 Performing a Single-Server Installation

ZENworks® Endpoint Security Management Single-Server Installation (SSI) allows both the Policy Distribution Service and the Management Service to co-exist on the same server, which is not possible without using this installation option. The server must be deployed inside the firewall for security purposes, requiring users to receive policy updates only when they are inside the corporate infrastructure or connected via a VPN.

Deployment of the Single-Server Installation on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.

NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.

To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:

For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:

  • IISHelp

  • IISAdmin

  • Scripts

  • Printers

We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.

Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.

Ensure that the following prerequisites are in place prior to beginning the installation: