This server should be accessible only when users enter a controlled network environment, to help assure they are indeed in the environment the ZENworks® Security Client has identified. Instructions on configurations for failover and redundancies are found below. Client Location Assurance Service (CLAS) can be deployed on the same server hosting the Single Server Installation or multi-server Management Service installation, if desired.
Install the CLAS onto a server that endpoints will only be able to detect when they are in the network environment that requires cryptographic verification.
Deployment of the CLAS on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.
NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.
To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:
For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:
IISHelp
IISAdmin
Scripts
Printers
We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.
Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
Make certain the following pre-requisites are in place prior to beginning the installation:
Ensure Management Service (MS) to Policy Distribution Service (DS) server name resolution: make sure that the target computer where the MS is installed can ping the DS server name (NETBIOS if the DS is configured inside the network firewall or FQDN if installed outside in the DMZ).
Enable or install Microsoft Internet Information Services (IIS), and ensure ASP.NET is enabled.
IMPORTANT:Do not enable the check box on the Secure Communictions page (in the Microsoft Computer Management utility, expand > expand > expand > right-click > click > click the tab > click the button in the Secure communications group box). Enabling this option breaks the communication between the ZENworks Endpoint Security Management server and the ZENworks Endpoint Security client on the endpoint.
Click from the Installation Interface menu. The CLAS installation begins.
At launch, the installer verifies that all required software is present on the server. If any software is absent, the software is installed automatically before the installation continues to the Welcome Screen (license agreements for the additional software may need to be accepted). If Microsoft Data Access Components 2.8 are not installed, the server needs to reboot following that installation, before ZENworks Endpoint Security Management installation can continue. If you are using Windows 2003 Server, ASP.NET 2.0 is configured to run by the installer.