2.1 Deployment Scenarios

The ZENworks Endpoint Security Management components can be deployed in a consolidated (single server) configuration or a distributed (multiple server) configuration. In addition, a non-directory-service configuration is available that you can use if you do not have a supported directory system (Microsoft Active Directory or Novell® eDirectory™) or if you want to evaluate the product without installing all of the components.

2.1.1 Consolidated Configuration (Single Server)

In a consolidated configuration, you install both the Management Service and the Policy Distribution Service to the same server inside your corporate firewall. The Management Console can be installed on the server or on another machine that has access to the server. Likewise, the SQL database engine can be on the same server or on a dedicated SQL server.

Because the server is inside the firewall, users receive policy updates only when they are inside the firewall or connected via a VPN.

For functional, performance, and security reasons, this configuration is not supported on a Primary Domain Controller (PDC).

To create this configuration, complete the tasks in the following sections:

2.1.2 Distributed Configuration (Multiple Servers)

In a distributed (multiple server) configuration, you install the Management Service and Policy Distribution Service to different servers. The benefits of this configuration include distributing workload between the servers and supporting external users without requiring a VPN.

You install the Management Service to a server on your internal network so that it is protected by your firewall. This enables it to securely communicate with the directory service and SQL database engine.

Where you install the Policy Distribution Service depends on the location of your users and the security requirements for your network. In the following scenario, the Policy Distribution Service is located outside of the internal network in the DMZ (demilitarized zone). This allows external users to access it without using a VPN. At the same time, internal users can still access it.

If you don’t have external users, or if your external users frequently use a VPN to connect to your internal network, you can place the Policy Distribution Service on a server inside your internal network, as shown in the following diagram:

To create this configuration, complete the tasks in the following sections:

2.1.3 Non-Directory Service Configuration

ZENworks Endpoint Security Management requires Microsoft Active Directory or Novell eDirectory as its directory service. If you don’t use one of these directory services, or if you want to evaluate the product without installing all of the ZENworks Endpoint Security Management components, you can use a non-directory service configuration.

The non-directory service configuration, as shown below, employs a standalone Management Console that writes security policies directly to the SQL databases. The SQL engine and databases must be located on the same machine as the Management Console.

The Management Service and Policy Distribution Service are not used in a non-directory service configuration. This means that:

  • Automated distribution of security policies to devices is not possible. Instead, to distribute security policies, you export the policies from the Management Console and copy them to the device.

  • Compliance reporting (reporting from the Security Client to the Management Console) is not available.

To create this configuration, complete the tasks in the following sections: