Cool Solutions

Configuring Proxies for Hybrid Domains within ZENworks Mobile Workspace



September 26, 2018 3:52 pm

This document provides information on how to configure proxies for hybrid domains within ZENworks Mobile Workspace (ZMW). In this scenario, one domain is created for an on-premises mail server and the other for an Office 365 mail server, located in the cloud.

To connect ZMW (located in a DMZ), with the mail server (located in a private network) and the Office 365 server (located in the cloud), the following proxies need to be configured within the private network:

  • NGINX proxy: This proxy is configured to connect ZMW with the mail server (GroupWise/Exchange).
  • LDAP proxy: This proxy is configured to connect ZMW with the mail server (GroupWise/Exchange) LDAP user source and the Office 365 LDAP user source, both located within the private network.

The image below depicts the communication channel for the ZMW server, and its hybrid domains. The blue arrows indicate the communication channel for the Office365 domain with the on-premises LDAP user source and the mail server located in the public network. The grey arrows indicate the communication channel for the domain that is configured with the mail server and the LDAP user sources located in a private network.

 

Prerequisites

  • The NGINX proxy should be installed. For information on how to install the NGINX proxy, click here.
  • The NetIQ LDAP proxy should be installed. For information on how to install the NetIQ LDAP proxy, click here.
  • The ZMW server should be configured such that it is able to communicate with the respective proxy servers on the designated ports.
  • The SSL ports 443 (mail server SOAP request to Office 365 Server and NGINX) and 636 (LDAPS communication) should be open for the ZMW server to communicate with devices running the proxy service.

Configuring the Nginx Proxy

For ZMW to communicate with the on-premises mail server (GroupWise or Exchange) the NGINX proxy should first be configured.

To configure the NGINX proxy, refer to the Configuring the NGINX Proxy section in the following Cool Solution: https://www.novell.com/communities/coolsolutions/configuring-proxies-zenworks-mobile-workspace-groupwise-server-ldap-source/

Configuring the LDAP Proxy

To route requests between the GroupWise and Office365 user sources, you need to configure the LDAP proxy. This requires a search policy whose conditions and actions use the search filter attributes to route the connections appropriately. To configure the LDAP proxy, modify the following configuration settings within the nlpconf.xml file:

Configuring the Listeners 

Listeners are the network interfaces on which LDAP proxies listen for incoming requests. Using the proxy you can configure any number of listeners to listen on multiple interfaces. Here, in the following example snippet, two connection route policies are defined for the two LDAP sources, one in the GroupWise domain and the other in the Office365 domain.

To configure a listener on a secure port:

  1. Configure the LDAP proxy listener with an X.509 certificate.
  2. Export the library path by using the /opt/novell/ldapproxy/bin/nlppath script.
  3. Import the certificates and keys present in the PKCS#12 files by using the nlpcert utility: nlpcert -i ldap_proxy_cert.pfx -o private-cert.pem
  4. Copy the private-cert.pem file to the /etc/opt/novell/ldapproxy/conf/ssl/private/ directory and ensure that the content within the XML is as follows:

For more information about Listeners click here.

Configuring the Back-End Server

A back end server is a directory server to which the LDAP proxy server is connected.

To configure a back end server on a secure port:

  1. Obtain the root CA certificate in the pem format and copy it to the following location: /etc/opt/novell/ldapproxy/conf/ssl/trustedcert/
  2. Replace x.x.x.x within the <addr-ipv4> tags with the LDAP server IP address and ensure that the content within the XML file is as follows:

For more information about back-end servers click here 

Listing Back-End Server Groups

This section lists all the back end server groups configured for the proxy. Ensure that the content within the nlpconf.xml file is as follows:

Configuring Connection Route Policy

A Connection Route policy defines where the LDAP proxy must route the incoming connections.

To configure a Connection Route policy for different LDAP sources (Example: eDirectory and Active Directory) with search filters, ensure that the content within the nlpconf.xml file is as follows:

 <list-policy>
  <policy-search-request id-policy="ad_search" disabled="false">
   <rule>
    <conditions>
     <or>
      <if-srch-filter filter-type="equality-match" op="equal">
       <filter-attribute match="case-ignore">sAMAccountName</filter-attribute>
      </if-srch-filter>
      <if-srch-filter filter-type="equality-match" op="equal">
       <filter-attribute match="case-ignore">userPrincipalName</filter-attribute>
      </if-srch-filter>
     </or>
    </conditions>
    <actions>
     <do-modify-search>
      <base op="replace">OU=REGION,OU= USES,DC=COMPANY,DC=COM</base>
     </do-modify-search>
    </actions>
    <actions-default>
     <do-allow/>
    </actions-default>
   </rule>
  </policy-search-request>
  <policy-connection-route id-policy="groupwise-conn-route-policy" 
             disabled="false" moddncache-enabled-for-bind="false">
   <rule>
    <comment>
     Route all connections to the groupwise-backend-grp
    </comment>
    <conditions>
     <if-bind-dn-container match="case-ignore" op="equal">o=COMPANY</if-bind-dn-container>
    </conditions>
    <actions>
     <do-use-route>
      <ref-load-balancer>groupwise-backend-grp</ref-load-balancer>
     </do-use-route>
    </actions>
    <actions-default>
     <do-nothing/>
    </actions-default>
   </rule>
  </policy-connection-route>
  <policy-connection-route id-policy="office365-conn-route-policy"
             disabled="false" moddncache-enabled-for-bind="false">
   <rule>
    <comment>
     Route all connections to the office365-backend-grp
    </comment>
    <conditions>
     <if-bind-dn-container match="case-ignore" op="not-equal">o=COMPANY</if-bind-dn-container>
    </conditions>
    <actions>
      <do-use-route>
       <ref-policy>ad_search</ref-policy>
       <ref-load-balancer>office365-backend-grp</ref-load-balancer>
      </do-use-route>
    </actions>
    <actions-default>
     <do-nothing/>
    </actions-default>
   </rule>
  </policy-connection-route>
 </list-policy>

For more information about Policies click here.
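
A lint and routing check for the connection route policies above, added here as an illustration; it is not code from the article or from the LDAP proxy product. It assumes that policies are evaluated in order with the first match winning and that if-bind-dn-container tests whether the bind DN sits under the given container; SAMPLE, norm, lint and route are hypothetical names, and SAMPLE is an abridged, constructed copy of the policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two route policies, abridged. The wrapped
# o=COMPANY value is kept on purpose to trigger the whitespace finding.
SAMPLE = """<list-policy>
 <policy-search-request id-policy="ad_search" disabled="false"/>
 <policy-connection-route id-policy="groupwise-conn-route-policy" disabled="false"><rule>
  <conditions><if-bind-dn-container match="case-ignore" op="equal">
        o=COMPANY</if-bind-dn-container></conditions>
  <actions><do-use-route>
   <ref-load-balancer>groupwise-backend-grp</ref-load-balancer>
  </do-use-route></actions></rule></policy-connection-route>
 <policy-connection-route id-policy="office365-conn-route-policy" disabled="false"><rule>
  <conditions><if-bind-dn-container match="case-ignore" op="not-equal">o=COMPANY</if-bind-dn-container></conditions>
  <actions><do-use-route>
   <ref-policy>ad_search</ref-policy>
   <ref-load-balancer>office365-backend-grp</ref-load-balancer>
  </do-use-route></actions></rule></policy-connection-route>
</list-policy>"""

def norm(dn):
    # Simplified DN normalisation (case-ignore, trims RDNs, no escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def lint(xml_text, backend_groups):
    """Return findings for dangling references and wrapped element values."""
    root, findings = ET.fromstring(xml_text), []
    policy_ids = {p.get("id-policy") for p in root if p.get("id-policy")}
    for el in root.iter():
        text = el.text or ""
        if len(el) == 0 and text.strip() and text != text.strip():
            findings.append(f"{el.tag}: value {text.strip()!r} has surrounding whitespace")
        if el.tag == "ref-policy" and text.strip() not in policy_ids:
            findings.append(f"ref-policy {text.strip()!r} is not defined")
        if el.tag == "ref-load-balancer" and text.strip() not in backend_groups:
            findings.append(f"ref-load-balancer {text.strip()!r} is not a listed group")
    return findings

def route(xml_text, bind_dn):
    """Assumed semantics: the first enabled policy whose container test passes wins."""
    dn = norm(bind_dn)
    for pol in ET.fromstring(xml_text).iter("policy-connection-route"):
        if pol.get("disabled") == "true":
            continue
        for cond in pol.iter("if-bind-dn-container"):
            container = norm(cond.text or "")
            inside = dn == container or dn.endswith("," + container)
            if inside == (cond.get("op") == "equal"):
                return pol.find(".//ref-load-balancer").text.strip()
    return None
```

Under these assumed semantics the not-equal rule acts as a catch-all: any bind DN outside o=COMPANY, including an empty one, resolves to office365-backend-grp, which is worth confirming against the back-end server's bind settings.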

Save the nlpconf.xml file and restart the nlpd service.

To verify that the configuration is successful:

  1. Configure ZENworks Mobile Workspace LDAP with the LDAP proxy, that is company.com, and verify if the authentication is successful.
  2. In ZENworks Mobile Workspace, navigate to Domain > PIM and select the server type as Microsoft Exchange.
  3. Specify outlook.office365.com as the server address and complete the remaining fields.
  4. Enroll a device to ZENworks Mobile Workspace and check if mails are being received. To check the second domain, in ZENworks Mobile Workspace, navigate to Domain > PIM and add the NGINX proxy hostname, that is, NGINX_proxy.company.com, as the GroupWise server.
  5. Enroll a device to ZENworks Mobile Workspace and check if mails are being received.

 


Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
