21.3 Device Management

21.3.1 Internal Device Management

Description

Internal devices are those devices physically located within your internal network perimeter or devices that have a VPN connection to your internal network.

Recommendation

For best security, internal ZENworks-managed devices should not be allowed to access the DMZ Primary Server. You should restrict access by hiding the DMZ server’s internal IP addresses from the internal devices. Hiding the internal IP addresses ensures that the server is not included in the closest server lists for any of the roles (configuration, collection, content, etc.) and is therefore unreachable by internal devices.

How to Secure Access

For detailed instructions, see Configuring Restricted Access to a ZENworks Server in the ZENworks Primary Server and Satellite Reference. Use the instructions to restrict access to any of the server’s internal addresses so that they are not advertised to devices.

21.3.2 Client Webservices

Description

These are the Tomcat webapps used for device management. For example, the ZENworks agent pulls down assignments, settings, and policies using these services.

The Client Webservices are used by the ZENworks agent on traditional Windows, Mac, and Linux clients. To control access by MDM clients, see MDM Endpoint Services.

Service

ZENworks Server (Tomcat)

ZENworks Server (JSON)

Port

443 and 80

Recommendation

The Client webservices run on secure port 443.

For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the webservices only accept authenticated communication (via authentication headers) from the ZENworks agent.

If this is not sufficiently secure, you can block access to individual webservices that provide functionality not being used by the ZENworks agent.

How to Secure Access

To control individual web service level security, refer to the Controlling Agent Web Services section.

Additionally, you can use the Tomcat Remote Address Filter to block access to any unused Client Webservices.

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. List all webapps that are not ZCC-related and do not end in *admin. These are the Client Webservices.

  3. Modify the <service>/WEB-INF/web.xml file of each Client Webservice to add a Tomcat Remote Address Filter that denies access to external IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

    (Optional) If you want, you can allow access to internal addresses so that the ZENworks DMZ Server can manage internal devices. However, this is not recommended.

  4. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.

  • Be aware that denying access to some Client Webservices but not others can result in users receiving unexpected error messages related to denied services.

21.3.3 Registration

Description

This is the Tomcat webservice that enables new devices to register to the ZENworks Management Zone.

Service

ZENworks Server (Tomcat)

Port

443

Recommendation

If you need to register external devices, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, only authorized devices can register through the server.

If you don’t need to register external devices, disabling this webservice in combination with disabling ZENworks Download (zenworks-setup) ensures that no devices can use the DMZ server to register.

How to Secure Access

Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers.

or

Use the Registration webservice configuration file to disallow registration.

  1. On the ZENworks server, go to the following directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps/zenworks-registration/WEB-INF

    Windows: \novell\zenworks\share\tomcat\webapps\zenworks-registration\WEB-INF

  2. In the config.xml file, change the <AllowNewRegistration> setting to false:

    <AllowNewRegistration>false</AllowNewRegistration>

  3. Restart the server services.

21.3.4 Content Service

Description

This is the Tomcat Client webservice that streams content files (bundles, policies, patches, and system updates) from the ZENworks server to the managed device.

Service

ZENworks Server (Tomcat)

Port

443 and 80

Recommendation

ZENworks content transferred on port 443 is encrypted (SSL) when a Primary Server transfers it to another Primary Server, to a Satellite, or to a managed device. Content transferred on port 80 is in the clear (no SSL). However, all content other than patch bundles and system updates is automatically encrypted during bundle creation unless the creator turned off the default encryption, and patch bundles and system update content do not contain sensitive data.

For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Content Service only accepts authenticated communication (via authentication headers) from the ZENworks agent.

If this is not sufficiently secure, you can disable the Content Service on the ZENworks DMZ Server and require managed devices to periodically connect to your internal network via VPN to receive content updates.

How to Secure Access

Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers.

or

If you want to stop ZENworks managed devices from accessing content (note that this does not stop attacks against the services), remove the ZENworks DMZ Server from the Unknown location’s list of available Content servers:

  1. In ZCC, click Configuration > Locations to display the Locations list.

  2. In the Locations list, click Unknown, then click the Servers tab.

  3. Turn on the Exclude the Closest Server Default Rule option.

  4. In the Content Servers list, remove the ZENworks DMZ Server.

If you want to disable access to the Content Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the zenworks-contentservice and zenworks-content webservices:

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. Modify the zenworks-contentservice/WEB-INF/web.xml and zenworks-content/WEB-INF/web.xml files to add a Tomcat Remote Address Filter that denies access to external IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

    (Optional) If you want, you can allow access to internal addresses so that the ZENworks DMZ Server can manage internal devices. However, this is not recommended.

  3. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.

21.3.5 Collection Service

Description

This is the Client webservice that uploads inventory, audit, and message files from managed devices to the ZENworks server.

Service

ZENworks Server (Tomcat)

Port

443

Recommendation

ZENworks collection data is encrypted (SSL) when it is transferred between a managed device’s ZENworks agent and the Collection Server (Primary Server or Satellite).

For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Collection Service only accepts authenticated communication (via authentication headers) from the ZENworks agent.

If this is not sufficiently secure, you can disable the Collection Service on the ZENworks DMZ Server and require managed devices to periodically connect to your internal network via VPN to upload collection data.

How to Secure Access

Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers.

or

If you want to stop ZENworks managed devices from uploading inventory, audit, and message data to the server (note that this does not stop attacks against the service), remove the ZENworks DMZ Server from the Unknown location’s list of available Collection servers:

  1. In ZCC, click Configuration > Locations to display the Locations list.

  2. In the Locations list, click Unknown, then click the Servers tab.

  3. Turn on the Exclude the Closest Server Default Rule option.

  4. In the Collection Servers list, remove the ZENworks DMZ Server.

If you want to disable access to the Collection Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the zenworks-fileupload webservice.

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. Modify the zenworks-fileupload/WEB-INF/web.xml file to add a Tomcat Remote Address Filter that denies access to external IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

    (Optional) If you want, you can allow access to internal addresses so that the ZENworks DMZ Server can manage internal devices. However, this is not recommended.

  3. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.

21.3.6 Authentication Service

Description

This is the Client webservice that authenticates managed devices (end users) to ZENworks.

Service

ZENworks Server (Tomcat)

Port

443 and 2645

Recommendation

For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Authentication Service only accepts authenticated communication (via authentication headers) from the ZENworks agent.

If your ZENworks system does not use User Authentication, we recommend that you disable this webservice.

If you do use User Authentication, the authentication occurs on Tomcat secure port 443. To provide additional security, you should block inbound connections on port 2645 (see Authentication Port (2645)).

How to Secure Access

Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers.

or

If you want to stop ZENworks managed devices from authenticating (note that this does not stop attacks against the service), remove the ZENworks DMZ Server from the Unknown location’s list of available Authentication servers:

  1. In ZCC, click Configuration > Locations to display the Locations list.

  2. In the Locations list, click Unknown, then click the Servers tab.

  3. Turn on the Exclude the Closest Server Default Rule option.

  4. In the Authentication Servers list, remove the ZENworks DMZ Server.

If you want to disable access to the Authentication Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the CasaAuthTokenSvc webservice.

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. Modify the CasaAuthTokenSvc/WEB-INF/web.xml file to add a Tomcat Remote Address Filter that denies access to external IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

    (Optional) If you want, you can allow access to internal addresses so that the ZENworks DMZ Server can manage internal devices. However, this is not recommended.

  3. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.

21.3.7 Authentication Port (2645)

Description

Additional Tomcat port that is used by Windows managed devices for authentication.

Service

External Casa

Port

2645

Recommendation

Disable inbound connections on this port. Allowing inbound connections exposes all existing services (not just the Authentication service) to external attacks. When the port is blocked, authentication takes place through Tomcat port 443.

How to Secure Access

Configure the firewall to prevent inbound traffic on this port from external addresses.

21.3.8 MDM Endpoint Services

Description

These are the Tomcat Client Webservices used for mobile device management. This includes ActiveSync and ZENworks End User Portal access.

Service

ZENworks Server (Tomcat)

Port

443 and 80

Recommendation

If you are not using ZENworks to manage mobile devices, disable these Client webservices.

If you are managing mobile devices, these Client webservices use secure port 443. If this is not sufficiently secure, you can restrict access to specific IP addresses or ranges of addresses.

How to Secure Access

To completely disable the MDM Endpoint Services, use the Tomcat Remote Address Filter to block access to the endpoint webservice:

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. Modify the endpoint/WEB-INF/web.xml file to add a Tomcat Remote Address Filter that denies access to external IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

    (Optional) If you want, you can allow access to internal addresses so that the ZENworks DMZ Server can manage internal devices. However, this is not recommended.

  3. Restart the server services.

To restrict access to specific IP addresses, use the MDM Server access control settings to specify the IP addresses:

  1. In ZCC, click Configuration > Management Zone Settings > Infrastructure Management > MDM Servers.

  2. In the MDM Servers list, locate the ZENworks DMZ Server.

  3. In the Access Control column for the server, click to display the Configure Endpoint Access dialog.

  4. In the IP Address / Range list:

    1. At the top of the list, insert an entry that includes all IP addresses (in regular or CIDR format) of devices to which you want to allow access, then select Allow as the access.

    2. Change the --ALL-- entry to Deny access. This denies access to any devices not allowed by the first entry.

For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference.

21.3.9 Remote SSH Service

Description

The Tomcat Client webservice that serves the JNLP files required when using Remote Management to remote SSH to Linux Servers.

Service

ZENworks Server (Tomcat)

Port

443

Recommendation

Remote Management can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform remote management of devices.

Disable access to both internal and external addresses.

How to Secure Access

Use the Tomcat Remote Address Filter to block access to the zenworks-remote-ssh webservice.

  1. On the ZENworks server, go to the WebApps directory:

    Linux: /opt/novell/zenworks/share/tomcat/webapps

    Windows: \novell\zenworks\share\tomcat\webapps

  2. Modify the zenworks-remote-ssh/WEB-INF/web.xml file to add a Tomcat Remote Address Filter that denies access to all IP addresses.

    For details about how to do this (and explanation of an alternate method), see Admin Webservices.

  3. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.
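The web.xml edit that 21.3.2 describes in steps 1 to 3, and that the Content Service, Collection Service, Authentication Service, MDM Endpoint Services and Remote SSH Service sections repeat for their own webapps, as one added example. This is not code from the ZENworks documentation or product, and the Admin Webservices section the page refers to is not reproduced here. The script assumes a POSIX shell with awk on the Linux server; that the ZCC webapp to skip is the one named zenworks (the exclusion list is a parameter); that "deny external addresses" without the optional internal allowance means allowing only loopback; and that zenworks-remote-ssh is denied to every address, as 21.3.9 asks. The filter is Tomcat's own org.apache.catalina.filters.RemoteAddrFilter, whose allow and deny parameters are Java regular expressions matched against the whole client address as Tomcat sees it. If a load balancer or reverse proxy terminates connections in front of Tomcat, every request carries the proxy's address and this filter is worthless until RemoteIpFilter (or RemoteIpValve) is configured ahead of it.

```shell
#!/bin/sh
# Added example, not ZENworks product code: find the Client Webservices under
# the Tomcat webapps directory and put a Tomcat RemoteAddrFilter in front of
# each one. Everything marked "assumed" is not taken from the ZENworks docs.

# Java regex that the client address must match to get in. Loopback only,
# which is "deny external, do not allow internal" as the page recommends.
# Tomcat matches it against the TCP peer address; behind a reverse proxy
# configure RemoteIpFilter first or every client looks like the proxy.
ALLOW_DEFAULT='127\.0\.0\.1|0:0:0:0:0:0:0:1|::1'
FILTER_CLASS='org.apache.catalina.filters.RemoteAddrFilter'

# client_webapps WEBAPPS_DIR [EXCLUDE ...]
# Prints each webapp that has a WEB-INF/web.xml, is not in the exclusion
# list and does not end in "admin" (the page's definition of a Client
# Webservice). "zenworks" is assumed to be the ZCC webapp to skip.
client_webapps() {
  dir=$1; shift
  excl=${*:-zenworks}
  for app in "$dir"/*/; do
    app=${app%/}; name=${app##*/}
    [ -f "$app/WEB-INF/web.xml" ] || continue
    case " $excl " in *" $name "*) continue ;; esac
    case "$name" in *admin) continue ;; esac
    printf '%s\n' "$name"
  done
}

# has_filter WEB_XML: true if the filter is already declared.
has_filter() { grep -qF "$FILTER_CLASS" "$1"; }

# add_filter WEB_XML [ALLOW_REGEX]
# Inserts <filter> and <filter-mapping> right after the opening <web-app ...>
# tag (which may span several lines) so the mapping is first in the chain.
# An empty ALLOW_REGEX emits deny=".*" instead, i.e. no address at all.
# Schema-based descriptors (servlet 2.4 and later) do not constrain element
# order; a DTD-based 2.3 descriptor would need the elements further down.
# Idempotent: a descriptor that already carries the filter is left alone.
add_filter() {
  webxml=$1; allow=${2-$ALLOW_DEFAULT}
  has_filter "$webxml" && return 0
  # Values go through ENVIRON, not -v, so awk does not eat the backslashes.
  ALLOW="$allow" FILTER_CLASS="$FILTER_CLASS" awk '
    BEGIN {
      cls = ENVIRON["FILTER_CLASS"]
      if (ENVIRON["ALLOW"] == "") { pname = "deny"; pval = ".*" }
      else { pname = "allow"; pval = ENVIRON["ALLOW"] }
    }
    { print }
    inserted { next }
    !intag && index($0, "<web-app") { intag = 1 }
    intag && index($0, ">") {
      intag = 0; inserted = 1
      print "  <!-- added: Tomcat RemoteAddrFilter (" pname " = " pval ") -->"
      print "  <filter>"
      print "    <filter-name>RemoteAddrFilter</filter-name>"
      print "    <filter-class>" cls "</filter-class>"
      print "    <init-param>"
      print "      <param-name>" pname "</param-name>"
      print "      <param-value>" pval "</param-value>"
      print "    </init-param>"
      print "    <init-param>"
      print "      <param-name>denyStatus</param-name>"
      print "      <param-value>404</param-value>"
      print "    </init-param>"
      print "  </filter>"
      print "  <filter-mapping>"
      print "    <filter-name>RemoteAddrFilter</filter-name>"
      print "    <url-pattern>/*</url-pattern>"
      print "  </filter-mapping>"
    }
  ' "$webxml" > "$webxml.tmp" && mv "$webxml.tmp" "$webxml"
}

# Apply to a live server, then restart the ZENworks services:
#   ZEN_WEBAPPS=/opt/novell/zenworks/share/tomcat/webapps sh harden-webapps.sh
# Keep the script: a system update rewrites web.xml and the filters are gone.
if [ -n "${ZEN_WEBAPPS:-}" ]; then
  client_webapps "$ZEN_WEBAPPS" | while read -r name; do
    case "$name" in
      zenworks-remote-ssh) add_filter "$ZEN_WEBAPPS/$name/WEB-INF/web.xml" "" ;;  # 21.3.9: deny all
      *)                   add_filter "$ZEN_WEBAPPS/$name/WEB-INF/web.xml" ;;
    esac
    printf 'filtered %s\n' "$name"
  done
fi
```

The filter answers with 404 rather than the default 403 so that a blocked webapp does not advertise its existence; drop the denyStatus parameter if you prefer the 403. The alternate method the page alludes to is assumed to be the equivalent org.apache.catalina.valves.RemoteAddrValve in the webapp's META-INF/context.xml; the filter form is shown because it lives in the file the page tells you to edit. Check the result before restarting with the real Tomcat, because a malformed web.xml stops the webapp from deploying at all.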

21.3.10 Join Proxy Service

Description

The service that maintains connections between two devices on different private networks (for example, devices on opposite sides of a firewall or a NAT-enabled router). When used with ZENworks Remote Management, Join Proxy allows a device on the internal network to perform remote management of a device on an external network.

Port

7019, 7950

Recommendation

Block the ports to inbound connections if you are not using the ZENworks DMZ Server as a Join Proxy.

If you use the server as a Join Proxy, allow both inbound connections from external ZENworks managed devices as well as internal devices. Authentication is used to secure the connections.

How to Secure Access

If the ZENworks DMZ Server is not functioning as a Join Proxy:

Configure the firewall to prevent inbound traffic on ports 7019 and 7950 from internal and external addresses.

OR

Stop the novell-zenjoinproxy.service on the ZENworks server.

21.3.11 Quick Tasks

Description

Used by the ZENworks agent for Quick Tasks.

Service

Webservice

Port

7628

Recommendation

The connection is authenticated. Allow it.

How to Secure Access

Configure the firewall to prevent inbound traffic on this port from external addresses.
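The firewall changes called for in 21.3.7 (port 2645), 21.3.10 (ports 7019 and 7950) and 21.3.11 (port 7628), collected into one script as an added example; this is not from the ZENworks documentation or product. It assumes the server runs firewalld with its public zone (an appliance-specific firewall front end, if your deployment has one, is not covered), that the internal ranges are passed as CIDRs, and that a Join Proxy deployment is signalled with JOIN_PROXY=1. The DRY_RUN switch prints the firewall-cmd invocations instead of executing them so the rule set can be reviewed before it touches a live server.

```shell
#!/bin/sh
# Added example, not ZENworks product code: firewalld rules for the ports the
# page says to restrict on a DMZ Primary Server. firewalld and its "public"
# zone are assumed; change ZONE and the CIDRs to match your network.

ZONE=${ZONE:-public}

# run CMD...: execute, or only print the command when DRY_RUN=1 so the rule
# set can be reviewed (and tested) without a live firewall.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# internal_only PORT CIDR...: close the port to everyone, then re-open it
# only for the listed internal ranges. This is the page's "prevent inbound
# traffic on this port from external addresses".
internal_only() {
  port=$1; shift
  run firewall-cmd --permanent --zone="$ZONE" --remove-port="$port/tcp"
  for cidr in "$@"; do
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"tcp\" accept"
  done
}

# closed PORT: no inbound connections at all. A firewalld zone with the
# default target rejects anything that no rule opened.
closed() {
  run firewall-cmd --permanent --zone="$ZONE" --remove-port="$1/tcp"
}

# dmz_port_policy CIDR...: the page's recommendations in one place.
dmz_port_policy() {
  internal_only 2645 "$@"   # 21.3.7: CASA port; agents then authenticate on 443
  internal_only 7628 "$@"   # 21.3.11: Quick Tasks, authenticated, internal only
  if [ "${JOIN_PROXY:-0}" = 1 ]; then
    # 21.3.10: a Join Proxy must accept external and internal devices alike
    run firewall-cmd --permanent --zone="$ZONE" --add-port=7019/tcp
    run firewall-cmd --permanent --zone="$ZONE" --add-port=7950/tcp
  else
    closed 7019; closed 7950
    # Stop the service as the page says, and keep it from returning at boot.
    run systemctl disable --now novell-zenjoinproxy.service
  fi
  run firewall-cmd --reload
}

# e.g.  ZEN_INTERNAL_CIDRS="10.0.0.0/8 192.168.0.0/16" JOIN_PROXY=0 sh dmz-ports.sh
# (unquoted on purpose: the variable holds a space-separated list of CIDRs)
if [ -n "${ZEN_INTERNAL_CIDRS:-}" ]; then
  dmz_port_policy $ZEN_INTERNAL_CIDRS
fi
```

Run it once with DRY_RUN=1 and compare the printed commands against the page's recommendations for your server role before running it for real. Port 443 is deliberately untouched: the page keeps it open and relies on secured server-agent communication and the per-webapp address filters for what is reachable through it.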