21.1 Server Connections

The following sections provide information about controlling access between the ZENworks DMZ Server and other ZENworks back-end components:

21.1.1 ZENworks Databases

Description

The ZENworks Zone has three databases: the ZENworks database, the ZENworks Audit database, and the ZENworks Antimalware database.

The ZENworks database stores information about devices, users, software bundles, policies, hardware and software inventories, centralized system messages, license tracking and usage data, and other transactional data. It also stores information about the actions scheduled to take place within the zone.

The ZENworks Audit database stores information for audited events. This includes changes made to the zone configuration and actions that occur on managed devices.

The ZENworks Antimalware database stores data such as detected malware threats and the current malware status of devices. It also stores data (devices, policies, assignments, and configuration settings) that is synced to it from the ZENworks database.

Database: Port

Oracle: 1521

Microsoft SQL: 1433

Embedded PostgreSQL: 54327

External PostgreSQL: 5432

Recommendation

The ZENworks DMZ Server requires direct access to the databases.

How to Secure Access

Configure the firewall to allow communication on the database port between the ZENworks DMZ Server and the database server. Follow firewall best practices for restricting access to the port and the ZENworks DMZ Server IP address/DNS hostname.

21.1.2 ZENworks User Source (LDAP Directory)

Description

An LDAP directory (eDirectory or Active Directory) that ZENworks references to enable capabilities such as user-based assignments, user association with devices, and ZENworks administrator accounts.

Port

LDAP: 389/3268

LDAPS: 636/3269

Recommendation

The ZENworks DMZ Server requires direct access to the LDAP directory.

How to Secure Access

Do not use the insecure (unencrypted) LDAP ports 389/3268.

Configure the firewall to allow communication on the secure port 636/3269 between the ZENworks DMZ Server and the LDAP server. Follow firewall best practices for restricting access to the port and the ZENworks DMZ Server IP address/DNS hostname.

21.1.3 ActiveSync Servers

Description

An ActiveSync Server is used with mobile management. The ZENworks MDM Server can act as a gateway to relay email between the ActiveSync Server and ZENworks-managed mobile devices.

ZENworks supports both the Microsoft Exchange and GroupWise Mobility Servers.

Port

443 (default)

Recommendation

If the ZENworks MDM Server is not functioning as an ActiveSync email gateway, you do not need to do anything. Otherwise, secure access as instructed below.

How to Secure Access

Configure the firewall to allow communication on the secure port 443 between the ZENworks DMZ Server and the ActiveSync server. Follow firewall best practices for restricting access to the port and the ZENworks DMZ Server IP address/DNS hostname.

21.1.4 ZENworks Primary Servers

Description

The ZENworks DMZ Server communicates with other ZENworks Servers for purposes such as content replication.

Port

443 and 80

Recommendation

Ensure that the ZENworks DMZ Server can communicate with the server from which it replicates its content. Additionally, if an internal CA is being used, ensure that the DMZ Primary Server can reach the Primary Server that holds the CA role.

How to Secure Access

Configure the firewall to allow communication on the secure port 443 between the ZENworks DMZ Server and any internal ZENworks Primary Servers. Follow firewall best practices for restricting access to the port and the ZENworks DMZ Server IP address/DNS hostname.
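The "How to Secure Access" guidance for the database (21.1.1), LDAP directory (21.1.2) and Primary Server (21.1.4) connections above, worked into one firewall ruleset. This is an added example, not part of the ZENworks documentation: it is a POSIX shell script that generates an nftables ruleset for a Linux firewall sitting between the DMZ and the internal network, restricted to the DMZ Server's source address and the listed ports, and it refuses to emit a rule for the cleartext LDAP ports. All IP addresses are constructed placeholders from documentation ranges, and the database type names and function names are assumptions of this example.

```shell
#!/bin/sh
# Generate an nftables ruleset restricting the ZENworks DMZ Server to the
# back-end ports listed in the reference. Addresses below are constructed
# placeholders (RFC 5737 documentation ranges); override them via environment.
DMZ_SERVER="${DMZ_SERVER:-192.0.2.10}"        # ZENworks DMZ Server
DB_SERVER="${DB_SERVER:-198.51.100.20}"       # ZENworks database server
LDAP_SERVER="${LDAP_SERVER:-198.51.100.30}"   # eDirectory / Active Directory
PRIMARY_SERVER="${PRIMARY_SERVER:-198.51.100.40}"  # internal Primary Server (content / CA role)

# Map the zone's database type (names assumed by this example) to its port.
db_port() {
  case "$1" in
    oracle)              echo 1521 ;;
    mssql)               echo 1433 ;;
    embedded-postgresql) echo 54327 ;;
    external-postgresql) echo 5432 ;;
    *) echo "unknown database type: $1" >&2; return 1 ;;
  esac
}

# Only the LDAPS ports may be opened; 389/3268 carry cleartext LDAP.
ldap_port_ok() {
  case "$1" in
    636|3269) return 0 ;;
    *)        return 1 ;;
  esac
}

# Usage: gen_ruleset <db-type> <ldaps-port>  (e.g. gen_ruleset oracle 636)
gen_ruleset() {
  port=$(db_port "$1") || return 1
  ldap_port_ok "$2" || { echo "refusing cleartext LDAP port $2" >&2; return 1; }
  cat <<EOF
table inet zenworks_dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $DMZ_SERVER ip daddr $DB_SERVER tcp dport $port ct state new accept
    ip saddr $DMZ_SERVER ip daddr $LDAP_SERVER tcp dport $2 ct state new accept
    ip saddr $DMZ_SERVER tcp dport { 389, 3268 } reject with tcp reset
    ip saddr $DMZ_SERVER ip daddr $PRIMARY_SERVER tcp dport 443 ct state new accept
    log prefix "zenworks-dmz-drop " drop
  }
}
EOF
}
```

Run `gen_ruleset oracle 636 > zenworks-dmz.nft` and load it with `nft -f zenworks-dmz.nft`; the final log-and-drop rule makes any other DMZ Server connection attempt visible in the firewall log.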

21.1.5 MDM Server Connections

Description

When the ZENworks DMZ Server is configured as an MDM Server, it must be able to reach certain endpoints to access apps and services.

Refer to Firewall Configuration in the ZENworks Mobile Management Reference.

Ports

Various

Recommendation

Ensure that the firewall is configured to allow outgoing stateful access to the services required to communicate with Apple and Google.

How to Secure Access

Follow the instructions in the Firewall Configuration document to configure the ports and URLs.