6.1 Installing the Management Console for Use with the Management and Policy Distribution Services

If you have installed the Management Service and Policy Distribution Service, complete the tasks in the following sections to install the Management Console and configure a connection to your directory service.

6.1.1 Installing the Software

You can install the Management Console on the server where the Management Service resides, or you can install it on another computer that has direct communication with the Management Service.

  1. If you are not installing the Management Console on the same server as the Management Service:

    • Make sure the target computer meets the system requirements (see Section 2.2.3, Management Console Requirements)

    • Copy the ESM Setup Files folder from the Management server to the target computer’s desktop. Verify that the ESM Setup Files folder contains the following files before you copy it to the computer’s desktop: the Policy Distribution server’s SSL certificate, the Management server’s SSL certificate, and the STInstParam.id file.

  2. If you are using Microsoft Active Directory as your directory service, make sure that the computer is logged in to the Active Directory domain.

  3. At the target computer, insert the ZENworks Endpoint Security Management disk to run the Master Installer.

    The Master Installer is a set of browser-based screens that helps you launch the setup programs for the various ZENworks® Endpoint Security Management components.

    If the Master Installer does not auto-run, double-click default.htm at the root of the disk.

  4. Click the language you want to use for the text displayed on the Master Installer pages.

  5. Click Consolidated Setup or Distributed Setup.

    Both options enable you to install the Management Console.

  6. Click ZENworks Management Console to launch the Management Console installation program.

    You can also launch the installation program directly from the installation media:

    \Installs\MC\setup.exe

  7. Select the display language for the installation program, then click OK.

  8. Complete the installation, using information from the following table. Each row of the table corresponds to one of the installation program screens that requires input.

    Installation Prompt

    Explanation

    Setup type

    A Typical installation uses the server and SSL information contained in the STInstParam.id file located in the ESM Setup Files folder, if the folder is located on the computer’s desktop. If the folder is not located on the desktop, the Typical installation displays the same prompts as a Custom installation.

    A Custom installation displays all of the information prompts. If the ESM Setup Files folder is located on the desktop, the information from the STInstParam.id is used for the defaults. You can change the defaults if necessary.

    Policy Distribution Service host name

    Specify the hostname of the server where the Policy Distribution Service is installed. The hostname you use (local name or fully qualified domain name) depends on the location of the server and must match the hostname as defined in the server’s SSL certificate.

    Management Service host name

    Specify the hostname of the server where the Management Service is installed. The hostname you use (local name or fully qualified domain name) depends on the location of the server and must match the hostname as defined in the server’s SSL certificate.

    SQL Server used by the Management Service

    Provide both the physical server name and the SQL Server name (default instance or named instance) where the Management database resides. For example, if the physical server name is SERVER1 and the named instance of the SQL Server is SQL2008, you would enter:

    SERVER1\SQL2008

    If the SQL Server is using the default instance, you would enter:

    SERVER1\MSSQLSERVER

    SQL Server used by the Reporting Service

    Provide both the physical server name and the SQL Server name (default instance or named instance) where the Reporting database resides. For example, if the physical server name is SERVER1 and the named instance of the SQL Server is SQL2008, you would enter:

    SERVER1\SQL2008

    If the SQL Server is using the default instance, you would enter:

    SERVER1\MSSQLSERVER

    Management database name

    Specify the name of the database created for the Management Service. If you used the default, the name is STMSDB.

    Reporting database name

    Specify the name of the database created for the Reporting Service. If you used the default, the name is STRSDB.

    SSL certificates

    Specify if existing certificates were used when installing the Policy Distribution Service and Management Service, or if the installation program created Novell® self-signed certificates.

    Log File Group Folder

    Each database (Management and Reporting) has a set of log files associated with it. By default, the log files are installed to the SQL Server’s DATA directory. If you have another location where you keep your log files, select that location instead.

  9. When the installation is complete, select the Launch the ESM Management Console now option, then click Finish.

    You can also launch the Management Console by double-clicking the ESM Management Console icon on the desktop or by selecting the Start menu > All Programs > Novell > ESM Management Console > Management Console.

    The Management Console starts with the New Directory Service Configuration Wizard displayed. The wizard lets you set up the connection to your directory service and specify the users and computers you want to manage with ZENworks Endpoint Security Management.

  10. Continue with the next section, Creating a Directory Service Configuration.
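Before running the installer on a separate console computer, it is worth confirming that the copied ESM Setup Files folder is complete (step 1) and that each server certificate really carries the hostname you intend to enter for the Policy Distribution Service and Management Service (step 8), since a mismatch is only discovered after the console fails to connect. The following PowerShell script is an added check, not part of ZENworks or this guide; the certificate file names and hostnames are placeholders, because the guide does not name the certificate files.

```powershell
# Added pre-install check; not ZENworks code. Assumes the ESM Setup Files folder
# sits on the desktop as the guide requires. File names and hostnames below are
# placeholders: substitute the real certificate files and your server names.
$SetupDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'ESM Setup Files'

# certificate file => hostname you will type into the installer for that server
$CertHosts = @{
    'PDS-CERT-PLACEHOLDER.cer' = 'pds.example.com'   # Policy Distribution Service
    'MS-CERT-PLACEHOLDER.cer'  = 'ms.example.com'    # Management Service
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17), plus the subject CN
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    return $names
}

function Test-EsmSetupFiles {
    param([string]$Folder, [hashtable]$Hosts)
    $ok = $true
    if (-not (Test-Path (Join-Path $Folder 'STInstParam.id'))) {
        Write-Warning 'STInstParam.id is missing: a Typical setup will fall back to the Custom prompts'
        $ok = $false
    }
    foreach ($file in $Hosts.Keys) {
        $path = Join-Path $Folder $file
        if (-not (Test-Path $path)) { Write-Warning "Missing certificate: $path"; $ok = $false; continue }
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
        $names = Get-CertDnsNames $cert
        $want  = $Hosts[$file]
        if ($names -notcontains $want) {
            Write-Warning "$file names [$($names -join ', ')] do not include '$want'; the installer hostname must match the certificate"
            $ok = $false
        }
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$file expired on $($cert.NotAfter)"; $ok = $false }
        # The same name must also resolve from this console computer
        try { [void][System.Net.Dns]::GetHostEntry($want) }
        catch { Write-Warning "'$want' does not resolve from this computer"; $ok = $false }
    }
    return $ok
}

Test-EsmSetupFiles -Folder $SetupDir -Hosts $CertHosts
```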

6.1.2 Creating a Directory Service Configuration

ZENworks Endpoint Security Management integrates with Microsoft Active Directory and Novell eDirectory™ to enable security policies to be published to the users and computers in the directory. When the Security Client authenticates through a user or computer account, any policies associated with the account are applied to the computer.

When you create a directory service configuration for one of these directories, you define the connection information for the directory and identify the users or computers to whom policies can be published. The following sections provide instructions for creating configurations for the two directory services:

Defining eDirectory as the Directory Service

  1. Make sure the New Directory Service Configuration Wizard is displayed.

    If the wizard is not displayed, launch the Management Console by double-clicking the ESM Management Console icon on the desktop or by selecting the Start menu > All Programs > Novell > ESM Management Console > Management Console.

  2. Complete the wizard. The following table provides information for each of the pages.

    IMPORTANT: Do not use the wizard’s Back button. Doing so can result in lost settings and incorrect data synchronization from the directory service to the Management database. If you make a mistake, cancel the wizard and begin again.

    Wizard Page

    Explanation

    Configure Server

    Select Novell eDirectory.

    In the Name field, specify a name that identifies this configuration in the Management Console. When users log in through the Security Client, they must select the directory service configuration that represents the directory service in which their user account exists. If you will have multiple directory service configurations, we recommend that the names you provide for the configurations are the same as or similar to the eDirectory tree names so that users recognize which configuration to select.

    Connect to Server

    Host Name: Specify the DNS name or IP address of an eDirectory server.

    Port: Specify the eDirectory server port. The default is 389 (non-secure) or 636 (secure).

    Enable Encryption for this session using TLS/SSL: Select this option if you want to use either TLS or SSL to encrypt the current session. Encrypting the session ensures that the eDirectory data imported by the Management Console is secure during transmission. If you enable this option, you must use port 389 or 636.

    Provide Credentials

    The Management Console requires a user account for authentication to eDirectory.

    User Name: Specify the login name of a user who has permission to view the entire directory.

    Password: Specify the password for the user account.

    Context: Specify the user’s context.

    Select Directory Partition(s)

    To receive security policies, the Security Client must authenticate to eDirectory through a user or workstation account. You must identify the location of the users or workstations that you want to be able to authenticate. The first step is to select the partitions that contain the users or workstations.

    Select Client Context(s)

    The second step in identifying the location of the users or workstations that you want to be able to authenticate is to select the containers in which the users or workstations reside.

    Select Context(s) for Synchronization

    To publish a security policy to a user or workstation, the user or workstation must be available in the Management Console. There are two ways a user or workstation becomes available in the console:

    • You use this page to synchronize the Management Console with eDirectory. To do so, select the eDirectory containers with users or workstations you want to populate into the Management Console. You can synchronize only the containers you selected as Client contexts (the previous page).

    • Wait for the user or workstation to authenticate through the Security Client. When the user or workstation checks in, it is automatically added to the Management Console.

    Synchronizing containers prepopulates the Management Console so that you can immediately publish security policies to individual users or workstations. If you don’t synchronize containers, you must publish security policies at the container level (which means all users or workstations in the container receive the policies) or wait for individual users or workstations to authenticate and be added to the Management Console.

  3. If you have not already done so, click Finish to complete the directory service configuration.

    The directory is added to the Directory Service Configurations list.

    If you selected containers to synchronize, the Management Console begins the synchronization. You can double-click in the Windows notification area to display the Directory Services Synchronization dialog box.

    The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.

Defining Active Directory as the Directory Service

For the Active Directory domain you are connecting to, the Domain Controller must reside on Windows Server 2000 with SP4, Windows Server 2003, or Windows Server 2008.

If a Windows Server 2008 Domain Controller is down when you run the New Directory Service Configuration Wizard, the wizard might error out. If this occurs, set the port to 389 when running the wizard.

  1. Make sure the computer is logged in to the Active Directory domain.

  2. Make sure the New Directory Service Configuration Wizard is displayed.

    If the wizard is not displayed, launch the Management Console by double-clicking the ESM Management Console icon on the desktop or by selecting the Start menu > All Programs > Novell > ESM Management Console > Management Console.

  3. Complete the wizard. The following table provides information for each of the pages.

    IMPORTANT: Do not use the wizard’s Back button. Doing so can result in lost settings and incorrect data synchronization from the directory service to the Management database. If you make a mistake, cancel the wizard and begin again.

    Wizard Page

    Explanation

    Configure Server

    Select Microsoft Active Directory.

    In the Name field, specify a name that identifies this configuration in the Management Console. When users log in through the Security Client, they must select the directory service configuration that represents the directory service in which their user account exists. If you will have multiple directory service configurations, we recommend that the names you provide for the configurations are the same as or similar to the domain names so that users recognize which configuration to select.

    Connect to Server

    Host Name: Specify the DNS name or IP address of an Active Directory server. By default, the field is populated with the address of an Active Directory server in the Management Console’s domain. To select a different Active Directory server, click Browse.

    Port: 3268 (the default) is the Active Directory Global Catalog server port. If the specified Active Directory server is not a Global Catalog server, specify a different port (for example, 389).

    Enable Encryption: Select this option if you want to use either Kerberos* or NTLM to encrypt the current session. Encrypting the session ensures that the Active Directory data imported by the Management Console is secure during transmission.

    Provide Credentials

    The Management Console requires a user account for authentication to Active Directory.

    User Name: Specify the login name of a user who has permission to view the entire directory. We recommend that you use the domain administrator.

    Password: Specify the password for the user account.

    Domain: Select the user’s domain.

    Authentication Method: Select the authentication method required by the Active Directory server (Basic, Kerberos, NTLM, Negotiate).

    Locate Account Entry

    This page is displayed only if the administrator account you specified is not in a standard Active Directory user container. Expand the directory tree to locate and select the administrator’s container.

    Select Authenticating Domain(s)

    To receive security policies, the Security Client must authenticate to Active Directory through a user or computer account. You must identify the location of the users or computers that you want to be able to authenticate. The first step is to select the domains that contain the users or computers.

    Select Client Container(s)

    The second step in identifying the location of the users or computers that you want to be able to authenticate is to select the containers in which the users or computers reside.

    Select Container(s) for Synchronization

    To publish a security policy to a user or computer, the user or computer must be available in the Management Console. There are two ways a user or computer becomes available in the console:

    • You use this page to synchronize the Management Console with Active Directory. To do so, select the Active Directory containers with users or computers you want to populate into the Management Console. You can synchronize only the containers you selected as Client containers (the previous page).

    • Wait for the user or computer to authenticate through the Security Client. When the user or computer checks in, it is automatically added to the Management Console.

    Synchronizing containers prepopulates the Management Console so that you can immediately publish security policies to individual users or computers. If you don’t synchronize containers, you must publish security policies at the container level (which means all users or computers in the container receive the policies) or wait for individual users or computers to authenticate and be added to the Management Console.

  4. If you have not already done so, click Finish to complete the directory service configuration.

    The directory is added to the Directory Services Configuration list.

    If you selected containers to synchronize, the Management Console begins the synchronization. You can double-click in the Windows notification area to display the Directory Services Synchronization dialog box.

    The synchronization occurs in the background. If you exit the Management Console, the synchronization stops. When you open the Management Console again, the synchronization resumes where it left off.
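Because the wizard’s Back button cannot be used, it helps to test the Connect to Server and Provide Credentials settings for either directory before starting it: the server and port, whether TLS/SSL is accepted, and whether the account can bind and read. The following PowerShell script is an added check, not part of ZENworks or this guide; it assumes the .NET System.DirectoryServices.Protocols LDAP client is available on the console computer, and the server names, account names and DNs are placeholders. For eDirectory it builds the bind DN from the user name and context the wizard asks for; for Active Directory it also lists the Global Catalog servers, since port 3268 (the wizard default) only answers on a Global Catalog.

```powershell
# Added pre-flight check; not ZENworks code. Binds with the same server, port,
# encryption and credentials you intend to give the wizard, then runs a base-scope
# search so an under-privileged account or untrusted LDAPS certificate fails here.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Add-Type -AssemblyName System.DirectoryServices

function Test-DirectoryBind {
    param(
        [string]$Server, [int]$Port, [switch]$Ssl,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [System.Net.NetworkCredential]$Credential,
        [string]$BaseDn = ''                       # '' = rootDSE
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $AuthType)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Ssl   # LDAPS on 636 = the wizard's TLS/SSL option
    # No VerifyServerCertificate override: an untrusted server certificate is meant to fail
    try {
        $conn.Bind()
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=*)', $scope, [string[]]@('objectClass'))
        $res = $conn.SendRequest($req)
        "OK   {0}:{1} bound as '{2}', base search returned {3} entry(ies)" -f $Server, $Port, $Credential.UserName, $res.Entries.Count
        return $true
    } catch {
        Write-Warning ("FAIL {0}:{1} {2}" -f $Server, $Port, $_.Exception.Message)
        return $false
    } finally { $conn.Dispose() }
}

# eDirectory: simple (Basic) bind over LDAPS. The wizard takes User Name and Context
# separately; the LDAP bind needs them joined into one DN (placeholder values).
$edirUser    = 'esmreader'
$edirContext = 'ou=svc,o=acme'
$edirCred = New-Object System.Net.NetworkCredential("cn=$edirUser,$edirContext", (Read-Host 'eDirectory password' -AsSecureString))
Test-DirectoryBind -Server 'edir.example.com' -Port 636 -Ssl -AuthType Basic -Credential $edirCred -BaseDn 'o=acme'

# Active Directory: Negotiate (Kerberos or NTLM) on the Global Catalog port 3268.
# List the forest's Global Catalogs first; a non-GC server needs port 389 instead.
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindAllGlobalCatalogs() |
    Select-Object -ExpandProperty Name
$adCred = New-Object System.Net.NetworkCredential('esmreader', (Read-Host 'AD password' -AsSecureString), 'ACME')
Test-DirectoryBind -Server 'dc1.acme.example' -Port 3268 -AuthType Negotiate -Credential $adCred
```

An account that binds but returns zero entries, or fails only when $Ssl is set, points at directory permissions or the server certificate respectively rather than at the wizard.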