Secure (SSL) communication is required between the Management Service and the Policy Distribution Service and between the Security Client and the Management Service. Make sure the following requirements are met:
Policy Distribution Service: Configure Microsoft Internet Information Service (IIS) on the Policy Distribution server to accept (not require) SSL certificates. This enables the Policy Distribution Service to use SSL communication with the Management Service and non-SSL communication with the Security Client. Requiring (rather than just accepting) SSL certificates breaks communication to the Security Client.
To ensure that SSL certificates are accepted but not required, run the Microsoft Computer Management utility on the Policy Distribution server. In the utility, expand
> expand > expand > right-click > click > click the tab > click the button in the Secure communications group box. Make sure that the check box is not selected.Management Service: Configure Microsoft Internet Information Service (IIS) on the Management server to require SSL certificates. Communication between the Management Service and the two other components (Policy Distribution Service and Security Client) is always SSL. If the Management Service and Policy Distribution Service are on the same server, do not require SSL certificates. Instead, configure IIS to accept SSL certificates as explained in the previous requirement for the Policy Distribution server.
Set up SSL certificates for the Policy Distribution server and Management server using one of the following options:
Microsoft Certificate Services: Issue and manage your own certificates. For information, see the Microsoft site.
Certification Authority (CA): Obtain certificates from a trusted organization such as VeriSign*, GeoTrust*, or Thawte*.
Novell Self-Signed Certificate: Have the ZENworks Endpoint Security Management installation create self-signed certificates. This method is recommended only for small environments (100 users or less) or evaluation installations.
Make sure that the SSL certificates use the same server names (Policy Distribution server name and Management server name) used to resolve server names in Section 3.2, Ensuring Server Name Resolution. If you use Novell self-signed certificates, the installation program ensures that the correct server names are included in the certificates.
Validate the SSL connection from the Management server to the Policy Distribution server. To do so, open a Web browser on the Management server and enter https://DSNAME (where DSNAME is the server name of the Policy Distribution server). If you are not using Novell self-signed certificates, the browser should display valid data with no certificate warnings (valid data might be Page under Construction); any certificate warnings must be resolved before installation. If you are using Novell self-signed certificates, the certificate warnings are acceptable.
Validate the SSL connection from an endpoint device (a device where the Security Client will be installed) to the Management server. The first time the Security Client connects to the ZENworks Endpoint Security Management system, it connects to the Management server. All subsequent connections are non-SSL connections to the Policy Distribution server.