2.8 Starting Remote Management Operations

The remote operation can be initiated in the following ways:

2.8.1 Initiating a Session from the Management Console

In this scenario, the remote session is initiated by the administrator on the management console. The management console is typically placed within an enterprise network and the managed device can be either within or outside the enterprise network. The following illustration depicts a remote session initiated on the managed device from the management console.

Figure 2-1 Console-Initiated Session

The Remote Management Agent starts automatically when the managed device boots up. A default Remote Management policy is created on the managed device when the device is deployed. You can remotely manage the device using this default policy in rights-based authentication mode only. If you create a new Remote Management policy, the new policy overrides the default policy.

If the ZENworks Management Zone setup is spread across two or more NAT-enabled private networks that are interconnected by a public network, you must deploy DNS_ALG on the gateways of these private networks. DNS_ALG ensures that DNS lookup queries initiated by the ZENworks components return the hostname mapped to the correct private address, which enables communication between the management console and the managed devices. For more information on DNS_ALG, refer to RFC 2694 (http://www.ietf.org/rfc/rfc2694).

If you want to remotely manage a device by using its DNS name, ensure that Dynamic DNS service is deployed in the network.

The remote operator can initiate a session in any of the following ways:

Starting a Remote Management Operation in ZENworks Control Center

You can initiate the various Remote Management operations from the device context or the user context:

Initiating a Remote Management Session from the Device Context

To initiate a Remote Management session on a device:

  1. In ZENworks Control Center, click the Devices tab.

  2. Click Servers or Workstations and select the device you want to remotely manage. Click Action, then select the Remote Management operation you want to perform.

    or

    In Device Tasks in the left pane, select the Remote Management operation you want to perform.

    The available remote operations are:

    • Remote Control: Displays the Remote Management dialog box, which lets you perform a Remote Control, Remote View, or Remote Execute operation on the managed device.

    • Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.

    • Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.

  3. Fill in the options in the dialog box that displays. The following table contains information on the various options available:

    Field

    Details

    Device

    Specify the host name or the IP address of the device you want to remotely manage.

    Operation

    Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box.

    Application

    Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box.

    Authentication

    Select the mode you want to use to authenticate to the managed device. The authentication modes are:

    • Rights-Based Authentication

    • Password-Based Authentication

    Port

    Specify the port number on which the Remote Management service is listening. By default, the port number is 5950.

    Session Mode

    Select one of the following modes for the session:

    • Collaborate: Allows you to launch a Remote Control session and a Remote View session in collaboration mode. This mode is selected by default for the Remote Control operation. If you launch the Remote Control session on the managed device first, then you get the privileges of a master remote operator, which include:

      • Inviting other remote operators to join the remote session.

      • Delegating Remote Control rights to a remote operator.

      • Regaining control from the remote operator.

      • Terminating a Remote Session.

      The consecutive sessions launched are Remote View sessions.

      NOTE: The collaborate mode is not yet supported on Linux.

    • Shared: Allows more than one remote operator to simultaneously control the managed device.

    • Exclusive: Allows you to have an exclusive remote session on the managed device. No other remote session can be initiated on the managed device after a session has been launched in exclusive mode. This mode is selected by default for the Remote View operation.

    This option is available only in the Remote Management dialog box.

    Session Encryption

    Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol).

    Enable Caching

    Enables caching of the remote management session data to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. This option is currently supported only on Windows.

    Enable Dynamic Bandwidth Optimization

    Enables detection of the available network bandwidth and accordingly adjusts the session settings to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations.

    Enable Logging

    Logs session and debug information in the novell-zenworks-vncviewer.txt file. By default, the file is saved on the desktop if you launch ZENworks Control Center (ZCC) through Internet Explorer, and in the Mozilla installation directory if you launch ZCC through Mozilla Firefox.

    Route Through Proxy

    Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy.

    Fill in the following fields:

    Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy.

    Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750.

    NOTE: The Remote Management Audit displays the IP address of the device that is running the remote management proxy and not the IP address of the management console.

    Use the Following Key Pair for Identification

    If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields:

    Private Key: Click Browse to browse to and select the private key of the remote operator.

    Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone.

    The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate.

    Enable Cache Path: Enables the primary key and the certificate paths to be cached on the management console.

    This option is currently supported only on Windows.

  4. Click OK to launch the selected remote operation.

Initiating a Remote Management Session from the User Context

If you want to assist a user by performing a remote session on the managed device where he or she has logged in:

  1. In ZENworks Control Center, click the Users tab.

  2. Click the User Source.

  3. Select the user to remotely manage the device where he or she is logged in.

  4. Click Action, then select the Remote Management operation you want to perform.

    The available operations are:

    • Remote Control: Displays the Remote Management dialog box, which lets you perform a Remote Control, Remote View, or Remote Execute operation on the managed device.

    • Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.

    • Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.

  5. Fill in the options in the dialog box that displays. The following table contains information on the various options available:

    Field

    Details

    Device

    Specify the host name or the IP address of the device you want to remotely manage.

    Operation

    Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box.

    Application

    Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box.

    Authentication

    Select the mode you want to use to authenticate to the managed device. The authentication modes are:

    • Rights-Based Authentication

    • Password-Based Authentication

    Port

    Specify the port number on which the Remote Management service is listening. By default, the port number is 5950.

    Session Mode

    Select one of the following modes for the session:

    • Collaborate: Allows you to launch a Remote Control session and a Remote View session in collaboration mode. This mode is selected by default for the Remote Control operation. If you launch the Remote Control session on the managed device first, then you get the privileges of a master remote operator, which include:

      • Inviting other remote operators to join the remote session.

      • Delegating Remote Control rights to a remote operator.

      • Regaining control from the remote operator.

      • Terminating a Remote Session.

      The consecutive sessions launched are Remote View sessions.

      NOTE: The collaborate mode is not yet supported on Linux.

    • Shared: Allows more than one remote operator to simultaneously control the managed device.

    • Exclusive: Allows you to have an exclusive remote session on the managed device. No other remote session can be initiated on the managed device after a session has been launched in exclusive mode. This mode is selected by default for the Remote View operation.

    This option is available only in the Remote Management dialog box.

    Session Encryption

    Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol).

    Enable Caching

    Enables caching of the remote management session data to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. This option is currently supported only on Windows.

    Enable Dynamic Bandwidth Optimization

    Enables detection of the available network bandwidth and accordingly adjusts the session settings to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations.

    Enable Logging

    Logs session and debug information in the novell-zenworks-vncviewer.txt file. By default, the file is saved on the desktop if you launch ZENworks Control Center (ZCC) through Internet Explorer, and in the Mozilla installation directory if you launch ZCC through Mozilla Firefox.

    Route Through Proxy

    Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy.

    Fill in the following fields:

    Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy.

    Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750.

    NOTE: The Remote Management Audit displays the IP address of the device that is running the remote management proxy and not the IP address of the management console.

    Use the Following Key Pair for Identification

    If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields:

    Private Key: Click Browse to browse to and select the private key of the remote operator.

    Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone.

    The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate.

    Enable Cache Path: Enables the primary key and the certificate paths to be cached on the management console.

    This option is currently supported only on Windows.

  6. Click OK to launch the selected remote operation.

Starting a Remote Management Operation in Standalone Mode

Before starting the remote management operation in standalone mode, install the Remote Management viewer. For information on installing the viewer, see Section 2.6, Installing the Remote Management Viewer.

To start the Remote Management Operation in standalone mode:

  1. Double-click the nzrViewer.exe file to launch the ZENworks Remote Management Client.

  2. In the ZENworks Remote Management Connection window that displays, specify the DNS name or the IP address of the managed device and the port number in the format IP address~~Port. For example, 10.0.0.0~~1000.

  3. Specify the DNS name or the IP address of the remote management proxy and the port number in one of the following formats:

    • IP address~~Port. For example, 10.0.0.0~~5750.

    • IP address~Port. For example, 10.0.0.0~50.

  4. Click Connect.

    On successful authentication, the remote session starts. By default, a Remote Control session is launched.

Starting a Remote Management Operation by Using Command Line Options

Before you launch a Remote Management operation from the command line, install the Remote Management viewer. For information on installing the viewer, see Section 2.6, Installing the Remote Management Viewer.

To start the Remote Management operation by using the command line options:

  1. At the command prompt, change to the directory where the viewer is installed. The viewer is by default installed to the <User_Application_Data_Folder>\Novell\ZENworks\Remote Management\bin directory.

  2. Execute the following command:

    nzrViewer [/options<parameters if any>][IP address of the managed device] [~~port]

    The default port for the managed device is 5950.

    For information on the available command line options, see Section 2.9.1, Command Line Options for Launching a Remote Operation.

  3. Click Connect.

    On successful authentication, the remote session starts. If you have not specified the type of remote operation in the command line, a Remote Control session is launched by default.

However, starting a Remote Management operation by using the command line options has the following limitations:

  • If you do not specify the key, cert, and CAcert command line options in the nzrViewer command for SSL authentication, ensure that the Allow connection when Remote Management Console does not have SSL certificate option is enabled in the security settings of the Remote Management policy. However, this is not recommended because it reduces the security of the device.

  • If the managed device is a part of the Management Zone, ensure that the certificate presented by the viewer is valid, signed, and chained to the CA, or the SSL authentication fails.

    NOTE: When you launch a remote session from ZENworks Control Center (ZCC), the certificate is automatically generated by ZCC and passed on to the viewer to launch the session. The certificate is valid for only four days.

  • The managed device uses the certificate provided by the viewer to identify the remote operator. If the viewer does not provide a certificate, the user is not identified and is recorded as unknown in the permission message, visible signal, and audit logs.
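The following pre-flight check is an added example, not part of the ZENworks documentation or tooling. It uses the openssl command line to confirm that an operator certificate matches its private key, chains to the zone CA, and is not about to expire before you pass the files to the viewer. All file names and subject names are constructed, the key is assumed to be PEM, and PFX input is not handled.

```sh
#!/bin/sh
# Added example: pre-flight check of an operator key pair against the zone CA.
# All file names and the /CN= values below are constructed for this sketch.

# Print a certificate as PEM, accepting PEM or DER input.
pem_cert() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

# check_operator_cert CA_PEM CERT KEY_PEM [MIN_SECONDS_LEFT]
# Echoes ok | unreadable-cert | key-mismatch | chain-verify-failed | expires-too-soon
check_operator_cert() {
    ca=$1; cert=$2; key=$3; min_left=${4:-3600}
    tmp=$(mktemp) || return 2
    result=ok
    if ! pem_cert "$cert" > "$tmp"; then
        result=unreadable-cert
    else
        cert_pub=$(openssl x509 -in "$tmp" -noout -pubkey 2>/dev/null) || cert_pub=""
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            result=key-mismatch          # certificate does not belong to this key
        elif ! openssl verify -CAfile "$ca" "$tmp" >/dev/null 2>&1; then
            result=chain-verify-failed   # not signed by the CA, or already expired
        elif ! openssl x509 -in "$tmp" -noout -checkend "$min_left" >/dev/null 2>&1; then
            result=expires-too-soon      # matters for short-lived certificates
        fi
    fi
    rm -f "$tmp"
    echo "$result"
    [ "$result" = ok ]
}

# Build a throwaway CA, a 4-day operator certificate (PEM and DER) and an
# unrelated self-signed certificate, so the check can be exercised offline.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Zone CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-operator" \
        -keyout "$d/op.key" -out "$d/op.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/op.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 4 -out "$d/op.pem" 2>/dev/null &&
    openssl x509 -in "$d/op.pem" -outform DER -out "$d/op.der" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 4 -subj "/CN=constructed-operator" \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo"
check_operator_cert "$demo/ca.pem" "$demo/op.der" "$demo/op.key" || true
check_operator_cert "$demo/ca.pem" "$demo/rogue.pem" "$demo/rogue.key" || true
rm -rf "$demo"
```

The optional fourth argument sets how many seconds of validity must remain, which is useful with short-lived certificates such as the four-day ones described in the note above.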

2.8.2 Initiating a Session from the Managed Device

In this scenario, the remote session is initiated by the user on the managed device. This is useful if the management console cannot connect to the managed device. The following illustration depicts a remote session initiated by the user at the managed device.

Figure 2-2 Agent-Initiated Session

The user at the managed device can request a remote operator to perform a remote session on the device if:

  • The remote operator has launched the Remote Management listener to listen to the remote session requests from the user.

  • The Allow user to request a remote session option is enabled in the Remote Management policy.

  • The port at which the Remote Management listener listens for remote connections is opened in the management console firewall. The default port is 5550.

To request a session:

  1. Double-click the ZENworks icon in the notification area.

  2. In the left pane, navigate to Remote Management, then click General.

  3. Click Request Remote Management Session to display the Request Session dialog box.

    The ability to request a Remote Management session is controlled by your administrator, which means the option might be disabled, particularly if your company or department does not have dedicated help desk personnel to serve as on-call remote operators. If the Request Remote Management Session option is not displayed as linked text, the option is disabled.

  4. In the Listening Remote Operators list, select the remote operator you want to open the remote session with.

    or

    If the remote operator is not listed, provide the operator’s connection information in the Request Connection fields.

  5. In the Operation field, select the type of operation (Remote Control, Remote View, Remote Diagnostics, File Transfer, or Remote Execute) you want to open.

    For information about each operation, see Section 1.2, Understanding Remote Management Operations.

  6. Click Request to launch the session.

If you want to allow connections to be made from a public network into a private network, deploy the DNS Application Level Gateway (DNS_ALG). For more information on DNS_ALG, refer to RFC 2694.