The Remote Management settings are rules that determine the behavior or the execution of the Remote Management service on the managed device. The settings include configuration for the ports, session settings, and performance settings during the remote session. These settings can be applied at zone, folder, and device levels.
The following sections provide information on configuring the Remote Management settings at the different levels:
By default, the Remote Management settings configured at the zone level apply to all the managed devices.
In ZENworks Control Center, click Configuration.
In the Management Zone Settings panel, click Device Management, then click Remote Management.
Select Run Remote Management Service on Port and specify the port to enable the Remote Management service to run on that port.
By default, the Remote Management service listens on port number 5950.
Select the Session Settings options:
Field | Details |
---|---|
Look Up Viewer DNS Name at the Start of the Remote Session | Enables the Remote Management service to look up the DNS name of the management console at the start of the remote session. The name is saved in the audit logs and is displayed as a part of the session information during the remote sessions. If this option is not selected or the Remote Management service is unable to find the console name, then the console name is displayed as unknown. If your network does not have reverse DNS lookup enabled, then we recommend that you disable this setting to prevent a significant delay in starting the remote session. |
Allow Remote Session when no user is logged on to the managed device | Enables a remote operator to remotely manage a device when the policy allows the remote operation but no user has logged in to the device. This option is selected by default. |
Select from the following options for improving the performance of a remote session:
Field | Details |
---|---|
Suppress Wallpaper | Suppresses the wallpaper on the managed device during a remote session. This prevents the bitmap data of wallpaper from being repeatedly sent to the Remote Management console and thereby enhances the performance of the remote session. By default, this setting is enabled. |
Enable Optimization Driver | Enables the optimization driver, which is installed by default on every managed device. If you select this option, only the changed portion of the screen on the managed device is captured and updated on the Remote Management console during the remote session, thereby enhancing the performance of the remote session. By default, this setting is enabled. |
(Optional) Configure a remote management proxy to perform remote operations on the managed device.
If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy. You must install the proxy separately. For information on installing the remote management proxy, see Section 2.5.1, Installing a Remote Management Proxy.
Task | Details |
---|---|
Add a remote management proxy | |
Delete a remote management proxy | |
(Optional) Configure an application to be launched on the managed device during the Remote Diagnostics session by adding it to the Diagnostics Applications list. By default, the list includes the following applications:
System Information
Computer Management
Services
Registry Editor
The following table lists the tasks that you can perform to customize the Diagnostics Applications list:
Task | Details |
---|---|
Add an application | |
Delete an application | |
Revert to default applications | |
Click Apply, then click OK.
These changes take effect on the device when the device is refreshed.
By default, the Remote Management settings configured at the zone level are applied to all the managed devices. However, you can modify these settings for the devices within a folder:
In ZENworks Control Center, click Devices.
Click the folder (details) for which you want to configure the Remote Management settings.
Click Settings, then click Device Management > Remote Management.
Click Override.
Edit the Remote Management settings as required.
To apply the changes, click Apply.
or
To revert to the system settings configured at the zone level, click Revert.
Click OK.
These changes take effect on the device when the device is refreshed.
By default, the Remote Management settings configured at the zone level are applied to all the managed devices. However, you can modify these settings for the managed device:
In ZENworks Control Center, click Devices.
Click Servers or Workstations to display the list of managed devices.
Click the device for which you want to configure the Remote Management settings.
Click Settings, then click Device Management > Remote Management.
Click Override.
Edit the Remote Management settings as required.
To apply the changes, click Apply.
or
To revert to the previously configured system settings on the device, click Revert.
If the Remote Management settings on the device were configured at the folder level, the settings revert to the configured folder level settings; otherwise, they revert to the default zone level settings.
Click OK.
These changes take effect on the device when the device is refreshed.
While remote controlling a device, you might have changed a few settings in the ZENworks Remote Management Viewer Options window and you might want to apply the same changes to other managed devices in the zone. To export remote management viewer settings, perform the following:
Remote control any device, and make necessary changes in the ZENworks Remote Management Viewer Connection Options window.
Click OK to save and exit the remote control session.
Open the Registry Editor.
In the Start Menu, either in the Run box or in the Search box, type regedit, and then press Enter.
In the Registry Editor window, navigate to HKEY_CURRENT_USER > Software > Novell > ZCM > Remote Management > Viewer > History.
Rename the existing device history settings registry key to Default, or create a registry key with custom settings.
NOTE: Run-time changes are not saved to the Default registry key; they are saved to the device-specific registry key.
Export the registry key by clicking the File menu, then clicking Export.
Import the registry key to all the managed devices.
To import the registry key, you can either do it manually or create a bundle and then publish it on all the required managed devices.
The Default registry key can be used for all standard settings that the administrator wants to make common across the devices in the zone.
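The export and import steps above can be scripted so that the file distributed to other machines is checked before it is imported. The following PowerShell is an added example, not part of the ZENworks documentation: the function names and the .reg file name are assumptions, and the key path is the one given in the steps above.

```powershell
# Added example. Function and file names are hypothetical; the key path is from the steps above.
$ViewerDefaultKey = 'HKEY_CURRENT_USER\Software\Novell\ZCM\Remote Management\Viewer\History\Default'

function Export-ViewerDefaults {
    # Export only the Default key, not the whole History tree with its per-device keys.
    param([Parameter(Mandatory)][string] $OutFile)
    & reg.exe export $ViewerDefaultKey $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed (exit $LASTEXITCODE). Does the Default key exist for this user?"
    }
}

function Get-RegFileScopeViolation {
    # Return every key header in a .reg file that deletes a key ("[-...]") or that
    # lies outside the allowed key. No output means the file stays in scope.
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $AllowedKey = $ViewerDefaultKey
    )
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(-?)(.+)\]\s*$') {
            $isDelete = $Matches[1] -eq '-'
            $key      = $Matches[2]
            $inScope  = ($key -eq $AllowedKey) -or
                        $key.StartsWith("$AllowedKey\", [System.StringComparison]::OrdinalIgnoreCase)
            if ($isDelete -or -not $inScope) { $line.Trim() }
        }
    }
}

function Import-ViewerDefaults {
    # Refuse to import a file that touches anything other than the Default key.
    param([Parameter(Mandatory)][string] $Path)
    $bad = @(Get-RegFileScopeViolation -Path $Path)
    if ($bad.Count -gt 0) {
        throw "Refusing to import '$Path'; unexpected key headers: $($bad -join '; ')"
    }
    & reg.exe import $Path
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)." }
}

# On the machine where the viewer options were set:
#   Export-ViewerDefaults -OutFile .\zrm-viewer-default.reg
# On each target machine:
#   Import-ViewerDefaults -Path .\zrm-viewer-default.reg
```

Because the key lives under HKEY_CURRENT_USER, the import has to run in the context of the user account that launches the viewer; an import run under a different account writes to that account's hive instead.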
The Remote Management policy lets you configure the behavior or execution of a Remote Management session on the managed device. The policy includes settings for Remote Management operations such as Remote Control, Remote View, Remote Execute, Remote Diagnostics, and File Transfer, and also allows you to control settings for security.
By default, a secure Remote Management policy is created on the managed device when the ZENworks Agent is deployed with the Remote Management component on the device. You can use the default policy to remotely manage a device. To override the default policy, you can explicitly create a Remote Management policy for the device.
In ZENworks Control Center, click the Policies tab.
In the Policies list, click New, then click Policy to display the Select Policy Type page.
Select Remote Management Policy, click Next to display the Define Details page, then fill in the fields:
Policy Name: Provide a unique name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder.
Folder: Type the name or browse to the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.
Description: Provide a short description of the policy’s content. This description displays in the summary page of the policy in ZENworks Control Center.
Click Next to display the Remote Management General Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.
Field | Details |
---|---|
Allow User to Request a Remote Session | Enables the user on the managed device to request a remote operator to perform a remote session. The remote operator must ensure that the Remote Management Listener is running. |
Terminate the Remote Session When Permission Is Required from a New User Logging In to the Managed Device | Terminates an ongoing remote session when permission is required from a new user who has logged into a remotely managed device. |
Display Remote Session Audit Information to the User on the Managed Device | Allows the user on the managed device to view the audit information for remote sessions from the ZENworks icon. |
Display Remote Management Properties in the ZENworks Icon | Allows the user on the managed device to view the properties associated with the Remote Management policy in the ZENworks icon. |
Edit | To edit the message displayed to the user on the managed device before starting a remote session: |
Restore default | To restore the default message: |
Add a Remote Listener | To add a Remote Listener: |
Delete a Remote Listener | To delete a Remote Listener: |
Click Next to display the Remote Control Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.
Field | Details |
---|---|
Allow Managed Device to be Controlled Remotely | Allows Remote Control sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Control operation on the device. |
Ask Permission from User on Managed Device Before Starting Remote Control | Allows you to request permission from the user on the managed device before starting a Remote Control session. |
Give Visible Signal to User on Managed Device During Remote Control | Displays a visible signal in the top right corner of the managed device desktop during the Remote Control session. The visible signal lets the user on the managed device know that a Remote Control session is in progress. |
Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Control | Generates a beep on the managed device during a Remote Control session. The beep is generated periodically after the specified number of seconds. |
Allow Managed Device Screen to be Blanked During Remote Control | Enables blanking of the screen of the managed device during a Remote Control session. Selecting this option also locks the keyboard and the mouse controls of the managed device. |
Allow Managed Device Mouse and Keyboard to be Locked During Remote Control | Enables locking of the managed device mouse and keyboard during a Remote Control session. |
Allow Screen Saver to be Automatically Unlocked During Remote Control | Enables the unlocking of a password-protected screen saver from the Remote Control Viewer before the start of a Remote Control session on the managed device. |
Automatically Terminate Remote Control Session After Inactivity of [ ] Minutes | Terminates a Remote Control session on the managed device if it has been inactive for the specified duration. |
Click Next to display the Remote View Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.
Field | Details |
---|---|
Allow Managed Device to be Viewed Remotely | Allows Remote View sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote View operation on the device. |
Ask Permission from User on Managed Device Before starting Remote View | Allows you to request permission from the user on the managed device before starting a Remote View session. |
Give Visible Signal to User on Managed Device During Remote View | Displays a visible signal in the top right corner of the managed device desktop during the Remote View session. The visible signal lets the user on the managed device know that a Remote View session is in progress. |
Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote View | Generates a beep on the managed device during the Remote View session. The beep is generated periodically after the specified number of seconds. |
Click Next to display the Remote Diagnostics Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.
Field | Details |
---|---|
Allow Managed Device to be Diagnosed Remotely | Allows Remote Diagnostics sessions on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Diagnostics operation on the device. |
Ask Permission from User on Managed Device Before starting Remote Diagnostics | Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Diagnostics session. |
Give Visible Signal to User on Managed Device During Remote Diagnostics | Displays a visible signal in the top right corner of the managed device desktop during the Remote Diagnostics session. The visible signal lets the user on the managed device know that a Remote Diagnostics session is in progress. |
Give Audible Beep to User on Managed Device Every [ ] Seconds During Remote Diagnostics | Generates a beep on the managed device during the Remote Diagnostics session. The beep is generated periodically after the specified number of seconds. |
Allow Managed Device Screen to be Blanked During Remote Diagnostics | Enables blanking of the screen of the managed device during a Remote Diagnostics session. The managed device keyboard and mouse are always locked during a Remote Diagnostics session. Selecting this option also disables the visible signal on the managed device. |
Display Warning Message Before Reboot for [ ] Seconds | Displays a warning message on the managed device at the start of the Remote Diagnostics session, reminding the user to save all existing applications. This warning message is displayed for the specified duration to prevent the user from losing any unsaved data, because the remote operator might initiate a system reboot during the Remote Diagnostics session. |
Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes | Terminates the Remote Diagnostics session if it is inactive for the specified duration. |
Click Next to display the Remote Execute Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default settings.
Field | Details |
---|---|
Allow programs to be remotely executed on the managed device | Allows programs to be executed remotely on the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the Remote Execute operation on the device. |
Ask permission from User on Managed Device Before Starting Remote Execute | Ensures that the remote operator requests permission from the user on the managed device before starting a Remote Execute session. |
Give Visible Signal to User on Managed Device During Remote Execute | Displays a visible signal in the top right corner of the managed device desktop during the Remote Execute session. The visible signal lets the user on the managed device know that a Remote Execute session is in progress. |
Automatically Terminate Remote Diagnostics Session After Inactivity of [ ] Minutes | Terminates the Remote Execute session if it is inactive for the specified duration. |
Click Next to display the File Transfer Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.
Field | Details |
---|---|
Allow Transferring Files on Managed Device | Enables transfer of files between the management console and the managed device. Selecting this option enables the subsequent options on the page. Deselecting the option disables the File Transfer operation on the device. |
Ask permission from User on Managed Device Before Starting File Transfer | Ensures that the remote operator requests permission from the user on the managed device before starting a File Transfer session. |
Give Visible Signal to User on Managed Device During File Transfer | Displays a visible signal in the top right corner of the managed device desktop during the File Transfer session. The visible signal lets the user on the managed device know that a File Transfer session is in progress. |
Allow Files to be Downloaded from Managed Device | Allows a remote operator to open files on the managed device and transfer them to the management console. If this option is not selected, the remote operator can only transfer files from the management console to the managed device. |
File Transfer Root Directory | Specify the managed device directory to be seen by the remote operator during a File Transfer session. The remote operator can only transfer files to and from this directory and its subdirectories. The default directory is My Computer, which means that the remote operator can see and transfer files in the entire file system of the managed device. |
Click Next to display the Security Settings page. To accept the default settings, proceed to the next step, or use the information specified in the following table to change the default security settings.
Field | Details |
---|---|
Enable Password Based Authentication | Allows the remote operator to use a password to authenticate to the managed device. Select this option to configure the password type settings. |
Minimum Password Length | Allows you to specify the minimum length for the password. By default, it is 6 characters. |
Session Password | Select this option to prompt the user on the managed device to set a password before the start of a new remote session. This option is recommended because the password is not stored on the managed device and is valid only for the current session. |
Persistent Password | Select this option to set the ZENworks and VNC passwords. Setting the ZENworks Password is recommended because it is safer and more secure than the VNC Password. This password can be set by the administrator through the Remote Management policy or by the managed device user from the ZENworks icon. Selecting this option enables the subsequent options. To enable the user to set the password through the ZENworks icon, select the Allow user to override default passwords on managed device option. |
ZENworks Password | To clear the ZENworks password: To set the ZENworks password: |
VNC Password | To clear the VNC password: To set the VNC password: |

Field | Details |
---|---|
Enable Intruder Detection | Select this option to enable the detection of invalid or unauthorized attempts to launch a remote session on the managed device. Selecting this option enables the subsequent options in the Intruder Detection section. |
Suspend Accepting Connections After [ ] Successive Invalid Attempts | Specify the maximum number of consecutive invalid attempts a remote operator can make before the Remote Management service on the managed device is blocked. By default, it is five attempts. |
Automatically Start Accepting Connections After [ ] Minutes | Specify the time in minutes after which the Remote Management Agent automatically accepts a connection to the managed device. To manually unblock the Remote Management service, double-click the ZENworks Agent icon, click Security Settings, then click Enable Accepting Connections if Currently Blocked Due to Intruder Detection. By default, it is 10 minutes. |

Field | Details |
---|---|
Enable Session Encryption | Enables session encryption using SSL encryption (TLSv1 protocol). Selecting this option enables the subsequent options in the Session Security section. |
Allow Connection When Remote Management Console Does Not Have SSL Certificate | When a remote session is launched from the ZENworks Control Center, a certificate is automatically generated for a remote operator. This certificate is used during authentication. Select this option to allow connections from a Remote Management console launched outside ZENworks Control Center that might not have an SSL certificate. |
Allow up to [ ] levels in Viewer certificate chain | The Novell rights-based and password-based authentication schemes are played over an SSL encrypted channel. The establishment of this channel requires the viewer to present a certificate. This certificate can be signed by an intermediate or a root certificate authority, thereby creating a certificate chain. This property defines the maximum number of levels that are allowed in the viewer's certificate chain. When the ZENworks internal certificate authority is employed (it is installed by default), a two-level viewer certificate chain is automatically created while launching a remote session from ZENworks Control Center. |

Field | Details |
---|---|
Lock Device | Locks the managed device when the remote session is terminated abnormally. |
Log Off User | Logs off the user on the managed device when the remote session is terminated abnormally. |
Click Next to display the Summary page.
Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, enforcement, status, and which group the policy is a member of.
You can assign rights to a Remote Operator to perform remote sessions on the managed device. The Remote Operator can have device-specific rights as well as user-specific rights.
In ZENworks Control Center, click Configuration.
In the Administrators panel, click the name of the administrator to whom you want to assign the Remote Management rights.
In the Assigned Rights panel, click Add, then click Remote Management Rights to display the Remote Management Rights dialog box.
Select the device or the user to assign the rights.
The following table contains information on the Remote Management rights:
Remote Management Rights | Details |
---|---|
Remote Control | Assign the remote operator the rights to remotely control devices. |
Remote View | Assign the remote operator the rights to remotely view devices. |
Remote Diagnostics | Assign the remote operator the rights to remotely diagnose devices. |
Remote Execute | Assign the remote operator the rights to remotely execute applications on devices. |
Transfer Files | Assign the remote operator the rights to transfer files to or from devices. |
Unblock Remote Management Service | Assign the remote operator the rights to unblock the Remote Management Service that has been locked due to intruder detection. |
NOTE: The Remote Management rights are applicable only for Rights based authentication. However, the remote operator can perform the Remote Management operation using Password based authentication if the Remote Management policy allows.
Click OK.
The following sections provide information on configuring the Remote Management password for the Remote Management service on the managed device:
The Administrator can set a Remote Management password in the Security Settings page while creating a Remote Management policy or after creating the policy.
If you want to set the password while creating the Remote Management policy, see Section 2.1.2, Creating the Remote Management Policy.
To edit the password set in the Remote Management policy:
In ZENworks Control Center, click Policies.
Click the Remote Management policy, then click the Settings tab.
In the Security Settings panel, select the password and replace it with the new password.
Click Apply.
Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the passwords on the managed device.
If you want to set the password after creating the Remote Management policy:
In ZENworks Control Center, click Policies.
Click the Remote Management policy, then click the Settings tab.
In the Security Settings panel, select Enable Password Based Authentication, then select Persistent.
Click Set Password and specify the password. If you have already set the password while creating the Remote Management policy, then you can edit the password. To edit the password, select the password and replace it with the new password.
Click Apply.
Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the passwords on the managed device.
The user at the managed device can set a password for the Remote Management service if the Allow user to override default password on the managed device option is enabled in the Remote Management policy effective on the managed device. This password has precedence over the password set in the Remote Management policy.
To set a password on the managed device:
Double-click the ZENworks Agent icon to display the ZENworks Agent window.
In the left pane, navigate to Remote Management, then click Security.
In the right pane, click Set Password to set the following passwords:
ZENworks password (Recommended): Used in ZENworks authentication. It can be up to 255 characters long.
VNC password: Used in VNC authentication for interoperability with open source VNC viewers. It can be up to 8 characters long.
Click OK.
To clear the Remote Management password set using the policy:
In ZENworks Control Center, click Policies.
Click the Remote Management policy, then click the Settings tab.
In the Security Settings panel, select Clear Password then click Apply.
Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the policy on the managed device.
To clear the Remote Management password set by the managed device user:
In ZENworks Control Center, click Policies.
Click the Remote Management policy, then click the Settings tab.
In the Security Settings panel, deselect the Allow User to Override Default Passwords on Managed Device option, then click Apply.
Increment the version of this policy in the Summary page or in the Common Tasks to update the changes in the policy on the managed device.
The user at the managed device can reset the Remote Management password set earlier by him or her.
Double-click the ZENworks Agent icon to display the ZENworks Agent window.
In the left pane, navigate to Remote Management, then click Security.
In the right pane, click Clear Password to clear the passwords.
Click OK.
The password configured in the policy then takes effect, because there is no password set by the user.
The remote operation can be initiated in the following ways:
In this scenario, the remote session is initiated by the administrator on the management console. The management console is typically placed within an enterprise network and the managed device can be either within or outside the enterprise network. The following illustration depicts a remote session initiated on the managed device from the management console.
Figure 2-1 Console-Initiated Session on a Windows Device
The Remote Management Agent starts automatically when the managed device boots up. A default Remote Management policy is created on the managed device when the device is deployed. You can remotely manage the device using this default policy in rights-based authentication mode only. If you create a new Remote Management policy, the new policy overrides the default policy.
If the ZENworks Management Zone setup is spread across two or more NAT-enabled private networks that are interconnected by a public network, you must deploy DNS_ALG on the gateways of these private networks. DNS_ALG ensures that the DNS lookup queries initiated by the ZENworks components return the correct private address mapped hostname and enables the communication between the management console and the managed devices. For more information on DNS_ALG, refer to DNS ALG RFC - 2694 (http://www.ietf.org/rfc/rfc2694).
If you want to remotely manage a device by using its DNS name, ensure that Dynamic DNS service is deployed in the network.
The remote operator can initiate a session in any of the following ways:
You can initiate the various Remote Management operations from the device context or the user context:
Before initiating a Remote Management session on Windows and Linux devices, you need to install ZCC Helper. For more information, see Section 2.4.1, Installing ZCC Helper.
To initiate a Remote Management session on a device:
In ZENworks Control Center, click the Devices tab.
Click Servers or Workstations and select the device you want to remotely manage. Click Action, then select the Remote Management operation you want to perform.
or
In Device Tasks in the left pane, select the Remote Management operation you want to perform.
The available remote operations are:
Remote Control: Displays the Remote Management dialog box, which lets you perform the Remote Control, Remote View, or Remote Execute operations on the managed device.
Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.
Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.
Fill in the options in the dialog box that displays. The following table contains information on the various options available:
Field |
Details |
---|---|
Device |
Specify the host name or the IP address of the device you want to remotely manage. |
Operation |
Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box. |
Application |
Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box. |
Authentication |
Select the mode you want to use to authenticate to the managed device. The authentication modes are:
|
Port |
Specify the port number on which the Remote Management service is listening. By default, the port number is 5950 |
Session Mode |
Select one of the following modes for the session:
This option is available only in the Remote Management dialog box. |
Session Encryption |
Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol). |
Enable Logging |
Logs session and debug information in the novell-zenworks-vncviewer.txt file. The system saves the file in the install location of the ZCC Helper. |
Route Through Proxy |
Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy. NOTE:The Route Through Proxy option is not yet supported on Linux. Fill in the following fields: Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy. Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750. NOTE:The Remote Management Audit displays the IP Address of the device that is running the remote management proxy and not the IP address of the management console. |
Route Through Join Proxy |
Enables the remote management operation of the managed device to be routed through a Join Proxy server. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a Join Proxy server. If the managed device you are trying to remotely control is already connected to the Join Proxy, then the Route Through Join Proxy option is selected by default and the values for the Join Proxy and Join Proxy Port options are populated. Join Proxy: If the managed device you are trying to remote control is already connected to the Join Proxy, the DNS name or the IP address of that Join Proxy server is displayed Join Proxy Port: If the managed device you are trying to remote control is already connected to the Join Proxy, the port number on which the Join Proxy server is listening is displayed. When you try to remote control a managed device using Join Proxy, sometimes the configured server might not be available for Join Proxy to update the connection details in the database. In such a context, Join Proxy does not reject the connection of the managed device, but logs a message and allows you to remote control the managed device by manually entering the Join Proxy details in ZENworks Control Center. NOTE:If the Join Proxy IP and Port details are not available in the database for a private network device that is connected to a Join Proxy, you can manually check the Route Through Join Proxy option and specify the Join Proxy IP and Join Proxy Port values. On the other hand if you are trying to launch remote operation without selecting a device and have manually entered an IP address /DNS name, then you need to enter the address and port of the Join Proxy. |
Use the Following Key Pair for Identification |
If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields: Private Key: Click Browse to browse to and select the private key of the remote operator. Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone. If the certificate contains an Enhanced Key Usage section, then the section must contain Client Authentication (1.3.6.1.5.5.7.3.2). NOTE: Microsoft Certificate Services provides a number of certificate templates for issuing a certificate. Some of the certificate templates, such as Web Server, might not have the OID specified by default. If such a certificate is provided during the launch of a remote session, the SSL handshake fails. Consequently, the remote session also fails. So, if you are using Microsoft Certificate Services for issuing a certificate, ensure that the certificate template specifies Client Authentication (1.3.6.1.5.5.7.3.2) in the Enhanced Key Usage section. The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate. Enable Cache Path: Enables the primary key and the certificate paths to be cached on the management console. This option is currently supported only on Windows. |
NOTE:
The Enable Caching and Dynamic Bandwidth Optimization options are available only for a ZENworks 11 SP3 managed device that is remotely managed from a ZENworks 2017 server.
If you do not want to specify the private key and certificate, then ensure that the Allow connection when Remote Management Console does not have SSL certificate option in the security settings of the Remote Management policy is enabled. However, it is not recommended to use this option because it will impact the security of the device.
Click OK to launch the selected remote operation.
If you want to assist a user by performing a remote session on the managed device where they have logged in:
In ZENworks Control Center, click the Users tab.
Click the User Source.
Select the user to remotely manage the device where he or she is logged in.
Click Action, then select the Remote Management operation you want to perform.
The available operations are:
Remote Control: Displays the Remote Management dialog box, which lets you perform the Remote Control, Remote View, or Remote Execute operations on the managed device.
Remote Diagnostics: Displays the Remote Diagnostics dialog box, which lets you perform a Remote Diagnostics operation on the managed device.
Transfer Files: Displays the File Transfer dialog box, which lets you perform a file transfer operation on the managed device.
Fill in the options in the dialog box that displays. The following table contains information on the various options available:
Field |
Details |
---|---|
Device |
Specify the host name or the IP address of the device you want to remotely manage. |
Operation |
Select the type of the remote operation you want to perform on the managed device. This option is available only in the Remote Management dialog box. |
Application |
Select the application you want to launch on the device to remotely diagnose. This option is available only in the Remote Diagnostics dialog box. |
Authentication |
Select the mode you want to use to authenticate to the managed device. The authentication modes are:
|
Port |
Specify the port number on which the Remote Management service is listening. By default, the port number is 5950. |
Session Mode |
Select one of the following modes for the session:
This option is available only in the Remote Management dialog box. |
Session Encryption |
Ensures that the remote session is secured by using SSL encryption (TLSv1 protocol). |
Enable Caching |
Enables caching of the remote management session data to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. This option is currently supported only on Windows. |
Enable Dynamic Bandwidth Optimization |
Enables detection of the available network bandwidth and accordingly adjusts the session settings to enhance performance. This option is available for Remote Control, Remote View, and Remote Diagnostics operations. |
Enable Logging |
Logs session and debug information in the novell-zenworks-vncviewer.txt file. The system saves the file in the install location of the ZCC Helper. |
Route Through Proxy |
Enables the remote management operation of the managed device to be routed through a remote management proxy. If the managed device is on a private network or is on the other side of a firewall or router that is using NAT (Network Address Translation), the remote management operation of the device can be routed through a remote management proxy. NOTE: The Route Through Proxy option is not yet supported on Linux. Fill in the following fields: Proxy: Specify the DNS name or the IP address of the remote management proxy. By default, the proxy configured in the Proxy Settings panel to perform the remote operation on the device is populated in this field. You can specify a different proxy. Proxy Port: Specify the port number on which the remote management proxy is listening. By default, the port is 5750. NOTE: The Remote Management Audit displays the IP address of the device that is running the remote management proxy and not the IP address of the management console. |
Use the Following Key Pair for Identification |
If an internal certificate authority (CA) is deployed, the following options are not displayed. If an external CA is deployed, fill in the following fields: Private Key: Click Browse to browse to and select the private key of the remote operator. Certificate: Click Browse to browse to and select the certificate corresponding to the private key. This certificate must be chained to the certificate authority configured for the zone. If the certificate contains an Enhanced Key Usage section, then the section must contain Client Authentication (1.3.6.1.5.5.7.3.2). NOTE: Microsoft Certificate Services provides a number of certificate templates for issuing a certificate. Some of the certificate templates, such as Web Server, might not have the OID specified by default. If such a certificate is provided during the launch of a remote session, the SSL handshake fails. Consequently, the remote session also fails. So, if you are using Microsoft Certificate Services for issuing a certificate, ensure that the certificate template specifies Client Authentication (1.3.6.1.5.5.7.3.2) in the Enhanced Key Usage section. The supported formats for the key and the certificate are DER, PEM, and PFX. If the PFX format is used, both the key and the certificate must be available in the same file. You should provide this file as an input for both the key and the certificate. Enable Cache Path: Enables the primary key and the certificate paths to be cached on the management console. This option is currently supported only on Windows. |
Click OK to launch the selected remote operation.
NOTE: If you do not want to specify the private key and certificate, then ensure that the Allow connection when Remote Management Console does not have SSL certificate option in the security settings of the Remote Management policy is enabled. However, it is not recommended to use this option because it will impact the security of the device.
Before starting the remote management operation in standalone mode, install ZCC Helper. For information on installing the ZCC Helper, see Section 2.4.1, Installing ZCC Helper.
To start the Remote Management Operation in standalone mode:
Double-click the nzrViewer.exe file to launch the ZENworks Remote Management Client.
In the ZENworks Remote Management Connection window that displays, specify the DNS name or the IP address of the managed device and the port number in the format IP address~~Port. For example, 10.0.0.0~~1000.
Specify the DNS name or the IP address of the remote management proxy and the port number in one of the following formats:
IP address~~Port. For example, 10.0.0.0~~5750.
IP address~Port. For example, 10.0.0.0~50.
Click Connect.
On successful authentication, the remote session starts. By default, a Remote Control session is launched.
Before you launch a Remote Management operation from the command line, install ZCC Helper. For information on installing ZCC Helper, see Section 2.4.1, Installing ZCC Helper.
To start the Remote Management operation by using the command line options:
At the command prompt, change to the directory where the viewer is installed. The viewer is by default installed to the <User_Application_Data_Folder>\Novell\ZENworks\Remote Management\bin directory.
Execute the following command:
nzrViewer [/options <parameters if any>][IP address of the managed device] [~~port]
The default port for the managed device is 5950.
For information on the available command line options, see Command Line Options for Launching a Remote Operation.
Click Connect.
On successful authentication, the remote session starts. If you have not specified the type of remote operation in the command line, a Remote Control session is launched by default.
However, starting a Remote Management operation by using the command line options has the following limitations:
If you do not want to specify the key, cert, and CAcert command line options in the nzrViewer command for SSL authentication, ensure that the Allow connection when Remote Management Console does not have SSL certificate option in the security settings of the Remote Management policy is enabled. However, this is not recommended because the security of the device is reduced.
If the managed device is a part of the Management Zone, ensure that the certificate presented by the viewer is valid, signed, and chained to the CA, or the SSL authentication fails.
NOTE: When you launch a remote session from ZENworks Control Center (ZCC), the certificate is automatically generated by ZCC and passed to the viewer to launch the session. The certificate is valid for only four days.
The managed device uses the certificate provided by the viewer to identify the remote operator. If the viewer does not provide a certificate, the user is not identified and is recorded as unknown in the permission message, visible signal, and audit logs.
You cannot use a standalone nzrViewer.exe with rights-based authentication to remotely control the managed device. To use the standalone nzrViewer.exe for remote management operations, apply a Remote Management policy with password authentication enabled on the managed device.
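The certificate conditions described above (Client Authentication in any Enhanced Key Usage section, a currently valid certificate, and a chain to the zone CA) can be checked before the certificate is supplied to ZCC or nzrViewer. The script below is an added example, not part of the ZENworks documentation or tooling; it assumes the openssl command-line tool, and the function names, return codes and sample certificates are constructed for illustration. It reads PEM or DER files only, so a certificate held in a PFX file must be extracted first.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check of a remote operator
# certificate before it is given to ZCC or nzrViewer. Assumes the openssl CLI.
CLIENT_AUTH="TLS Web Client Authentication"  # openssl's name for 1.3.6.1.5.5.7.3.2

# check_operator_cert <cert: PEM or DER> <zone CA: PEM>
# Prints one finding; returns 0 only if the certificate meets the page's rules.
check_operator_cert() {
  cert=$1; ca=$2
  pem=$(openssl x509 -in "$cert" -inform PEM 2>/dev/null ||
        openssl x509 -in "$cert" -inform DER 2>/dev/null) ||
    { echo "unreadable: not a PEM or DER certificate"; return 2; }
  # The line after the EKU header lists the usages; empty means no EKU section.
  eku=$(printf '%s\n' "$pem" | openssl x509 -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;p;}')
  case "$eku" in
    ""|*"$CLIENT_AUTH"*) ;;   # EKU absent, or it includes Client Authentication
    *) echo "eku: Client Authentication missing"; return 3 ;;
  esac
  printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null ||
    { echo "expired"; return 4; }
  printf '%s\n' "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
    { echo "chain: not issued under the zone CA"; return 5; }
  echo "ok"
}

# Constructed sample PKI: a throwaway CA in <dir> and a leaf <name> with EKU <eku>.
make_sample() {
  dir=$1; name=$2
  if [ ! -f "$dir/ca.pem" ]; then
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
      -subj "/CN=Constructed Zone CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  fi
  openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo" webserver serverAuth   # EKU like the Web Server template
make_sample "$demo" operator clientAuth
check_operator_cert "$demo/webserver.pem" "$demo/ca.pem" || true
check_operator_cert "$demo/operator.pem" "$demo/ca.pem"
```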
In this scenario, the remote session is initiated by the user on the managed device. This is useful if the management console cannot connect to the managed device. The following illustration depicts a remote session initiated by the user at the managed device.
Figure 2-2 Agent-Initiated Session
The user at the managed device can request a remote operator to perform a remote session on the device if:
The remote operator has launched the Remote Management listener to listen to the remote session requests from the user.
The Allow user to request a remote session option is enabled in the Remote Management policy.
The port at which the Remote Management listener listens for the remote connections must be opened in the management console firewall. The default port is 5550.
To request a session:
Right-click the ZENworks system tray icon, and select Technician Application. The ZENworks Agent window is displayed.
In the left pane of the agent, navigate to Remote Management, then click General.
Click Request Remote Management Session to display the Request Session dialog box.
The ability to request a Remote Management session is controlled by your administrator, which means the option might be disabled, particularly if your company or department does not have dedicated help desk personnel to serve as on-call remote operators. If the Request Remote Management Session option is not displayed as linked text, the option is disabled.
In the Listening Remote Operators list, select the remote operator you want to open the remote session with.
or
If the remote operator is not listed, provide the operator’s connection information in the Request Connection fields.
In the Operation field, select the type of operation (Remote Control, Remote View, Remote Diagnostics, File Transfer, or Remote Execute) you want to open.
For information about each operation, see Section 1.2, Understanding Remote Management Operations.
Click Request to launch the session.
If you want to allow connections to be made from a public network into a private network, deploy the DNS Application Level Gateway (DNS_ALG). For more information on DNS_ALG, refer to RFC 2694.
To enable a Remote Management Listener to listen for connections from a managed device:
In ZENworks Control Center, click Devices.
In Device Tasks in the left pane, click Remote Management Listener.
In the Remote Management Listener dialog box, specify the port to listen for the remote connections. By default, the port number is 5550.
Click OK.
The ZENworks Remote Management Listener icon appears in the notification area.