The following sections provide information about controlling access to the capabilities used for management of devices:
Description |
Internal devices are those devices physically located within your internal network perimeter or devices that have a VPN connection to your internal network. |
Recommendation |
For best security, internal ZENworks-managed devices should not be allowed to access the DMZ Primary Server. You should restrict access by hiding the DMZ server’s internal IP addresses from the internal devices. Hiding the internal IP addresses ensures that the server is not included in the closest server lists for any of the roles (configuration, collection, content, etc.) and is therefore unreachable by internal devices. |
How to Secure Access |
For detailed instructions, see Configuring Restricted Access to a ZENworks Server in the ZENworks Primary Server and Satellite Reference. Use the instructions to restrict access to any of the server’s internal addresses so that they are not advertised to devices. |
Description |
These are the Tomcat webapps used for device management. For example, the ZENworks agent pulls down assignments, settings, and policies using these services. The Client Webservices are used by the ZENworks agent on traditional Windows, Mac, and Linux client. To control access by MDM clients, see MDM Endpoint Services. |
Service |
ZENworks Server (Tomcat) ZENworks Server (JSON) |
Port |
443 |
Recommendation |
The Client webservices run on secure port 443. For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the webservices only accept authenticated communication (via authentication headers) from the ZENworks agent. If this is not sufficiently secure, you can block access to individual webservices that provide functionality not being used by the ZENworks agent. |
How to Secure Access |
To control individual web service level security, refer to the Controlling Agent Web Services section. Additionally, you can use the Tomcat Remote Address Filter to block access to any unused Client Webservices.
Notes:
|
Description |
This is the Tomcat webservice that enables new devices to register to the ZENworks Management Zone. |
Service |
ZENworks Server (Tomcat) |
Port |
443 |
Recommendation |
If you need to register external devices, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, only authorized devices can register through the server. If you don’t need to register external devices, disabling this webservice in combination with disabling ZENworks Download (zenworks-setup) ensures that no devices can use the DMZ server to register. |
How to Secure Access |
Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. or Use the Registration webservice configuration file to disalllow registration.
|
Description |
|
Service |
ZENserver (Tomcat) |
Port |
443 |
Recommendation |
ZENworks content is encrypted (SSL) when a Primary Server transfers it to another Primary Server, to a Satellite, or to a managed device. For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Content Service only accepts authenticated communication (via authentication headers) from the ZENworks agent. If this is not sufficiently secure, you can disable the Content Service on the ZENworks DMZ Server and require managed devices to periodically connect to your internal network via VPN to receive content updates. |
How to Secure Access |
Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. If you want to stop ZENworks managed devices from accessing content (note that this does not stop attacks against the services), remove the ZENworks DMZ Server from the Unknown location’s list of available Content servers:
If you want to disable access to the Content Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the zenworks-contentservice and zenworks-content webservices.
Notes:
|
Description |
This is the Client webservice that uploads inventory, audit, and message files from managed devices to the ZENworks server. |
Service |
ZENworks Server (Tomcat) |
Port |
443 |
Recommendation |
ZENworks collection data is encrypted (SSL) when it is transferred between a managed device’s ZENworks agent and the Collection Server (Primary Server or Satellite). For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Content Service only accepts authenticated communication (via authentication headers) from the ZENworks agent. If this is not sufficiently secure, you can disable the Collection Service on the ZENworks DMZ Server and require managed devices to periodically connect to your internal network via VPN to upload collection data. |
How to Secure Access |
Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. or If you want to stop ZENworks managed devices from uploading inventory, audit, and message data to the server (note that this does not stop attacks against the service), remove the ZENworks DMZ Server from the Unknown location’s list of available Collection servers:
If you want to disable access to the Collection Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the zenworks-fileupload webservice.
Notes:
|
Description |
This is the Client webservice that authenticates managed devices (end users) to ZENworks. |
Service |
ZENworks Server (Tomcat) |
Port |
443 and 2645 |
Recommendation |
For best security, we strongly recommend that you enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. When the ZENworks DMZ Server is “secured”, the Authentication Service only accepts authenticated communication (via authentication headers) from the ZENworks agent. If your ZENworks system does not use User Authentication, we recommend that you disable this webservice. If you do use User Authentication, the authentication occurs on Tomcat secure port 443. To provide additional security, you should block inbound connections on port 2645 (see Authentication Port (2645)). |
How to Secure Access |
Enable server-agent secure communication as explained in Secure Communication between Managed Devices and ZENworks Servers. or If you want to stop ZENworks managed devices from authenticating (note that this does not stop attacks against the service), remove the ZENworks DMZ Server from the Unknown location’s list of available Authentication servers:
If you want to disable access to the Authentication Service (to block all attacks against the service), use the Tomcat Remote Address Filter to block access to the CasaAuthTokenSvc webservice.
Notes:
|
Description |
Additional Tomcat port that is used by Windows managed devices for authentication. |
Service |
External Casa |
Port |
2645 |
Recommendation |
Disable inbound connections on this port. Allowing inbound connections exposes all existing services (not just the Authentication service) to external attacks. When the port is blocked, authentication takes place through Tomcat port 443. |
How to Secure Access |
Configure the firewall to prevent inbound traffic on this port from external addresses. |
Description |
These are the Tomcat Client Webservices used for mobile device management. This includes ActiveSync and ZENworks End User Portal access. |
Service |
ZENworks Server (Tomcat) |
Port |
443 |
Recommendation |
If you are not using ZENworks to manage mobile devices, disable these Client webservices. If you are managing mobile devices, these Client webservices use secure port 443. If this is not sufficiently secure, you can restrict access to specific IP addresses or ranges of addresses. |
How to Secure Access |
To completely disable the MDM Endpoint Services, use the Tomcat Remote Address Filter to block access to the endpoint webservice:
To restrict access to specific IP addresses, use the MDM Server access control settings to specify the IP addresses:
For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference. |
Description |
The Tomcat Client webservice that serves the JNLP files required when using Remote Management to remote SSH to Linux Servers. |
Service |
ZENworks Server (Tomcat) |
Port |
7443 |
Recommendation |
Remote Management can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform remote management of devices. Disable access to both internal and external addresses. |
How to Secure Access |
Use the Tomcat Remote Address Filter to block access to the zenworks-remote-ssh webservice.
Notes:
|
Description |
The service that maintains connections between two devices on different private networks (for example, devices on opposite sides of a firewall or a NAT-enabled router). When used with ZENworks Remote Management, Join Proxy allows a device on the internal network to perform remote management of a device on an external network. |
Port |
7019, 7950 |
Recommendation |
Block the ports to inbound connections if you are not using the ZENworks DMZ Server as a Join Proxy. If you use the server as a Join Proxy, allow both inbound connections from external ZENworks managed devices as well as internal devices. Authentication is used to secure the connections. |
How to Secure Access |
If the ZENworks DMZ Server is not functioning as a Join Proxy: Configure the firewall to prevent traffic on these ports 7019 and 7950 from internal and external addresses. OR Stop the microfocus-zenjoinproxy.service on the ZENworks server. |
Description |
Used by the ZENworks agent for Quick Tasks. |
Service |
Webservice |
Port |
7628 |
Recommendation |
Connection uses authentication. Allow. |
How to Secure Access |
Configure the firewall to prevent traffic on this ports from external addresses. |