21.2 Zone Administration

Like other ZENworks Servers, the ZENworks DMZ Server provides the capabilities required for administration of the ZENworks Management Zone. The following sections provide information about controlling access to these administration capabilities:

21.2.1 ZENworks Control Center (ZCC) and Admin Services

This section explains methods to restrict access to ZCC and admin services. The access can be restricted using the following methods:

Method 1: Restrict access using MDM Server

Description

Administrative console used to manage the ZENworks Zone. ZENworks Control Center is available on each ZENworks Primary Server.

Service

ZENworks Server (Tomcat)

Port

443; port 443 access redirects to port 7443

Recommendation

Disable access to both external and internal addresses. ZENworks management can be performed by launching ZCC from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server.

How to Secure Access

Define the ZENworks DMZ Server as an MDM server and use the access control settings to deny ZCC access to external devices.

  1. In ZCC, click Configuration > Management Zone Settings > Infrastructure Management > MDM Servers.

  2. In the MDM Servers list, add the ZENworks Server.

  3. In the Access Control column for the server, click to display the Configure Administration Access dialog.

  4. In the IP Address / Range list, change the --ALL-- entry to Deny access. This denies ZCC access to all IP addresses.

    (Optional) At the top of the list, insert an entry that includes all IP addresses (in regular or CIDR format) for which you want to allow ZCC access, then select Allow as the access. This is not recommended.

For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference.

Method 2: Restrict access using the Valve parameter

Description

These are the Tomcat webapps used for ZENworks administration.

Service

ZENworks Server (Tomcat)

Port

443 and 80

Recommendation

Disable access to both external and internal addresses. ZENworks management can be performed by any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server.

How to Secure Access

Use the Tomcat Remote Address Filter to block external access to the Admin Webservices.

If you want to block external access to all Tomcat Webservices:

  1. Edit the Tomcat server.xml file.

  2. Add the following entry with the appropriate IP address range. The example blocks requests from IP addresses in the 10.200.x.x range:

    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="10\.200\.\d+\.\d+"/>

    (Optional) If you want, you can allow access to internal addresses so that ZMAN can be run from internal devices. However, this is not recommended.

  3. Restart the server services.

Notes:

  • Webservice configuration changes are lost whenever a system update is applied to the ZENworks server. You must reconfigure the webservices after the system update.

  • In addition to disabling ZMAN access, blocking the Admin Webservices denies access to any applications that are using the Admin SOAP interface.
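To check what a given RemoteAddrValve allow/deny pair will do before restarting the server services, the following added example (not from the ZENworks documentation) models the valve's decision order in Python; the 10.0.x.x internal allow pattern and the sample client addresses are constructed values.

```python
import re
from typing import Dict, Iterable, Optional

# Added example: a model of Tomcat's RemoteAddrValve decision logic so a
# server.xml deny/allow pair can be checked offline before a restart.
# Tomcat treats each attribute as one Java regex that must match the WHOLE
# client address (alternatives are joined with '|'); it is not a substring test.


def valve_allows(remote_addr: str,
                 allow: Optional[str] = None,
                 deny: Optional[str] = None) -> bool:
    """Return True if the valve would let the request through.

    Order mirrors Tomcat's RequestFilterValve.isAllowed():
      1. a matching deny pattern rejects the request;
      2. a matching allow pattern accepts it;
      3. with a deny pattern but no allow pattern, anything not denied passes;
      4. otherwise (allow configured, or neither attribute set) it is rejected.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    return deny is not None and allow is None


def evaluate(addrs: Iterable[str],
             allow: Optional[str] = None,
             deny: Optional[str] = None) -> Dict[str, bool]:
    """Evaluate several client addresses against one valve configuration."""
    return {a: valve_allows(a, allow, deny) for a in addrs}


# Valve from the documentation: blocks 10.200.x.x and allows everything else.
PAGE_DENY = r"10\.200\.\d+\.\d+"

# Assumed allow-only variant: a constructed internal admin subnet (10.0.x.x)
# reaches the admin webapps; every other address is denied.
INTERNAL_ALLOW = r"10\.0\.\d+\.\d+"

# Constructed sample clients (203.0.113.0/24 is documentation address space).
SAMPLE_ADDRS = ["10.200.3.4", "110.200.3.4", "10.0.5.6", "203.0.113.5"]

if __name__ == "__main__":
    for name, cfg in [("page deny", {"deny": PAGE_DENY}),
                      ("allow-only", {"allow": INTERNAL_ALLOW})]:
        print(name, evaluate(SAMPLE_ADDRS, **cfg))
```

If the ZENworks DMZ Server sits behind a reverse proxy or load balancer, the valve sees the proxy's address rather than the client's unless Tomcat's RemoteIpValve is configured ahead of it.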

21.2.2 ZENworks Download (zenworks-setup)

Description

Download page for ZENworks agent installation files as well as administrative, inventory, and imaging tools.

Service

ZENworks Server (Tomcat)

Port

443; port 443 access redirects to port 7443

Recommendation

Disable access to both external and internal addresses. Access to the ZENworks Download page can be gained from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for this purpose and do not use the ZENworks DMZ Server.

Be aware that if you disable the ZENworks Download page, any external devices that you want to register to the zone will need to get the Agent installation files another way, such as using VPN to access an internal server or downloading the files from another secure external-facing repository to which you have copied them.

How to Secure Access

Define the ZENworks server as an MDM server and use the access control settings to deny Download page access to external devices.

  1. In ZCC, click Configuration > Management Zone Settings > Infrastructure Management > MDM Servers.

  2. In the MDM Servers list, add the ZENworks Server.

  3. In the Access Control column for the server, click to display the Configure ZENworks Tools Access dialog.

  4. In the IP Address / Range list, change the --ALL-- entry to Deny access. This denies Download page access to all IP addresses.

    (Optional) At the top of the list, insert an entry that includes all IP addresses (in regular or CIDR format) for which you want to allow Download page access, then select Allow as the access. This is not recommended.

For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference.

21.2.3 Diagnostics

Description

Diagnostics ports used to get the current status of ZENworks processes.

Service                               Port

ZENworks Loader                       61491
ZENworks Join Proxy                   61492
ZENworks Administration Management    61495
ZENworks Client Management            61496
ZENworks API Gateway                  61498
ZENworks Antimalware Service          61195

Recommendation

All Diagnostics probe requests go from one ZENworks Primary Server to another. Allow access to internal ZENworks Servers but disable access to all external addresses.

How to Secure Access

Configure the firewall to prevent inbound connections on these ZENworks DMZ Server ports from external addresses. Allow inbound connections from any internal ZENworks Servers.

21.2.4 ZENworks Appliance Console

Description

The management console for the ZENworks Appliance.

Port

9443

Recommendation

Disable access to external addresses. Restrict internal access to the IP address of a single device, either in the DMZ or on the internal network, from which you launch a Web browser for the Appliance console.

How to Secure Access

In the ZENworks Appliance console:

  1. Click Network.

  2. In Appliance Administration UI (port 9443) Access Restrictions, add the IP addresses (or address range) of internal devices from which the console can be accessed.

OR

Configure the firewall to prevent inbound traffic on this port from external addresses and internal addresses other than the IP address of the designated administration device.