The following sections provide information about controlling access to the capabilities used to manage the ZENworks DMZ Server.
NOTE: Because the ZENworks DMZ Server is also a managed device, the information provided in Device Management applies to managing the device capabilities of the server.

|  |  |
|---|---|
| Description | Component that enables the ZENworks DMZ Server 1) to be managed by a remote administrator and 2) to be used by a local administrator to manage other remote devices. It includes multiple pieces: |
| Port | Remote Management Service: 5950<br>Remote Management Listener: 5500 |
| Recommendation | Remote Management can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform remote management of devices. If you want to manage the ZENworks DMZ Server remotely, you should perform the remote management from an internal device or an external device that has a VPN connection to your internal network. This allows you to block the Remote Management ports to all external IP addresses.<br>NOTE: The ZENworks DMZ Server can still be used as a Join Proxy service to allow Remote Management of external devices from an internal ZENworks Server. |
| How to Secure Access | If you don't need to manage the ZENworks DMZ Server remotely, stop the service:<br>If you do want to manage the ZENworks DMZ Server remotely but only from an internal address, configure the firewall to block inbound connections on ports 5950 and 5500 from external addresses. |

|  |  |
|---|---|
| Description | Components that are required for various imaging tasks on the ZENworks DMZ Server. |
| Service: Port | TFTP Service: 69<br>Preboot Service: 998<br>Preboot Policy Service: 13331<br>DHCP Service: 67 and 4011 |
| Recommendation | Imaging can be performed from any ZENworks Server. You should not use the ZENworks DMZ Server to perform imaging of devices. Disable access to both internal and external addresses. |
| How to Secure Access | Configure the firewall to prevent traffic on these ports from all addresses.<br>OR<br>Stop the service: |
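
One way to check which of the Remote Management and Imaging ports listed above are still bound on the server, as an added example that is not part of the ZENworks documentation. It parses the output of `ss -H -tuln`, so a Linux server is assumed; the function names and the sample lines are constructed for illustration, and because the page gives no protocols, TCP and UDP sockets are both matched by port number.

```python
# Ports as listed on the page. The page gives no protocols, so TCP and UDP
# sockets are both matched by port number.
REMOTE_MGMT = {5950: "Remote Management Service",
               5500: "Remote Management Listener"}
IMAGING = {69: "TFTP Service", 998: "Preboot Service",
           13331: "Preboot Policy Service",
           67: "DHCP Service", 4011: "DHCP Service"}
LOOPBACK = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Yield (proto, address, port) from `ss -H -tuln` output (Linux assumed)."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)


def audit(ss_output):
    """Return sorted (port, proto, service, advice) for non-loopback listeners."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK):
            continue  # not reachable from other hosts
        if port in IMAGING:
            advice = "stop the service or block the port from all addresses"
            findings.append((port, proto, IMAGING[port], advice))
        elif port in REMOTE_MGMT:
            advice = "stop the service or block the port from external addresses"
            findings.append((port, proto, REMOTE_MGMT[port], advice))
    return sorted(findings)


# Constructed sample of `ss -H -tuln` output, not taken from a real server.
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:5950       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5500       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0      0       0.0.0.0%eth0:67         0.0.0.0:*
tcp   LISTEN 0      128             [::]:443           [::]:*
tcp   LISTEN 0      128                *:998              *:*
"""

if __name__ == "__main__":
    for port, proto, service, advice in audit(SAMPLE):
        print(f"{proto}/{port} {service}: {advice}")
```

A port that appears in the findings is still bound on a routable address, so it is protected only by whatever firewall rules are in place; an empty result means the corresponding services are stopped or bound to loopback.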