21.5 Securing DMZ Servers

Since ZENworks Servers are exposed to the Internet at all times, it becomes important to secure access to the services on these servers. The services are categorized into Administration, Endpoint, and the ZENworks Setup page. ZENworks allows you to control access to each of these categories by clicking any of the following icons appearing against a configured server:

To access the page, in ZCC go to Configuration > Infrastructure Management > MDM Servers.

Click Add and select a server as an MDM Server and then configure the Access Control, as required.

  • Administration Access: Click to allow or deny specific IP addresses from accessing Administration functions such as ZCC, ZMAN and so on.

    NOTE:You need to ensure that administration access is not denied for all or else ZCC will remain inaccessible, except from the server in which the access was allowed or denied. Ensure that all Primary Servers in your zone are allowed access so that the internal operations between these servers are not restricted. However, these filters are not applicable for an Appliance web console.

  • Endpoint Access: Click to allow or deny certain IP addresses from accessing endpoint functions such as the ZENworks User Portal, the ZENworks Agent app and so on.

    NOTE:Ensure that all Primary Servers in your zone are allowed access so that the internal operations between the ZENworks Servers will not be restricted.

  • Tools Access: Click to allow or deny certain IP addresses from accessing tools and downloads through the ZENworks Setup URL.

For each of these categories, you can configure filters by clicking . By default, access is allowed for all devices. For each filter, you need to specify the following:

  • Specific IP address, comma separated IP addresses, or an IP range. Each IP address can be specified in CIDR format or the regular format.

  • Allow or Deny access to the specified IP address

  • A short description about the specified set of IP addresses.

Filters are evaluated in the order in which they are listed. If the same IP address appears in multiple filters, then the type of access specified in the first filter is given precedence over the type of access specified in the second filter. For example: The IP address 10.0.0.1 specified in the first filter is denied administration access. However, if the same IP address, appearing as a part of an IP range (10.0.0.0 - 10.255.255.255) that is specified in the second filter, is allowed administration access, then precedence is given to the first filter and IP address 10.0.0.1 will be denied administration access. You can also look up an IP address to identify whether access is allowed or denied for it, by specifying it in the Test access for an IP field. This action is also performed based on the order in which the filters are listed.

After configuring the access controls for one server, you can replicate the same access control configuration in another server. To do this, you need to select the Server for which the access controls are already configured. Subsequently, click Copy Access Controls. In the Copy Access Controls window, select the access controls that you want to copy and Add the server to which these access controls need to be copied.

NOTE:Configuring access controls for a Server that is an Appliance does not secure the Appliance Administration Console. To secure it, you need to specify access restrictions in the Appliance Administration Console itself. For details, see ZENworks Appliance Deployment and Administration Reference.

If a device’s IP address is denied access but the device is still able to contact the ZENworks Server, then you need to check whether the device is communicating with ZENworks using the proxy server. In this case, you need to deny access to the proxy server’s IP address, if you are sure that no other devices are using this proxy server.