Like other ZENworks Servers, the ZENworks DMZ Server provides the capabilities required for administration of the ZENworks Management Zone. The following sections provide information about controlling access to these administration capabilities:
This section explains methods to restrict access to ZCC and admin services. The access can be restricted using the following methods:
Description |
Administrative console used to manage the ZENworks Zone. ZENworks Control Center is available on each ZENworks Primary Server. |
Service |
ZENworks Server (Tomcat) |
Port |
443 and 80; port 80 access redirects to port 443 |
Recommendation |
Disable access to both external and internal addresses. ZENworks management can be performed by launching ZCC from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server. |
How to Secure Access |
Define the ZENworks DMZ Server as an MDM server and use the access control settings to deny ZCC access to external devices.
For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference. |
Description |
These are the Tomcat webapps used for ZENworks administration. |
Service |
ZENworks Server (Tomcat) |
Port |
443 and 80 |
Recommendation |
Disable access to both external and internal addresses. ZENworks management can be performed by any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for management and do not use the ZENworks DMZ Server. |
How to Secure Access |
Use the Tomcat Remote Address Filter to block external access to the Admin Webservices. If you want to block external access to all Tomcat Webservices:
Notes:
|
Description |
Download page for ZENworks agent installation files as well as administrative, inventory, and imaging tools. |
Service |
ZENworks Server (Tomcat) |
Port |
443 and 80; port 80 access redirects to port 443 |
Recommendation |
Disable access to both external and internal addresses. Access to the ZENworks Download page can be gained from any ZENworks Primary Server. We recommend that you use internal ZENworks Servers for this purpose and do not use the ZENworks DMZ Server. Be aware that if you disable the ZENworks Download page, any external devices that you want to register to the zone will need to get the Agent installation files another way, such as using VPN to access an internal server or downloading the files from another secure external-facing repository that you’ve copied them too. |
How to Secure Access |
Define the ZENworks server as an MDM server and use the access control settngs to deny Download page access to external devices.
For more information, see Securing MDM Servers in the ZENworks Mobile Management Reference. |
Description |
Diagnostics ports used to get the current status of ZENworks processes. |
Service:Port: |
ZENworks Loader: 61491 ZENworks Join Proxy: 61492 ZENworks CASA: 61493 ZENworks Xplat Agent: 61494 ZENworks Antimalware Service: 61195 |
Recommendation |
All Diagnostics probe requests go from one ZENworks Primary Server to another. Allow access to internal ZENworks Servers but disable access to all external addresses. |
How to Secure Access |
Configure the firewall to prevent inbound connections on these ZENworks DMZ Server ports from external addresses. Allow inbound connections from any internal ZENworks Servers. |
Description |
The management console for the ZENworks Appliance. |
Port |
9443 |
Recommendation |
Disable access to external addresses. Restrict internal access to the IP address of a device, either in the DMZ or on the internal network, from which you can launch a Web browser for the Appliance console |
How to Secure Access |
In the ZENworks Appliance console:
OR Configure the firewall to prevent inbound traffic on this port from external addresses and internal addresses other than the IP address of the designated administration device. |