The server hosting the ZENworks® Endpoint Security Management Policy Distribution Service should always be reachable by your users, whether within the network or out in the DMZ. Ensure that the required software is installed on the server prior to installation (see System Requirements). After the server is selected, note the server name, both the NETBIOS and Fully Qualified Domain Name (FQDN).
Deployment of the Policy Distribution Service on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.
NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.
To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:
For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:
IISHelp
IISAdmin
Scripts
Printers
We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.
Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
Please check off the following prerequisites prior to beginning the installation:
Ensure Management Service (MS) to Policy Distribution Service (DS) server name resolution: make sure that the target computer where the MS is installed can ping the DS server name (NETBIOS if the DS is configured inside the network firewall or FQDN if installed outside in the DMZ).
If successful, this is the server name to enter during installation. If unsuccessful, you must resolve this issue before continuing with the installation.
Ensure Endpoint Security Client to DS server name resolution: validate that the endpoint clients (where the Endpoint Security Client is installed) can ping the same DS server name used above. If unsuccessful, you must resolve this issue before continuing with the installation.
Enable or install Microsoft Internet Information Services (IIS), ensure that ASP.NET is enabled, and configure it to accept Secure Socket Layer (SSL) Certificates.
IMPORTANT:Do not enable the check box on the Secure Communictions page (in the Microsoft Computer Management utility, expand > expand > expand > right-click > click > click the tab > click the button in the Secure communications group box). Enabling this option breaks the communication between the ZENworks Endpoint Security Management server and the ZENworks Endpoint Security client on the endpoint.
If you are using your own SSL certificates, ensure that the Web service certificate is loaded on the machine and that server name validated in the previous steps (whether NETBIOS or FQDN) matches the value for the certificate configured in IIS.
If you are using your own SSL certificates, validate the SSL from the MS server to the DS server: open a Web browser on the Management Service and enter the following URL: https://DSNAME (where DSNAME is the server name of the DS). This should return valid data and not certificate warnings (valid data may be "Page under Construction"). Any certificate warnings must be resolved before installation, unless you opt to use Novell Self Signed Certificates instead.
Ensure access to a supported RDBMS (Microsoft SQL Server 2000 SP4, SQL Server Standard, SQL Server Enterprise, SQL Server 2005). Set the database to Mixed mode. This database should be either hosted on the Management Service server or on a shared server secured behind the enterprise firewall.