The Management Service should be installed on a secure server behind the firewall, and it cannot share the same server as the Policy Distribution Service (with the exception of a single server installation, see Section 3.0, Performing a Single-Server Installation). The Management Service should not be installed outside the network firewall, for security reasons. After the server is selected, note the server name, both the NETBIOS and Fully Qualified Domain Name (FQDN). Deployment of the Management Service on a Primary Domain Controller (PDC) is not supported for both security and functionality reasons.
NOTE:It is recommended that the SSI Server be configured (hardened) so as to deactivate all applications, services, accounts, and other options not necessary to the intended functionality of the server. The steps involved in doing so depend upon the specifics of the local environment, and so cannot be described in advance. Administrators are advised to consult the appropriate section of the Microsoft Technet security webpage. Additional access control recommendations are provided in the ZENworks Endpoint Security Management Administration Guide.
To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs. Reference the articles below:
For security purposes, it is highly recommended that the following default folders be removed from any IIS installation:
IISHelp
IISAdmin
Scripts
Printers
We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com.
Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select the template that most closely matches the role of this server. If in doubt, the Dynamic Web server template is recommended.
Ensure that the following prerequisites are in place prior to beginning the installation:
Ensure access to a supported directory service (eDirectory or Active Directory).
If you are deploying using an eDirectory™ service, create an account password that never changes to use for Management Console authentication (see Section 7.2.1, Adding eDirectory Services).
Ensure Endpoint Security Client to MS server name resolution: validate that the target computers (where the Endpoint Security Client is installed) can ping the MS server name. If successful, this is the value entered in the installation. If unsuccessful, you must resolve this before continuing with the installation.
Enable or install Microsoft Internet Information Services (IIS), ensure ASP.NET is enabled, and configure it to accept Secure Socket Layer (SSL) Certificates.
IMPORTANT:Do not enable the check box on the Secure Communictions page (in the Microsoft Computer Management utility, expand > expand > expand > right-click > click > click the tab > click the button in the Secure communications group box). Enabling this option breaks the communication between the ZENworks Endpoint Security Management server and the ZENworks Endpoint Security client on the endpoint.
If you are using your own SSL certificates, ensure that the root CA is loaded on the machine and that server name validated in the previous steps (whether NETBIOS or FQDN) matches the value for the certificate configured in IIS.
If you are using your own certificates, or you have already installed the Novell Self Signed Certificate, you can validate SSL as well by trying the following URL from a machine that has the Endpoint Security Client installed: https://MS_SERVER_NAME/AuthenticationServer/UserService.asmx (where MS_SERVER_NAME is the server name). This should return valid data (an html page) and not certificate warnings. Any certificate warnings must be resolved before installation.
Ensure access to a supported RDBMS (Microsoft SQL Server 2000 SP4, SQL Server Standard, SQL Server Enterprise, SQL 2005). Set database to Mixed mode.
Copy the ESM Setup Files directory that contains the Policy Distribution Service Setup ID and Root SSL Certificate for the Policy Distribution Service into the installation directory of this server.