
Managing Devices Using ZENworks with a Reverse Proxy


Overview

This document describes how to set up ZENworks Primary Servers behind a reverse proxy so that they are not exposed to the Internet, while devices outside the network can still be enrolled and managed. Only the reverse proxy is reachable from the Internet, which reduces the exposure of the server infrastructure.

Deployment Setup

    • The ZENworks Primary Servers and the Database Servers are in a private network (192.168.0.x) in a Datacenter that is not reachable by external devices (for example, devices at home). The ZENworks Primary Servers have outbound access to the Internet (to reach the APNs or FCM push notification services).

    • The Reverse Proxy is in a DMZ with two IP addresses (192.168.0.x and a public address) and is reachable both by the Datacenter devices and by the managed devices at home.

    • Managed devices at home that have Internet access can reach the Reverse Proxy but cannot reach the Datacenter, because it is a private network.

Figure: Representation of a Possible Network Setup



NOTE:

    1. Testing Environment: Testing was performed using ZENworks 2017 Update2a and an Nginx 1.12.2 Reverse Proxy Server.

    2. Known Issue: ZENworks Control Center (ZCC) cannot be accessed using the IP address of the Reverse Proxy Server.



Scenario

The ZENworks Primary Servers use SSL certificates signed by an internal CA, and the Reverse Proxy Server uses an SSL certificate signed by an external CA. Devices therefore only need to trust the external CA; the internal CA's certificate never has to be distributed outside the Datacenter.

Prerequisites

Before performing the procedure, ensure that:

    • The Primary Server's (PS1) SSL certificate is signed by an internal CA (CA1).

    • The Nginx server's (Reverse Proxy) SSL certificate is issued by an external CA (CA2).

    • Four types of devices are available for enrollment to test the configuration:

        1. Workstation (W1)

        2. Android mobile device (A1)

        3. iOS mobile device (i1)

        4. DEP enabled iOS mobile device (iDEP1)




Procedure

    1. Ensure that the Nginx Reverse Proxy Server is configured and running with an nginx.conf file similar to the one shown below. Adjust it to your requirements (in particular, the upstream IP address 192.168.116.129 is the Primary Server of the test environment).

#user  nobody;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # Allowing HTTP requests.
    # List the HTTP servers and their HTTP port below.
    server {
        listen       80;
        listen       192.168.116.129:80;
        # Additional names (aliases) of the server are listed after the primary name.
        server_name  ps1.acme.com  ps1.alias;

        # Define the HTTP endpoints for content and collection that should be routed via Nginx.
        # proxy_pass is given without a URI so the request URI is forwarded unchanged
        # (a trailing slash here would turn /zenworks-content/x into /zenworks-content//x upstream).
        location /zenworks-content {
            proxy_pass http://192.168.116.129:80;
        }

        location /zenworks-setup {
            proxy_pass http://192.168.116.129:80;
        }

        location / {
            proxy_pass http://192.168.116.129:80/;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # Setting up HTTPS communication.
    # The upstream directive can be used if there are multiple HTTPS servers to be
    # routed via Nginx; add one server entry per Primary Server.
    upstream zenservers {
        #ip_hash;
        server 192.168.116.129:443;
        keepalive 16;
    }

    # HTTPS port and the SSL certificate that Nginx presents for incoming requests.
    server {
        listen       443 ssl;
        ssl_certificate      C:/nginx-1.12.2/certs/nginx.crt;
        ssl_certificate_key  C:/nginx-1.12.2/certs/nginx.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Define the HTTPS endpoints that need to be served via Nginx.
        location /endpoint/apple {
            proxy_pass https://zenservers/endpoint/apple;
        }

        location /endpoint/android {
            proxy_pass https://zenservers/endpoint/android;
        }

        location / {
            proxy_pass https://zenservers;
            # HTTP/1.1 with an empty Connection header is required for the
            # upstream keepalive pool declared above to be used.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}



    2. Ensure that the LDAP source is configured and that PS1 is added as an MDM server.

For more information, see:

    3. Log into ZENworks Control Center (ZCC) and click PS1.

    4. Navigate to Settings > Infrastructure Management > Additional DNS Names and add the Nginx server's hostname as an additional name for this server.

    5. Navigate to Settings > Infrastructure Management > Default DNS Name, select the newly added Nginx server's hostname from the drop-down list and set it as the Default DNS name.

    6. Configure APNs and FCM for push notifications.

For more information, see:

    7. Configure and assign the Mobile Enrollment Policy to a user in LDAP.

For more information, see Enrolling a Device.

Note: If you want to enroll an Android device in work profile mode, create the Android Profile Enrollment Policy and assign it to a user in LDAP.

For more information, see Integrating ZENworks with Android Enterprise.

    8. Enroll the Android device:

        1. Download and install the ZENworks Agent app from the Google Play Store on the Android device (A1).

        2. Open the app and enter the LDAP username, password, domain name (if simple enrollment is not configured) and the server address (the Nginx server's IP address or hostname).

        3. Complete the enrollment wizard. The device (A1) is displayed in ZCC.

You can perform quick tasks such as Refresh, Lock and Install Bundle. You can now manage all your Android devices.

For more information, see Enrolling an Android device.

    9. Enroll the iOS device:

        1. Before enrollment, ensure that the CA certificate (CA2) has been distributed out of band to the mobile device (i1), by e-mail or any other means, and installed as a trusted root certificate.

        2. Navigate to Settings > General > About > Certificate Trust Settings and enable the CA certificate (CA2).

        3. Open the Safari browser and enter the following URL to access the ZENworks Endpoint Portal: ZENworks_server_address/zenworks-eup, where ZENworks_server_address is the DNS name or IP address of the ZENworks MDM Server (in this setup, the Nginx server's hostname, as in the Android step, since PS1 is not reachable from outside).

        4. Specify the LDAP username and password and log in.

        5. Complete the enrollment wizard. The device (i1) is displayed in ZCC.

You can perform quick tasks such as Refresh, Lock and Install Bundle. You can now manage all your iOS devices.

For more information, see Enrolling an iOS device.

    10. Enroll the DEP enabled iOS device:

        1. Place the CA certificate (CA2) in the %ZENWORKS_HOME%/conf/security directory.

        2. Name the certificate "DEP-AdditionalCert.der".

        3. Log into ZCC and navigate to Configuration > Discovery and Deployment > Apple Device Enrollment Program.

        4. Add the Primary Server (PS1) as a DEP server.

        5. Assign the device (iDEP1) to the Primary Server (PS1) in the Apple Device Enrollment Program (DEP) portal.

        6. Click the Sync All button to list iDEP1 under Devices > Discovered > Apple DEP Devices.

        7. Configure the required DEP settings by navigating to Devices > Discovered > Apple DEP Devices (settings) > General and Skip Setup Item Settings.
          Note: Every time the "DEP-AdditionalCert.der" certificate is replaced or changed, the DEP settings have to be modified and applied again so that the DEP profile is updated with the newly placed "DEP-AdditionalCert.der" certificate.

        8. Unbox the DEP enabled iOS device iDEP1 (or erase the device if it is already enrolled) and boot it up.

        9. Complete the setup. The device (iDEP1) is listed as a managed device in ZCC.

You can now enroll DEP devices and manage them through the Nginx Reverse Proxy Server.

For more information, see Enrolling an iOS DEP device.

    11. Install and register the workstation:

        1. Create a Configuration location and define it such that devices at home have the Reverse Proxy's hostname listed as one of the URLs in their Closest Servers. For more information, see Creating and Managing Locations. Because the Reverse Proxy's hostname has already been added as an additional DNS name of PS1, it is enough to include the Primary Server (PS1) as a closest server in the Configuration location: as soon as a device falls into this location, the Reverse Proxy's hostname appears among the URLs in its Closest Server Rules. You will probably also want to exclude the Primary Server's (PS1's) IP address from the Closest Server Rule, since it is not reachable from outside anyway.

        2. Distribute the CA certificate (CA2) out of band to the workstation (W1), by e-mail or any other means, and install it as a trusted root certificate.

        3. Install the PreAgent package. The workstation is listed as a managed device in ZCC.

You can now register workstations and servers located in front of the proxy, and these devices will be able to fetch their assignments and settings.
