A Micro Focus customer wanted to introduce the Work from Home option for its employees. To resolve system-related issues that might occur on these devices, the customer required remote control access. Remote access can be achieved by the use of JoinProxy servers.
Micro Focus had successfully tested a scenario in which 5000 devices were connected to a JoinProxy server. However, a scenario in which more than 5000 devices are connected to the JoinProxy server was not tested.
JoinProxy Satellite Servers require a public IP address. The customer had more than 5000 devices and a limit on the number of IP addresses that could be exposed in the public network, so they asked Micro Focus for a solution.
Solution
For this scenario, multiple JoinProxy Satellite Servers are required, with each server listening on a different port. These servers can be within the office network. In addition to these servers, a device (router) with a static IP address and port forwarding enabled is required in the public network. This device redirects connection requests made to a given port to a particular JoinProxy server.
For example, if there are two JoinProxy servers, JoinProxy1 and JoinProxy2, JoinProxy1 should listen on port 1 and JoinProxy2 should listen on port 2. Port forwarding should be enabled on the router so that all requests it receives on port 1 are redirected to JoinProxy1 and all requests it receives on port 2 are redirected to JoinProxy2.
Prerequisites
Multiple JoinProxy servers (based on tests, one JoinProxy Satellite Server is required for every 5000 managed device connections)
One device (a router or any machine on which port forwarding can be set up). This device should be in the public network and should have a static IP address.
Test Setup
The test setup included the following:
A managed device in a private network (Example: Home)
A Primary Server and a JoinProxy Satellite Server in another private network. (Example: Office)
The Primary and JoinProxy servers could communicate with each other. However, the Primary and JoinProxy servers could not communicate with the managed device.
Between the two networks, a router with two network interface cards (NICs) was introduced.
The managed device and the Primary and JoinProxy servers could connect to this router.
Configuration: The managed devices should be divided so that there is one JoinProxy for every 5000 managed devices. For example, if there are 10000 managed devices, the devices should be divided into two sets of 5000 each. The Closest Server Rules should be configured so that the first 5000 devices connect to JoinProxy1, which is listening on port 1, and the next 5000 devices connect to JoinProxy2, which is listening on port 2.
On each managed device, the etc/hosts file should be edited so that the hostname of the JoinProxy resolves to the IP address of the router. That is, JoinProxy1 and JoinProxy2 both resolve to the IP address of the router.
How it Works
When the agent starts, it tries to connect to the JoinProxy server using the JoinProxy's hostname. Because the hostname resolves to the router's IP address, the agent connects to the router. The router is configured so that any request received on port 1 (example: 7019) is forwarded to port 1 (example: 7019) of the JoinProxy server. The request therefore reaches the JoinProxy, and the connection is established between the managed device and the JoinProxy server.
Suggestions
The JoinProxy servers should be configured to listen on different ports. For example, if there are two JoinProxy servers, JoinProxy1 should listen on port 1 and JoinProxy2 should listen on port 2.
The etc/hosts file should be updated on the managed devices to ensure that all the hostnames of the JoinProxy servers resolve to the same router's IP address. For example, if the router's IP address is 10.1.1.1, and JoinProxy1 and JoinProxy2 are the hostnames, then JoinProxy1 and JoinProxy2 should resolve to 10.1.1.1 in the etc/hosts file.
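The configuration and suggestions above can be checked before rollout. The following Python is an added example, not code from the article or from ZENworks: it splits a device count into sets of 5000, derives the router's port-forwarding rules, and audits a managed device's hosts file for JoinProxy names that are missing or point anywhere other than the router. The consecutive port numbering after 7019, the internal JoinProxy addresses, and the sample hosts file are assumptions constructed for illustration.

```python
import ipaddress
import math

CAPACITY = 5000  # tested connections per JoinProxy server (from the article)

# Constructed sample hosts file from a managed device; JoinProxy2 is stale.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.1.1.1    JoinProxy1   # router
10.1.1.9    JoinProxy2
"""

def plan(device_count, first_port=7019):
    """One JoinProxy (hostname, port, device share) per CAPACITY devices."""
    n = math.ceil(device_count / CAPACITY)
    return [{"host": f"JoinProxy{i + 1}", "port": first_port + i,
             "devices": min(CAPACITY, device_count - i * CAPACITY)}
            for i in range(n)]

def parse_hosts(text):
    """Map each lowercased hostname to the set of IPs listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(fields[0])
    return table

def audit_hosts(text, proxies, router_ip):
    """Report JoinProxy names that are missing or point anywhere but the router."""
    ipaddress.ip_address(router_ip)  # raises ValueError on a malformed address
    table = parse_hosts(text)
    problems = []
    for p in proxies:
        ips = table.get(p["host"].lower(), set())
        if not ips:
            problems.append(f"{p['host']}: no entry")
        elif ips != {router_ip}:
            problems.append(f"{p['host']}: {sorted(ips)} != {router_ip}")
    return problems

def forwarding_rules(proxies, internal_ips):
    """Router rules as (public port, JoinProxy internal IP, JoinProxy port)."""
    return [(p["port"], internal_ips[p["host"]], p["port"]) for p in proxies]

if __name__ == "__main__":
    proxies = plan(10000)
    print(audit_hosts(SAMPLE_HOSTS, proxies, "10.1.1.1"))
    print(forwarding_rules(proxies, {"JoinProxy1": "192.168.10.11",
                                     "JoinProxy2": "192.168.10.12"}))
```

The forwarding list doubles as an allow-list for the router: any port open on its public interface that is not in the list is exposure the design does not need.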
Note:
With this setup, you can perform remote management with Password authentication. To perform remote management with rights-based authentication, the Primary Server should be accessible from the managed devices. Hence, the Primary Servers and the managed devices have to be in the public network.
You need to ensure that the devices in the public network are properly secured.
If I remember right, we have tested with 5K connections on a 4GB RAM Win 7 machine and, out of these, we were doing approximately 250+ remote management operations. Hope this gives you a rough idea.
Additional Info: In ZENworks 17 Update 1 (17.1.0), JoinProxy has been enhanced to support more than 25K connections. So, if you upgrade to 17.1.0, you wouldn't have to perform the above-mentioned steps. :-)
This is an interesting read; could you confirm the specification needed on the Join Proxy Sat Servers hardware to scale to 5000 connections? So the number of CPUs and memory specifically.
Hi, thanks for your comments. Instead of editing the hosts file, we can see whether you can create a properties file and let the agent read it while connecting to JoinProxy. But that will require some code changes. I'll see how we can take that up.
Also, can you let me know what you meant by "Did you plan to enhance the remote session mechanism", so that we can see how to address that?
Hi, this topic is very helpful. Did you plan to enhance the remote session mechanism because I have a case study to manage more than 10000 devices in the Internet? Home office users increase each day. Unfortunately, the solution to update the hosts file in each device is very restrictive for us. Thanks