mattjones1 Absent Member.

Reverse Proxy

Hi All,

I'm setting up a reverse proxy so that our home based users can access the ZENworks server without requiring a VPN connection.

What I want to accomplish is that the home users can login, download bundles and get agent updates. I don't need them to be able to install the agent or register the devices as this is done before they leave the office.

I've been looking at the cool solution that is posted here: https://www.novell.com/communities/coolsolutions/cool_tools/managing-devices-using-zenworks-reverse-proxy/

We've got it working pretty easily but before I put it into the DMZ I am wondering what the home based machines NEED to be able to get to.

In the cool solution it exposes:

http://SERVER/zenworks-setup
http://SERVER/zenworks-content
http://SERVER/
https://SERVER/endpoint/apple
https://SERVER/endpoint/android/
https://SERVER/

I'd rather not allow access to the zenworks-setup page and also to ZCC. Can these be excluded or will it stop the agent outside the firewall from working?
Micro Focus Expert

Re: Reverse Proxy

Yes....ZCC and Setup pages can be excluded.

For Normal ZCC Servers you can Restrict ZCC as shown here...
https://www.novell.com/documentation/zenworks-2017-update-4/zen_sys_zcc/data/b13o99wh.html
Normally when restrictions are set ...they are set so only internal addresses can be hit.

The Setup page can be restricted the same way but the file to manage is here...
/opt/novell/zenworks/share/tomcat/webapps/zenworks-setup/META-INF/

There is also a setting to disable New Device Registration that can be set on a primary.....
however, it would impact all devices....
If you were to use this...you would not want this set on the Primary Internal Devices hit by default.
This restriction not only impacts "New Device Registration"...it would also impact automatic recovery where a device's registration is lost for unknown reasons.


mattjones1 Absent Member.

Re: Reverse Proxy

Thanks Craig, I appreciate your quick response.

While I was looking around for a solution I experimented with the access control in the MDM Servers configuration page.

It seems that I can set access control in there. I denied access from the Internal IP Address of the reverse proxy in Administration Access and Tools Access and it shut off access to ZCC and zenworks-setup. I left Endpoint Access untouched. Can you see a problem with using this instead of editing the configuration files?
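
Added example, not part of the thread or of the cool solution: a small model for checking a path plan before the proxy goes into the DMZ, using the six URLs listed in the first post. It assumes the proxy routes by longest path prefix and that ZCC is served under `/zenworks`; both are assumptions, not statements from the thread.

```python
from urllib.parse import urlsplit

# URLs the cool solution exposes, as listed in the first post.
EXPOSED = [
    "http://SERVER/zenworks-setup",
    "http://SERVER/zenworks-content",
    "http://SERVER/",
    "https://SERVER/endpoint/apple",
    "https://SERVER/endpoint/android/",
    "https://SERVER/",
]

# Paths to keep off the proxy. "/zenworks" as the ZCC path is an assumption.
DENIED = ["/zenworks-setup", "/zenworks"]


def prefix_matches(prefix, path):
    """True when path equals prefix or lies beneath it on a segment boundary."""
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def build_rules(exposed, denied=()):
    """Return {scheme: [(prefix, action)]}; denies apply to every scheme."""
    rules = {}
    for url in exposed:
        parts = urlsplit(url)
        rules.setdefault(parts.scheme, []).append((parts.path or "/", "forward"))
    for scheme in rules:
        rules[scheme].extend((p, "deny") for p in denied)
    return rules


def decide(rules, url):
    """Longest matching prefix wins, deny wins ties, no match means blocked."""
    parts = urlsplit(url)
    hits = [(len(p.rstrip("/")), action == "deny", action)
            for p, action in rules.get(parts.scheme, [])
            if prefix_matches(p, parts.path or "/")]
    return max(hits)[2] if hits else "deny"


if __name__ == "__main__":
    # Plan A only drops the setup mapping; plan B keeps the list, adds denies.
    plan_a = build_rules([u for u in EXPOSED if not u.endswith("/zenworks-setup")])
    plan_b = build_rules(EXPOSED, DENIED)
    for url in ("http://SERVER/zenworks-setup/", "https://SERVER/zenworks/",
                "http://SERVER/zenworks-content/x"):
        print(f"{url:40} A={decide(plan_a, url):8} B={decide(plan_b, url)}")
```

Under these assumptions, removing only the `zenworks-setup` mapping leaves the page reachable through the root mapping, so an explicit deny (or a server-side restriction as described in the reply) is what actually closes it.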