Novell ZENWORKS ENDPOINT SECURITY MANAGEMENT Installation Guide
AUTHORIZED DOCUMENTATION
Installation Guide
Novell®
ZENworks® Endpoint Security Management
novdocx (en) 17 September 2009
3.5
July 31, 2009
www.novell.com
ZENworks Endpoint Security Management Installation Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities
on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses.
See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information
on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
novdocx (en) 17 September 2009
Copyright © 2007-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 17 September 2009
novdocx (en) 17 September 2009
4 ZENworks Endpoint Security Management Installation Guide
Contents
About This Guide 7
1 ZENworks Endpoint Security Management Overview 9
1.1 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2 About the ZENworks Endpoint Security Management Manuals. . . . . . . . . . . . . . . . . . . . . . . . 11
2 Installing ZENworks Endpoint Security Management 13
2.1 Pre-installation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Installation Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.1 About the Master Installer Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 Installation Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4 Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.5 Before Installing ZENworks Endpoint Security Management. . . . . . . . . . . . . . . . . . . . . . . . . . 14
novdocx (en) 17 September 2009
3 Performing a Single-Server Installation 19
3.1 Installation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2 Starting the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4 Performing a Multi-Server Installation 23
5 Performing the Policy Distribution Service Installation 25
5.1 Installation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.1.1 Typical Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.1.2 Custom Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2 Starting the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6 Performing the Management Service Installation 33
6.1 Installation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
6.1.1 Typical Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.1.2 Custom Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
6.2 Starting the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
7 Performing the Management Console Installation 45
7.1 Installation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
7.1.1 Typical Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
7.1.2 Custom Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
7.2 Starting the Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.1 Adding eDirectory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.2.2 Configuring the Management Console’s Permissions Settings . . . . . . . . . . . . . . . . . 50
7.2.3 Publishing a Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Contents 5
8 Endpoint Security Client 3.5 Installation 55
8.1 Basic Endpoint Security Client 3.5 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
8.2 MSI Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
8.2.1 Command-line Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
8.2.2 Distributing a Policy with the MSI Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
8.2.3 User Installation of the Endpoint Security Client 3.5 from MSI . . . . . . . . . . . . . . . . . 62
8.3 Running the Endpoint Security Client 3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
9 Endpoint Security Client 4.0 Installation 63
9.1 Basic Endpoint Security Client 4.0 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
9.2 MSI Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
9.2.1 Using the Master Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
9.2.2 Using the Setup.exe File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
9.2.3 Completing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
9.2.4 Command Line Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
9.2.5 Distributing a Policy with the MSI Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
9.3 Running the Endpoint Security Client 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
9.4 Features Not Supported In the Endpoint Security Client 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . 70
novdocx (en) 17 September 2009
10 ZENworks Endpoint Security Management Unmanaged Installation 71
10.1 Unmanaged Endpoint Security Client Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
10.2 Stand-Alone Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
10.3 Distributing Unmanaged Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
11 Upgrading 73
A Documentation Updates 75
A.1 July 31, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
A.2 January 5, 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6 ZENworks Endpoint Security Management Installation Guide
About This Guide
This Novell® ZENworks® Endpoint Security Management Installation Guide provides complete
installation instructions for the ZENworks Endpoint Security Management components and assists
administrators in getting those components up and running.
The information in this guide is organized as follows:
Chapter 1, “ZENworks Endpoint Security Management Overview,” on page 9
Chapter 2, “Installing ZENworks Endpoint Security Management,” on page 13
Chapter 3, “Performing a Single-Server Installation,” on page 19
Chapter 4, “Performing a Multi-Server Installation,” on page 23
Chapter 5, “Performing the Policy Distribution Service Installation,” on page 25
Chapter 6, “Performing the Management Service Installation,” on page 33
Chapter 7, “Performing the Management Console Installation,” on page 45
Chapter 8, “Endpoint Security Client 3.5 Installation,” on page 55
Chapter 9, “Endpoint Security Client 4.0 Installation,” on page 63
novdocx (en) 17 September 2009
Chapter 10, “ZENworks Endpoint Security Management Unmanaged Installation,” on page 71
Audience
This guide is written for the ZENworks Endpoint Security Management administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to the Novell Documentation Feedback site (http://www.novell.com/
documentation/feedback.html) and enter your comments there.
Additional Documentation
ZENworks Endpoint Security Management is supported by other documentation (in both PDF and
HTML formats) that you can use to learn about and implement the product. For additional
documentation, see the ZENworks Endpoint Security Management 3.5 documentation Web site
(http://www.novell.com/documentation/zesm35).
About This Guide 7
novdocx (en) 17 September 2009
8 ZENworks Endpoint Security Management Installation Guide
1
ZENworks Endpoint Security
novdocx (en) 17 September 2009
Management Overview
Novell® ZENworks® Endpoint Security Management consists of four high-level functional
components: the Policy Distribution Service, the Management Service, the Management Console,
and the Endpoint Security Client. The figure below shows these components in the architecture:
Figure 1-1 ZENworks Endpoint Security Management Architecture
Endpoint Security Management
Central Management
Location Secure
Active Directory,
LDAP, or NT Domain
Directory Service
ZENworks
Management
Group
Info
Service
SSL Link
SQL
Database
Policy
Distribution
Service
Enterprise
Web Server
DMZ
(Demilitarized Zone)
Encrypted
Policy
Reporting
Information
ZENworks
Security
Client
Office
Home
Coffee
Shop
1
Management
Console
Enterprise Perimeter
On The
Road
The Endpoint Security Client is responsible for enforcement of the distributed security policies on
the endpoint system. When the Endpoint Security Client is installed on all enterprise PCs, these
endpoints can now travel outside the corporate perimeter and maintain their security; endpoints
inside the perimeter receive additional security checks within the perimeter firewall.
The following components are installed on servers that are secured inside the corporate perimeter:
Policy Distribution Service: Responsible for the distribution of security policies to the
Endpoint Security Client and retrieval of reporting data from the Endpoint Security Client. The
Policy Distribution Service can be deployed in the DMZ, outside the enterprise firewall, to
ensure regular policy updates for mobile endpoints.
Management Service: Responsible for user policy assignment and component authentication,
reporting data retrieval, creation and dissemination of ZENworks Endpoint Security
Management reports, and security policy creation and storage.
Management Console: The visible user interface, which runs directly on the server hosting the
Management Service or on a workstation residing inside the corporate firewall with connection
to the Management Service server. The Management Console is used to both configure the
Management Service and to create and manage user and group security policies. Policies are
created, copied, edited, disseminated, and deleted using the Management Console.
ZENworks Endpoint Security Management Overview
9
1.1 System Requirements
Table 1-1 Server Requirements
Item Requirement
Operating System Microsoft* Windows* 2003 Server (32-bit)
Processor Determined by operating system
Disk Space 500 MB if the Microsoft SQL database is not installed locally
5 GB if the Microsoft SQL database is local; a SCSI drive is
recommended
Software One of the following relational database management systems
(RDBMS): SQL Server Standard, SQL Server Enterprise, Microsoft
SQL Server 2000 SP4, SQL 2005; server authentication must be set
to mixed mode to allow both SQL Server and Windows
Authentication mode authentication
novdocx (en) 17 September 2009
Microsoft Internet Information Services (configured for SSL)
Directory Services: eDirectory
.NET framework 3.5
Table 1-2 Standalone Management Console Requirements
Item Requirement
Software One of the following relational database management systems
(RDBMS): SQL Server Standard, SQL Server Enterprise, Microsoft
SQL Server 2000 SP4, SQL 2005, SQL Express, SQL Server 2008;
server authentication must be set to mixed mode to allow both SQL
Server and Windows Authentication mode authentication
Table 1-3 Client Requirements
Item Requirement
Operating System for Endpoint
Security Client 3.5
Windows XP SP1
Windows XP SP2
Windows 2000 SP4
TM
or Active Directory*
The operating system must have Windows Installer 3.1 installed and
all operating system updates applied
Operating System for Endpoint
Security Client 4.0
Processor Determined by operating system
Disk Space 5 MB required, 5 additional MB recommended for reporting data
Windows Vista SP1 (32-bit)
10 ZENworks Endpoint Security Management Installation Guide
1.2 About the ZENworks Endpoint Security Management Manuals
The ZENworks Endpoint Security Management manuals provide three levels of guidance for the
users of the product.
Installation Guide: This guide provides complete installation instructions for the ZENworks
Endpoint Security Management components and assists administrators in getting those
components up and running. This is the guide that you are currently reading.
ZENworks Endpoint Security Management Administration Guide: This guide is written for the
administrators who are required to manage the services, create security policies for the
enterprise, generate and analyze reporting data, and provide troubleshooting for users.
Instructions for completing these tasks are provided in this manual.
ZENworks Endpoint Security Client 3.5 User Guide: This guide is written to instruct the user
on the operation of the Endpoint Security Client. This guide can be sent to all employees in the
enterprise to help them understand how to use the Endpoint Security Client.
novdocx (en) 17 September 2009
ZENworks Endpoint Security Management Overview 11
novdocx (en) 17 September 2009
12 ZENworks Endpoint Security Management Installation Guide
2
Installing ZENworks Endpoint
novdocx (en) 17 September 2009
Security Management
The following sections contain additional information about installing Novell® ZENworks®
Endpoint Security Management:
Section 2.1, “Pre-installation Information,” on page 13
Section 2.2, “Installation Packages,” on page 13
Section 2.3, “Installation Options,” on page 14
Section 2.4, “Installation Order,” on page 14
Section 2.5, “Before Installing ZENworks Endpoint Security Management,” on page 14
2.1 Pre-installation Information
The ZENworks Endpoint Security Management installation software should be physically protected
to prevent any tampering or unauthorized use. Likewise, administrators should review the guidelines
for pre-installation and installation to ensure that the ZENworks Endpoint Security Management
system can function without interruption, or be made vulnerable by inadequate hardware protection.
The administrator installing this software must be the primary administrator for the servers and the
domain. If using enterprise SSL certificates, you must also use the same username to create the SSL
Root Security certificate.
2
2.2 Installation Packages
When installing from the DVD, a master installer program launches that utilizes a simple user
interface that guides the ZENworks Endpoint Security Management administrator through the
installation process. Load the installation DVD on each machine to access the master installer
program to install the desired components.
2.2.1 About the Master Installer Program
At launch, the master installer program displays two menu options: Products and Documentation.
The Products link opens the installation menu. The menu items on this screen launch the designated
installer for each component. In the case of the Endpoint Security Client 3.5 or Endpoint Security
Client 4.0, an additional option is available to launch the installation in Administrator Mode, which
helps the ZENworks Endpoint Security Management administrator create an MSI package for easy
distribution (see Chapter 8.2, “MSI Installation,” on page 57).
For information on the complete operation of the ZENworks Endpoint Security Management
components, see the ZENworks Endpoint Security Management Administration Guide, available
through the Documentation link.
Installing ZENworks Endpoint Security Management
13
2.3 Installation Options
ZENworks Endpoint Security Management back-end components can be installed as either SingleServer or Multi-Server installations. Single-Server installations are ideal for small deployments that
do not require regular policy updates. Multi-Server installations are ideal for large deployments that
require regular policy updates. Consult with Novell Professional Services to determine which
installation type is right for you.
The Endpoint Security Client can operate (when needed) without connectivity to the Policy
Distribution Service. Likewise, a Stand-Alone Management Console can be optionally installed for
evaluation purposes. The installation for this Unmanaged mode of operation is described in
Chapter 10, “ZENworks Endpoint Security Management Unmanaged Installation,” on page 71.
2.4 Installation Order
ZENworks Endpoint Security Management should be installed in the following order:
1. Single-Server Installation or Multi-Server Installation
Policy Distribution Service
novdocx (en) 17 September 2009
Management Service
2. Management Console
3. Endpoint Security Client 3.5 or Endpoint Security Client 4.0
2.5 Before Installing ZENworks Endpoint Security Management
There are a few questions the ZENworks Endpoint Security Management administrator needs to
consider prior to beginning installation:
How will your users receive their ZENworks Endpoint Security Management security
policies?
The options for policy distribution center around whether users should be able to receive a policy
update anywhere, including outside the central network, or if they should receive them only when
they are in (or connected via VPN) a secured network. For organizations planning to frequently
update their ZENworks Endpoint Security Management security policies, a Multi-Server installation
is recommended that places the Policy Distribution Service on a Web server outside the DMZ.
What type of server deployments are available to you?
If your organization only has a few servers available, then a Single-Server installation deployment
may be necessary. If server availability isn't an issue, then the size of your client deployment and the
number of users operating outside the firewall should be taken into consideration.
What is your available SQL Server deployment?
ZENworks Endpoint Security Management creates three SQL databases at installation. If your
deployment is small, you can install the SQL database server on the same server as the Management
Service. For larger deployments, a separate SQL database server should be employed to receive the
data from the Policy Distribution and Management Services.
14 ZENworks Endpoint Security Management Installation Guide
The following RDBMS types are allowed:
SQL Server 2005 and 2008 Standard
SQL Server 2005 and 2008 Enterprise
Microsoft SQL Server 2000 SP4
If you are using Microsoft SQL Server 2005 or Microsoft SQL Server 2008, you need to configure
your SQL server to support ZENworks Endpoint Security Management. The screenshots in the
following procedure are for 2005, but the configuration steps are the same for 2008.
1 Make sure you have Microsoft SQL Server Management Studio.
Management Studio is included with the Standard and Enterprise editions. If you are using the
Express edition (for an evaluation installation), you can download Management Studio Express
from the Microsoft Download Center (http://www.microsoft.com/Downloads/
details.aspx?FamilyID=c243a5ae-4bd1-4e3d-94b8-5a0f62bf7796&displaylang=en).
2 Launch Management Studio (Start menu > All Programs > Microsoft SQL Server 2005 (or
2008) > SQL Server Management Studio).
novdocx (en) 17 September 2009
3 Right-click your SQL server (TC2K3 in the above screen shot), then click Properties.
Installing ZENworks Endpoint Security Management 15
novdocx (en) 17 September 2009
4 Select Security, then make sure that Server Authentication is set to SQL Server and Windows
Authentication mode.
5 Click OK, then exit Management Studio.
6 Launch SQL Server Configuration Manager (Start menu > All Programs > Microsoft SQL
Server 2005 (or 2008) > Configuration Tools > SQL Server Configuration Manager).
7 Expand the SQL Server Network Configuration section, select Protocols for MSSQLSERVER
(where MSSQLSERVER is your server), then make sure that TCP/IP is enabled as shown
below.
16 ZENworks Endpoint Security Management Installation Guide
novdocx (en) 17 September 2009
8 Expand the SQL Native Client Configuration section, select Client Protocols, then make sure
that TCP/IP is enabled as shown below.
9 Exit SQL Server Configuration Manager.
Installing ZENworks Endpoint Security Management 17
Will you use existing certificates to establish SSL communication, or will you use
Novell Self-Signed Certificates?
For disaster recovery and failover designs, you should use enterprise, or otherwise-issued,
Certificate Authority (VeriSign, GeoTrust, Thawte, and so forth) SSL certificates for full
deployments of ZENworks Endpoint Security Management. When using your own certificates, the
Web service certificate and root CA should be created on the machine designated as the Policy
Distribution Service, then distributed to the appropriate machines. To create an Enterprise
Certificate Authority, see the step-by-step instructions for securely setting up a certificate authority,
available at on the Microsoft Web site.
For evaluations or small deployments (fewer than 100 users), you can use ZENworks Endpoint
Security Management self-signed certificates. Novell SSL Certificates are installed onto the servers
when running the typical installation.
How will you deploy your Endpoint Security Clients?
The Endpoint Security Client software can be deployed either individually onto each endpoint or
through an MSI push. Instructions on creating an MSI package can be found in Chapter 8.2, “MSI
Installation,” on page 57.
novdocx (en) 17 September 2009
Do you want policies to be machine-based or user-based?
Policies can be distributed to a single machine, where every user who logs on receives the same
policy, or policies can be set for individual users or groups.
Each installation has several pre-requisites. It is recommended that each check list of prerequisites
be complete before running the installation for any component. Please review the lists on the
following pages:
Chapter 3, “Performing a Single-Server Installation,” on page 19
Chapter 5, “Performing the Policy Distribution Service Installation,” on page 25
Chapter 6, “Performing the Management Service Installation,” on page 33
Chapter 7, “Performing the Management Console Installation,” on page 45
Chapter 8, “Endpoint Security Client 3.5 Installation,” on page 55
18 ZENworks Endpoint Security Management Installation Guide
3
Performing a Single-Server
novdocx (en) 17 September 2009
Installation
ZENworks® Endpoint Security Management Single-Server Installation (SSI) allows both the Policy
Distribution Service and the Management Service to co-exist on the same server, which is not
possible without using this installation option. The server must be deployed inside the firewall for
security purposes, requiring users to receive policy updates only when they are inside the corporate
infrastructure or connected via a VPN.
Deployment of the Single-Server Installation on a Primary Domain Controller (PDC) is not
supported for both security and functionality reasons.
NOTE: It is recommended that the SSI Server be configured (hardened) so as to deactivate all
applications, services, accounts, and other options not necessary to the intended functionality of the
server. The steps involved in doing so depend upon the specifics of the local environment, and so
cannot be described in advance. Administrators are advised to consult the appropriate section of the
Microsoft Technet security webpage (http://www.microsoft.com/technet/security/default.mspx).
Additional access control recommendations are provided in the ZENworks Endpoint Security
Management Administration Guide.
To protect access to only trusted machines, the virtual directory and IIS can be set up to have ACLs.
Reference the articles below:
3
Granting and Denying Access to Computers (http://www.microsoft.com/technet/prodtechnol/
windows2000serv/default.mspx)
Restrict Site Access by IP Address or Domain Name (http://support.microsoft.com/
default.aspx?scid=kb%3BEN-US%3BQ324066)
IIS FAQ: 2000 IP address and domain name restrictions (http://www.iisfaq.com/
default.aspx?View=A136&P=109)
Working With IIS Packet Filtering (http://www.15seconds.com/issue/011227.htm)
For security purposes, it is highly recommended that the following default folders be removed from
any IIS installation:
IISHelp
IISAdmin
Scripts
Printers
We also recommend using the IIS Lockdown Tool 2.1 available at microsoft.com (http://
www.microsoft.com/technet/security/tools/locktool.mspx).
Version 2.1 is driven by supplied templates for the major IIS-dependent Microsoft products. Select
the template that most closely matches the role of this server. If in doubt, the Dynamic Web server
template is recommended.
Performing a Single-Server Installation
19
Ensure that the following prerequisites are in place prior to beginning the installation:
novdocx (en) 17 September 2009
Ensure access to a supported directory service (eDirectory
If you are deploying using an eDirectory service, create an account password that never
TM
or Active Directory).
changes to use for Management Console authentication (see Section 7.2.1, “Adding eDirectory
Services,” on page 49).
For Endpoint Security Client to Single Server server name resolution, validate that the target
computers (where the Endpoint Security Client is installed) can ping the SSI server name. If
unsuccessful, you must resolve this before continuing with the installation. (Change the SSI
server name to FQDN/NETBIOS, change AD to use FQDN/NETBIOS, change DNS
configurations, modifying the local host file on the target computers to include the correct MS
information, and so forth).
Enable or install Microsoft Internet Information Services (IIS) and configure it to accept Secure
Socket Layer (SSL) Certificates.
IMPORTANT: Do not enable the Require secure channel (SSL) check box on the Secure
Communictions page (in the Microsoft Computer Management utility, expand Services and
Applications > expand Internet Information Services (ISS) Manager > expand Web Sites >
right-click Default Web Site > click Properties > click the Directory Security tab > click the
Edit button in the Secure communications group box). Enabling this option breaks the
communication between the ZENworks Endpoint Security Management server and the
ZENworks Endpoint Security client on the endpoint.
If you are using your own SSL certificates, ensure that the Web service certificate and root CA
are loaded on the machine and that server name validated in the previous steps (whether
NETBIOS or FQDN) matches the Issued to value for the certificate configured in IIS.
If you are using your own certificates or have already installed the Novell Self Signed
Certificate, you can validate SSL as well by trying the following URL from a machine that has
the Endpoint Security Client installed:
AuthenticationServer/UserService.asmx
https://SSI_SERVER_NAME/
(where SSI_SERVER_NAME is the server
name). This should return valid data (an html page) and not certificate warnings. Any
certificate warnings must be resolved before installation, unless you opt to use Novell Self
Signed Certificates instead.
Ensure access to a supported RDBMS (Microsoft SQL Server 2000 SP4, SQL Server Standard,
SQL Server Enterprise). Set the database to Mixed mode.
3.1 Installation Steps
Select Single Server Installation from the master installer menu. This installation combines the
installations for the Policy Distribution Service and the Management Service. For more information,
see Chapter 5, “Performing the Policy Distribution Service Installation,” on page 25 and Chapter 6,
“Performing the Management Service Installation,” on page 33.
Like their individual installations, the Typical setting installs the services' defaults and the Novell
self-signing SSL certificates. Custom Installation permits the administrator to determine the
directory paths and permits the use of an enterprise-owned certificate authority.
20 ZENworks Endpoint Security Management Installation Guide
3.2 Starting the Service
The combined Distribution and Management Service launches immediately following installation,
with no reboot of the server required. The Management Console is used to manage both the
Distribution and Management Services using the Configuration feature. For more information, see
ZENworks Endpoint Security Management Administration Guide.
After this installation is complete, the Management Console can be installed on this server. If you
want to install the Management Console on a separate machine, copy the ZENworks Endpoint
Security Management Setup Files folder to the designated Management Console machine to
complete the installation.
Continue with Chapter 5, “Performing the Policy Distribution Service Installation,” on page 25.
novdocx (en) 17 September 2009
Performing a Single-Server Installation 21
novdocx (en) 17 September 2009
22 ZENworks Endpoint Security Management Installation Guide
4
Performing a Multi-Server
novdocx (en) 17 September 2009
Installation
Multi-Server installation is recommended for large deployments or when the Policy Distribution
Service should be placed outside the corporate firewall to ensure that users receive regular policy
updates when they are outside the perimeter. Multi-Server installation must be done on at least two
separate servers. If you attempt to install the separate Policy Distribution Service and the
Management Service on the same server, the installation fails. For more information, see Chapter 3,
“Performing a Single-Server Installation,” on page 19 for a single-server installation.
Multi-Server installation should begin with the Policy Distribution Service installation on a secured
server either outside or inside the corporate firewall. For more information, see Chapter 5,
“Performing the Policy Distribution Service Installation,” on page 25.
After the Policy Distribution Service is installed, the Management Service installation should
follow. For more information, see Chapter 6, “Performing the Management Service Installation,” on
page 33.
It is recommended the Management Console also be installed on this server. For more information,
see Chapter 7, “Performing the Management Console Installation,” on page 45.
Continue with Chapter 5, “Performing the Policy Distribution Service Installation,” on page 25.
4
Performing a Multi-Server Installation
23
Loading...