Novell ZENworks Network Access Control Installation Guide
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This Novell software product includes open-source software components. Novell conforms to the terms and
conditions that govern the use of the open source components included in this product. Users of this product have
the right to access the open source code and view all applicable terms and conditions governing opens source
component usage. Visit http://www.novell.com/products/zenworks/networkaccesscontrol/opensource to access
open source code, applicable terms and conditions, and related information.
novdocx (en) 24 March 2009
novdocx (en) 24 March 2009
4Novell ZENworks Network Access Control Installation Guide
6Novell ZENworks Network Access Control Installation Guide
What You Need to Get Started
You need the following prior to installing and running Novell® ZENworks® Network Access
Control:
Minimum system (hardware and software) requirements – See Chapter 2, “System
Requirements,” on page 23
IP addresses you will enter during the set up process – See Appendix A, “Installation and
Configuration Check List,” on page 55
Install CD – See Chapter 3, “Installing Novell ZENworks Network Access Control,” on
page 31
This Installation Guide helps you install and set up Novell ZENworks Network Access Control. The
Novell ZENworks Network Access Control Users Guide (available on the CD in the /docs
directory and through the online help links in Novell ZENworks Network Access Control) provides
Novell ZENworks Network Access Control configuration information and task-based instructions.
novdocx (en) 24 March 2009
What You Need to Get Started7
novdocx (en) 24 March 2009
8Novell ZENworks Network Access Control Installation Guide
1
Deployment Flexibility
Novell® ZENworks® Network Access Control v5.0 allows you to deploy multiple Enforcement
servers (ESs) across a network and manage them from one central Management server (MS). You
create logical groups of ESs by joining them to an Enforcement cluster.
The Novell ZENworks Network Access Control MS specifies many aspects of the Enforcement
clusters; for example, the MS specifies the enforcement method (inline, DHCP, or 802.1X), how
often the endpoints are retested, the tests run on the endpoints, and how to control the endpoints’
access.
The Novell ZENworks Network Access Control ESs detect and test endpoints on the network for
compliance.
You can deploy each Novell ZENworks Network Access Control cluster in one of the following
configurations:
Inline — When deploying Novell ZENworks Network Access Control inline, Novell
ZENworks Network Access Control monitors and enforces all endpoint traffic. When Novell
ZENworks Network Access Control is deployed as a single-server installation, Novell
ZENworks Network Access Control becomes a Layer 2 bridge that requires no changes to the
network configuration settings. When Novell ZENworks Network Access Control is installed
in a multiple-server installation, you might have to configure the switch that connects the
Novell ZENworks Network Access Control Enforcement servers to use Spanning Tree
Protocol (STP) if STP is not already configured. Novell ZENworks Network Access Control
allows endpoints to access the network or blocks endpoints from accessing the network based
on their Internet Protocol (IP) address with a built-in firewall (iptables).
novdocx (en) 24 March 2009
1
DHCP — When deploying Novell ZENworks Network Access Control inline with a Dynamic
Host Configuration Protocol (DHCP) server, all DHCP requests pass through the Novell
ZENworks Network Access Control server Layer 2 bridge. For a quarantined endpoint, Novell
ZENworks Network Access Control distributes the quarantined IP address for the endpoint. If
Novell ZENworks Network Access Control allows the endpoint to have access, Novell
ZENworks Network Access Control allows your real DHCP server to distribute a nonquarantined IP address. Novell ZENworks Network Access Control assigns a DHCP IP address
based on the quarantine area parameters you define during configuration. You can place
restrictions on network access either at the gateway for the endpoint using Access Control Lists
(ACLs), or on the endpoint by removing the endpoint’s gateway and adding static routes for
accessible networks.
802.1X — When deploying Novell ZENworks Network Access Control in an 802.1X
environment, you must install it where it can communicate with the Remote Authentication
Dial-In User Service (RADIUS) server (or, Novell ZENworks Network Access Control has a
built-in RADIUS server that you can use). The RADIUS server communicates with the switch,
which performs the quarantining by moving ports or MAC addresses in and out of virtual local
area networks (VLANs).
Deployment Flexibility
9
The following figures illustrate various deployment methods:
1.1 Deploying Novell ZENworks Network Access
Control Inline
The ES’s position in the network is between the endpoints and the rest of the network; acting as a
gateway and only allowing endpoints access to network resources that have met the necessary
security requirements. Novell ZENworks Network Access Control uses two network interfaces to
bridge traffic between endpoints and the rest of the network. Novell ZENworks Network Access
Control uses a high-speed, Layer 2 bridge; network IP address changes are not required. Since
Novell ZENworks Network Access Control itself denies endpoints access to the network, policy
enforcement using internal routers, switches, or other endpoints is not required.
Novell ZENworks Network Access Control utilizes a pass-through authentication feature that
allows it to work with any virtual private network (VPN), remote access server (RAS), and network
authentication protocol or directory.
By default, an onboard firewall blocks all traffic from endpoints. Novell ZENworks Network
Access Control allows network access to only successfully tested endpoints (or when there is a grace
period for failed tests). When a test or tests pass, Novell ZENworks Network Access Control inserts
rules into the onboard firewall to allow all traffic from the endpoint. Novell ZENworks Network
Access Control uses a proprietary method to uniquely identify each endpoint as it connects to the
network, and does not install cookies or software on the end-user’s endpoint.
NOTE: When the MS and ES are installed on the same server (single-server Installation), that
server’s position in the network must be between the endpoints and the rest of the network.
Deployment Flexibility11
1.2 Deploying Novell ZENworks Network Access
Control Using DHCP
When you configure Novell ZENworks Network Access Control with a DHCP quarantine area, the
Novell ZENworks Network Access Control ES must sit inline with your DHCP server. If this is not
possible, you must configure a remote host for Device Activity Capture (DAC) as described in the
User’s Guide, Remote Device Activity Capture with a quarantined endpoint, the ES responds to the
DHCP request and blocks the request from getting to the main DHCP server. When the endpoint is
allowed access, Novell ZENworks Network Access Control does not respond to the DHCP request
and lets the request through to the main DHCP server which responds with normal DHCP settings.
The Novell ZENworks Network Access Control DHCP server can respond to quarantined endpoints
with one of these two types of DHCP settings:
DHCP settings for a separate quarantine subnetwork — In this case, network access is
restricted by adding ACLs to your router between the quarantine subnetwork and all other
networks. You must also add an IP helper address for the Novell ZENworks Network Access
Control ES, and a secondary IP address for the quarantined subnetworks gateway to the router.
DHCP settings using static routes — In this case, network access is restricted by giving the
endpoint a normal IP address but not assigning a gateway. The advantage of this method is that
it requires only one router change to add an IP helper address for the Novell ZENworks
Network Access Control ES. Also, some routers do not like multi-netting, which is required by
the first method and not by this method of DHCP enforcement. The Novell ZENworks
Network Access Control ES uses the following DHCP settings:
novdocx (en) 24 March 2009
Gateway — None
Netmask — 255.255.255.255
DNS — Novell ZENworks Network Access Control ES IP address
Static routes — Configurable list of accessible IP addresses and networks
These DHCP settings effectively restrict all network access except to the IP addresses and networks
specified as static routes in the accessible endpoints and services area. A list of Web sites can also be
configured as accessible. You can access these Web sites through a proxy server, which is built into
the Novell ZENworks Network Access Control ES. The Novell ZENworks Network Access Control
ES responds to DHCP INFO requests to automatically configure the proxy server in the browser.
Once the endpoint is allowed access, the IP address is automatically renewed and the main DHCP
server assigns an IP address in the main LAN.
NOTE: When the MS and ES are installed on the same server (single-server Installation), that
server’s position in the network must be inline with your DHCP server. It is the ES that responds to
the DHCP request and blocks the request from getting to the main DHCP server.
TIP: When using DHCP mode and connecting directly to the DHCP server's network interface, be
sure to use a crossover cable.
12Novell ZENworks Network Access Control Installation Guide
The following figure shows an example installation scenario for a simple (one LAN) setup with
enforcement using ACLs on a router:
Figure 1-5 Single-server Installation, DHCP Mode, Simple Example
novdocx (en) 24 March 2009
Deployment Flexibility13
The following figure shows an example installation scenario for a complex (multiple LAN) setup
with enforcement using ACLs on a router:
Figure 1-6 Single-server Installation, DHCP Mode, Complex Example
novdocx (en) 24 March 2009
14Novell ZENworks Network Access Control Installation Guide
The following figure shows an example installation scenario for a setup with enforcement with static
routes on the endpoint:
1.3 Deploying Novell ZENworks Network Access
Control Using 802.1X
To configure Novell ZENworks Network Access Control as 802.1X-enabled, install it with one of
three different configurations, depending on your network environment (see Figure 1-8 on page 16):
1 Use the built-in Novell ZENworks Network Access Control RADIUS server to proxy to any
other RADIUS server. In this configuration, the switch performs the 802.1X authentication
against the Novell ZENworks Network Access Control RADIUS server, which proxies the
request to another RADIUS server. During the return proxy of the authentication request, the
Novell ZENworks Network Access Control ES instructs the switch in which VLAN is to place
the endpoint based on its test status.
2 Use the built-in Novell ZENworks Network Access Control RADIUS server and user accounts.
In this configuration, the switch performs the 802.1X authentication against the Novell
ZENworks Network Access Control RADIUS server. The Novell ZENworks Network Access
Control ES instructs the switch in which VLAN to place the endpoint, based on its test status.
3 Use the IAS plug-in to integrate with your existing radius server. In this configuration, the
switch performs the 802.1X authentication against the Microsoft Internet Authentication
Service (IAS) RADIUS server. A Novell ZENworks Network Access Control plug-in to the
IAS RADIUS server is available that instructs the switch in which VLAN to place the endpoint
based on its test status.
NOTE: With a single-server Installation, the ES instructs the switch in which VLAN to place the
endpoint.
Deployment Flexibility15
TIP: If the ES cannot see traffic on a mirrored port on a switch, you must configure a remote host
for Device Activity Capture (DAC) as described in the User’s Guide, Remote Device Activity
Capture.
A sample deployment is shown in the following figure:
Figure 1-8 802.1X Enforcement
novdocx (en) 24 March 2009
16Novell ZENworks Network Access Control Installation Guide
1.4 Installing the Network Interface Cards
The number of network interface cards (NICs) required depends on the installation method selected
as described in this section.
1.4.1 Inline
The inline installation of Novell ZENworks Network Access Control, where the MS and ES are
installed on a single server, requires two network interface cards (NICs) installed for Novell
ZENworks Network Access Control to operate properly.
The inline installation of Novell ZENworks Network Access Control where the MS and ES are
installed on different servers requires at least three NICs; one for the MS and two for each ES.
novdocx (en) 24 March 2009
The inline installation interfaces form a bridge from one part of your network to another as shown in
the following figure. The Linux
eth0, eth1, and so on). It is very important that you connect the eth0 interface to your local area
network (LAN) side, and eth1 to the Virtual Private Network (VPN) side (for inline mode or for
the main DHCP server in DHCP mode).
802.1X-enabled Novell ZENworks Network Access Control installations require one NIC where the
MS and ES are installed on the same server (see Figure 1-11), and two NICs where the MS and ES
are installed on different servers. In 802.1X mode, eth1 on Novell ZENworks Network Access
Control is used to discover endpoints on the network. To discover endpoints on the local network,
eth1 can simply be plugged into a port on that subnet because it receives broadcast traffic. To
discover endpoints on other networks, eth1 must be connected to a mirrored port or a port that is
part of a tagged VLAN trunk to detect traffic from endpoints on these other networks. Usually,
mirroring the ports in which the DNS and DHCP server resides detects new endpoints sufficiently.
TIP: It is strongly recommended that you use the Intel NIC cards. If you use a different NIC card,
you might be unable to connect, or experience unpredictable results and availability.
1.4.4 Determining eth0 and eth1
To determine which interface is eth0 and which is eth1 using ethtool:
1 After installing Novell ZENworks Network Access Control, plug an Ethernet cable into only
one of the interfaces.
2 Log into the Novell ZENworks Network Access Control MS as root and enter one of the
following commands:
2a ethtool eth0
2b ethtool -p ethn x
Where:
n is the number of the Ethernet interface, for example 0
18Novell ZENworks Network Access Control Installation Guide
x is the number of seconds to allow the lights to blink
3 The return values are similar to the following, which also indicates that the connected interface
is eth0:
# ethtool eth0
Settings for eth0:
Supported ports: [ MII ]
Supported link modes:10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Current message level: 0x000000ff (255)
Link detected: yes
novdocx (en) 24 March 2009
TIP: In normal operation, Novell ZENworks Network Access Control does not respond to Internet
Control Message Protocol (ICMP or ping) echo requests.
1.5 Deploying Novell ZENworks Network Access
Control in VPN Mode on a Different Network
When Novell ZENworks Network Access Control is deployed in VPN mode, the eth1 interface on
Novell ZENworks Network Access Control is usually connected directly (either by way of a
crossover cable, isolated switch, or VLAN) to the LAN-facing side of the VPN concentrator. If the
same logical subnet (such as, 10.10.0.0/16) is used for Novell ZENworks Network Access Control,
the concentrator, and the VPN clients, no modifications need be made.
However, problems can arise if the following conditions are all true:
Novell ZENworks Network Access Control is in a different logical subnet than that used by the
VPN concentrator OR the VPN client endpoints.
The router on the LAN (eth0) side of Novell ZENworks Network Access Control is configured
for best-practices egress filtering, and will not route packets that have a source IP address
outside the network segment from which they appear to originate.
See the SANS Egress Filtering FAQ (http://www.sans.org/reading_room/whitepapers/
firewalls/1059.php) for a more thorough discussion of egress filtering.
The most obvious symptom of this situation is that Novell ZENworks Network Access Control will
not be able to redirect endpoint clients (they will get a blank browser page that appears to take
forever to load) but the endpoint browser is able to browse directly to https://<Novell ZENworks Network Access Control_IP_Address>:89/ and get tested.
Deployment Flexibility19
For example, for the following IP addresses:
Router IP — 10.1.90.254, on a /24
Novell ZENworks Network Access Control IP — 10.1.90.130, on a /24
VPN concentrator IP — 10.1.90.131, on a /24
VPN client IP range —10.1.105.0/24
The VPN concentrator is configured to hand out IP addresses on the 10.1.105.0/24 subnet, while
Novell ZENworks Network Access Control and the VPN concentrator itself are on the 10.1.90.0/24
subnet. Both Novell ZENworks Network Access Control and the VPN concentrator have a default
route set through 10.1.90.254 which is a router or Layer 3 switch on the LAN (eth0) side of Novell
ZENworks Network Access Control.
Because a connecting VPN endpoint is not on the same subnet as Novell ZENworks Network
Access Control, all of the packets that Novell ZENworks Network Access Control sends (in
response to HTTP requests from the endpoint) go to the router at 10.1.90.254, which knows to send
them (back through the Novell ZENworks Network Access Control bridge) to the VPN concentrator
for a next hop. For normal communication (such as testing traffic) between Novell ZENworks
Network Access Control and an endpoint, this works fine, even if it seems a bit inefficient.
novdocx (en) 24 March 2009
However, when Novell ZENworks Network Access Control redirects an HTTP connection, it first
constructs an HTTP redirect with a source IP address corresponding to the original destination of the
connection.
For example:
1. The endpoint connects to the VPN, and the browser requests www.google.com.
2. Novell ZENworks Network Access Control intercepts the packets addressed to google.com.
3. Novell ZENworks Network Access Control constructs an HTTP redirection to the Novell
ZENworks Network Access Control IP, using packets which have a source IP address of
www.google.com.
4. Novell ZENworks Network Access Control sends the constructed redirect to the VPN endpoint
using the Novell ZENworks Network Access Control default route.
Those packets go to the LAN side router, which in our scenario is configured with best-practices
egress filtering. The router treats those packets as errors (because they are marked with a source IP
address that should not emanate from that network segment) and drops them. This is why testing
works when the endpoint connects directly to emanate—the response packets still go to the LANside router, but it routes them appropriately because they have a valid source address.
The solution is to add a static route to Novell ZENworks Network Access Control so that it knows to
send packets addressed to 10.1.105 via the VPN concentrator instead of the LAN-side router, and it
will redirect correctly.
You also want to make the static route addition permanent across reboots.
To add a permanent static route to the Novell ZENworks Network Access Control
server:
1 Log in as root to the Novell ZENworks Network Access Control server using SSH or directly
with a keyboard.
20Novell ZENworks Network Access Control Installation Guide
2 Open the following file with a text editor, such as vi.
/etc/rc.local
3 Add something like the following:
#
# explicit routes for VPN subnets should go to the VPN router,
# not the default gateway
#
/sbin/route add -net 10.1.105.0/24 gw 10.1.90.131
Where, for other network configurations or additional VPN profiles you need to add routes
appropriate to the subnet or subnets involved.
novdocx (en) 24 March 2009
Deployment Flexibility21
novdocx (en) 24 March 2009
22Novell ZENworks Network Access Control Installation Guide
2
System Requirements
The following sections contain more information:
Section 2.1, “General System Requirements,” on page 23
Section 2.2, “Important Browser Settings,” on page 24
2.1 General System Requirements
The following hardware and software is required to install and operate Novell® ZENworks®
Network Access Control.
Table 2-1 ZENworks Network Access Control System Requirements
ItemMinimumRecommended
novdocx (en) 24 March 2009
2
Server — A dedicated server or servers for product installation
with the following minimum system requirements:
ProcessorPentium 4 2 GHz Pentium 4 or
RAM2 GB4 GB
Disk space73 GB146 GB
Multiple-server installation:
MS installation — One server-class network
interface cards (NICs)
and —
ES installation —
DHCP — Two server-class network interface
cards (NICs)
Inline — Two server-class network interface cards
(NICs)
802.1X-enabled installation — One server-class
network interface cards
Single-server installation — Two server-class
network interface cards (NICs)
10/100/1000
(Intel)
higher 2.8 GHz
10/100/1000
(Intel)
Open PCI slot if using HA Bypass cardoptionaloptional
CD-ROM driveyesyes
An Internet connection or a web proxy server that
allows outbound HTTPS communications from the
MS.
yesyes
System Requirements
23
ItemMinimumRecommended
novdocx (en) 24 March 2009
Workstation — A workstation running one of the following
browsers with 128-bit encryption:
Windows —
Mozilla version 1.7
Mozilla Firefox version 1.5 or later
Internet Explorer 6.0 or later
Linux —
Mozilla version 1.7
Mozilla Firefox version 1.5 or later
Mac OS X —
Mozilla Firefox version 1.5 or later
License — A license keyyesyes
Product updates — The latest Novell ZENworks Network Access
Control product updates
yesyes
yesyes
TIP: It is strongly recommended that you use the server-class Intel NIC cards. If you use a different
NIC card, you might be unable to connect, or experience unpredictable results and availability.
NOTE: Your license key is emailed to you. If you did not receive one, contact Novell Support
(http://www.novell.com/support) or call 800-858-4000.
2.2 Important Browser Settings
The following sections contain more information:
Section 2.2.1, “Pop-up Windows,” on page 24
Section 2.2.2, “Active Content,” on page 25
Section 2.2.3, “Minimum Font Size,” on page 26
Section 2.2.4, “Page Caching,” on page 27
Section 2.2.5, “Temporary Files,” on page 28
2.2.1 Pop-up Windows
The Novell ZENworks Network Access Control reports capability uses a pop-up window. In order
for you to run reports on Novell ZENworks Network Access Control, you must allow pop-up
windows from the Novell ZENworks Network Access Control server.
To allow pop-up windows in Internet Explorer:
Internet Explorer browser>>Tools>>Pop-up blocker>>Pop-up blocker settings
1 Enter the IP address or partial IP address of the Novell ZENworks Network Access Control
MS.
24Novell ZENworks Network Access Control Installation Guide
2 Click Add.
3 Click Close.
To allow pop-up windows in Mozilla:
Mozilla browser>>Edit>>Preferences>>Privacy & Security>>Popup Windows
1 Select the Block unrequested popup windows check box.
2 Click Allowed sites.
3 Enter the IP address or partial IP address of the Novell ZENworks Network Access Control
MS.
4 Click Add.
5 Click OK.
6 Click OK.
To allow pop-up windows in Windows or Linux Firefox:
Firefox browser>>Tools>>Options>>Content
novdocx (en) 24 March 2009
1 Clear the Block Popup Windows check box.
2 Click OK.
To allow pop-up windows in Mac Firefox:
Firefox menu>>Preferences>>Content
1 Clear the Block Popup Windows check box.
2 Close the Content window.
2.2.2 Active Content
If you see the following Active Content message at the top of the browser window when you access
the Novell ZENworks Network Access Control help feature. perform the instructions in this section
to allow Active Content to display.
Figure 2-1 Internet Explorere Security Warning Message
To allow Active Content to display:
1 Click on the message box to display the options (Figure 2-2).
Figure 2-2 IE Security Message Options
System Requirements25
2 Select Allow Blocked Content. The Security Warning window appears:
Figure 2-3 IE Security Warning Pop-up Window
3 Click Yes on the Security Warning window.
To change the Internet Explorer security settings to always allow active content:
IE browser>>Tools>>Internet Options>>Advanced tab
Figure 2-4 IE Internet Options, Advanced Tab
novdocx (en) 24 March 2009
1 In the Internet Options pop-up window, scroll down to the security section.
2 Select the Allow active content to run in files on my computer check
box.
3 Click OK.
2.2.3 Minimum Font Size
In order to properly display the Novell ZENworks Network Access Control user interface, do not
specify the minimum font size.
1 Select None in the Minimum font size drop-down list.
2 Select the Allow pages to choose their own fonts, instead of my
selections above check box.
3 Click OK.
4 Close the Content window.
2.2.4 Page Caching
To set the Internet Explorer page caching options:
Internet Explorer browser>>Tools>>Internet Options
1 Select the General tab
2 Click Settings.
3 In the Check for new versions of stored pages area, select the
Automatically radio button.
4 Click OK.
5 In the Internet Options dialog box, click the Advanced tab.
6 Scroll down to the Security area. Clear the Do not save encrypted pages to
disk check box.
7 Click OK.
System Requirements27
To set the Mozilla page caching options:
Mozilla browser>>Edit>>Preferences
1 Click the plus (+) symbol next to Advanced to expand the topic.
2 Select Cache.
3 In the Compare the page in the cache to the page on the network area,
select the Every time I view the page radio button.
4 Click OK.
2.2.5 Temporary Files
Periodically delete temporary files from your system to improve browser performance.
To delete temporary files in Internet Explorer:
Internet Explorer>>Tools>>Internet Options>>General tab
1 Click Delete Files.
2 Select the Delete all offline content check box.
novdocx (en) 24 March 2009
3 Click OK.
4 Click OK.
To delete temporary files in Mozilla:
Mozilla browser>>Edit>>Preferences
1 Select the plus (+) symbol next to Advanced to expand the topic.
2 Select Cache.
3 Click Clear Cache.
To delete temporary files in Windows or Linux Firefox:
Firefox browser>>Tools>>Options>>Privacy
1 In the Private Data area, click Settings. The Clear Private Data window
appears.
2 Select the Cache check box.
3 Click OK.
4 Click Clear Now.
5 Click OK.
To delete temporary files in Mac Firefox:
Firefox menu>>Preferences>>Privacy
1 In the Private Data area, click Settings. The Clear Private Data window
appears.
2 Select the Cache check box.
28Novell ZENworks Network Access Control Installation Guide
3 Click OK.
4 Click Clear Now.
5 Close the Privacy window.
novdocx (en) 24 March 2009
System Requirements29
novdocx (en) 24 March 2009
30Novell ZENworks Network Access Control Installation Guide
3
Installing Novell ZENworks
novdocx (en) 24 March 2009
Network Access Control
You have one installation option:
Install Novell
“Installing Novell ZENworks Network Access Control for the First Time,” on page 31)
3.1 Installing Novell ZENworks Network Access
Control for the First Time
For first-time installations, use the install CD. Create an install CD from an International
Organization for Standardization (ISO) image downloaded from the Novell Web site, or request one
from Novell. The installation process loads both the Novell ZENworks Network Access Control
application and the custom, hardened operating system (OS) on which Novell ZENworks Network
Access Control runs.
TIP: If you already have a CD, skip to Section 3.1.2, “Creating the Installation CD from the Novell
ZENworks Network Access Control Download,” on page 32.
This section covers the following tasks:
®
ZENworks® Network Access Control for the first time (see Section 3.1,
3
Section 3.1.1, “Downloading the New Install ISO Image,” on page 31
Section 3.1.2, “Creating the Installation CD from the Novell ZENworks Network Access
After you download the ISO image, create a CD (see Section 3.1.2, “Creating the Installation CD
from the Novell ZENworks Network Access Control Download,” on page 32Section 3.1.3,
“Installing Novell ZENworks Network Access Control,” on page 33), and then perform the
installation from the CD (see Section 3.1.3, “Installing Novell ZENworks Network Access Control,”
on page 33).
To download the new install ISO using Internet Explorer:
Internet Explorer (IE) or other browser
1 Locate a computer that has a browser installed and is connected to the Internet.
2 Open a browser window and open the Novell Downloads page (http://download.novell.com).
The approximate file size is 450 MB.
3 A pop-up window appears with instructions about saving the file, click Save.
Installing Novell ZENworks Network Access Control
31
4 A pop-up window appears instructing you to select a directory in which to save the file.
Navigate to a location that you will remember when it is time to create the install CD. Click
Save.
5 The download window appears, showing the status of the download process. This download
can take a lot of time, depending on your connection speed.
6 After you download the file (ISO image), you need to create a CD (see Section 3.1.2, “Creating
the Installation CD from the Novell ZENworks Network Access Control Download,” on
page 32), and then you can use that CD to install the Novell ZENworks Network Access
Control software (see Section 3.1.3, “Installing Novell ZENworks Network Access Control,”
on page 33).
NOTE: Downloading an ISO image file and creating an installation CD is not the same process as
just copying a file to a CD.
3.1.2 Creating the Installation CD from the Novell ZENworks
Network Access Control Download
novdocx (en) 24 March 2009
TIP: If you already have a Novell ZENworks Network Access Control installation CD, go to
You must have a CD to install Novell ZENworks Network Access Control. This section describes
how to create one from the downloaded ISO image.
To create the Novell ZENworks Network Access Control installation CD:
1 For Windows:
1a Most current CD-burning software supports creating CDs from ISO images. Open the ISO
file with your CD-burning software. If it recognizes the ISO file, proceed with the CDburning process.
or
1b Right-click on the ISO file and choose Open with>>Choose program and select your CD-
burning software. After your CD program launches, create the CD using the typical
procedures.
TIP: A Free CD-burning application you can try is CDBurnerXP Pro (http://
www.cdburnerxp.se).
2 For Linux:
Most Linux systems include the cdrecord command; however, cdrecord syntax varies
depending on the specific distribution. Consult your documentation for the correct syntax for
your version.
For example:
cdrecord -v speed=8 dev=0,0,0 /tmp/imagefile.iso
Where 8 is the speed of your burner, and /tmp/imagefile.iso is the path and file name
of the ISO file you wish to copy.
32Novell ZENworks Network Access Control Installation Guide
3.1.3 Installing Novell ZENworks Network Access Control
When you install the Novell ZENworks Network Access Control software for the first time, you
need to put the Novell ZENworks Network Access Control CD directly into the computer that will
be the Novell ZENworks Network Access Control server (MS or ES). You cannot install any other
software on this computer. Installing the Novell ZENworks Network Access Control software also
installs the operating system (OS) that Novell ZENworks Network Access Control uses. This OS is
hardened making it very secure.
IMPORTANT: Installing third-party software on the Novell ZENworks Network Access Control
server is not supported. If you install additional software on the Novell ZENworks Network Access
Control server, you will have to remove it in order to troubleshoot any Novell ZENworks Network
Access Control issues, and it will likely be partially or fully overwritten during Novell ZENworks
Network Access Control release upgrades or patch installs, compromising the third-party software
functionality. Additionally, installing third-party software and/or modifying the Novell ZENworks
Network Access Control software may violate your license agreement. Please refer to the Novell
EULA, which can be found in the Novell ZENworks Network Access Control Users Guide.
There are two scenarios for Novell ZENworks Network Access Control installation:
novdocx (en) 24 March 2009
Single-server installation — Install Novell ZENworks Network Access Control as a single-
server installation, where the MS and the ES are both on the same server. The ES is
automatically joined to an Enforcement cluster. The high availability (HA) and load balancing
(LB) functions are not available with this installation option.
Multiple-server installation — Install Novell ZENworks Network Access Control as a
multiple-server installation where the MS and the ES or ESs are on different servers. One or
more ESs are joined to a specified Enforcement cluster in the user interface. You must have two
or more ESs joined to an Enforcement cluster for HA or LB functionality.
After you install Novell ZENworks Network Access Control, you need to use a computer (other than
the MS or ES) with a browser for configuration and daily operation tasks.
See the Novell ZENworks Network Access Control Users Guide for more information on HA and
LB.
To install Novell ZENworks Network Access Control:
1 Locate and verify the server hardware (see “Locating and Verifying Server Hardware” on
page 34).
2 Locate the information required during the install process (see “Information Required During
Installation” on page 35).
3 Install the software:
3a Install single-server MS/ES software (see “Creating a Single-server Installation” on
page 36), or
3b Install multiple-server MS software and ES software (see “Creating a Multiple-server
Installation” on page 42)
4 Log in to the Novell ZENworks Network Access Control MS.
5a Create clusters (see “Creating an Enforcement Cluster” on page 46).
5b Add enforcement servers to defined clusters (see“Adding an ES to a Cluster” on page 50)
6 Configure Novell ZENworks Network Access Control (see the Novell ZENworks Network
Access Control v5.0 Users Guide).
Locating and Verifying Server Hardware
To verify the server requirements:
1 Locate the computer you will be using for the Novell ZENworks Network Access Control
server.
2 Verify that this computer has the following:
2a Processor — Pentium 4
Linux — To list CPU-related information to the screen on a Linux computer, enter
the following at the command line:
novdocx (en) 24 March 2009
cat /proc/cpuinfo | more
Press the space bar to page down through the listed information
Windows — From the desktop, right click on My Computer and select
Properties. Select the General tab.
2b Processor speed — 2 GHz (or greater).
Linux — To list CPU-related information to the screen on a Linux computer, enter
the following at the command line:
cat /proc/cpuinfo | more
Press the space bar to page down through the listed information.
Windows — From the desktop, right click on My Computer and select
Properties. Select the General tab.
2c Memory — 1 GB RAM
Linux — To list memory-related information to the screen on a Linux computer,
enter the following at the command line:
dmesg | grep Memory
The number returned to the right of the / is the total memory.
Windows — From the desktop, right click on My Computer and select
Properties. Select the General tab.
2d Disk space — 36 GB(or greater)
Linux — To list disk-related information to the screen on a Linux computer, enter
the following at the command line:
For IDE drives:
fdisk -l /dev/hda | more
For SCSI drives:
fdisk -l /dev/sda | more
34Novell ZENworks Network Access Control Installation Guide
Press the space bar to page down through the listed information. If you don’t know
the drive type, just pick one of the above commands and enter it. If you don’t have
that type of drive, nothing will be returned.
Windows — From the desktop, double-click on My Computer.
2e Ethernet cards — You must know the quarantine (deployment) method you are going to
use when setting up your network, as each method has the following specific Ethernet card
requirements:
Single-server installation — When the MS and ES are installed on the same server, you
need two Ethernet cards.
Multiple-server installation — When the MS and ES are installed on multiple servers,
you need one Ethernet card on the MS, and the following number of Ethernet cards for
each ES:
Inline — You need two Ethernet cards on each ES
DHCP — You need two Ethernet cards on each ES
802.1x — You need one Ethernet card on each ES
Linux – To list Ethernet card information to the screen on a Linux computer, enter
the following at the command line:
novdocx (en) 24 March 2009
ifconfig
Windows – To list Ethernet card information to a DOS (cmd) window on a Windows
computer, enter the following at the command line:
ipconfig
2f CDROM drive — This drive can be a read-only drive and is used for first-time
installation.
NOTE: For more information about deployment options, see Chapter 1, “Deployment Flexibility,”
on page 9.
IMPORTANT: Make sure that your Ethernet cards are 10/100/1000 (Intel) server-class NICs.
Inferior class network cards do not work at all, or work intermittently. You can get the best results
from the Intel PRO-series NICs.
Information Required During Installation
You will be asked for the following information during the installation process (use the Appendix A,
“Installation and Configuration Check List,” on page 55 for easy reference):
Static IP address — The IP address for each server you will use (both MS and ESs). For
example: 10.0.16.180. You must have a static (always the same) (not dynamic—can be
different every time) IP address to use for each server.
Netmask (Network mask) — A number that tells how much of the IP address is reserved for
the network (255) and how much is reserved for the host (0). This must be defined when
servers create subnetworks as part of the installation process. For example: 255.255.0.0.
Default gateway IP address — The IP address of your Internet connection—the IP address of
the network endpoint that knows how to route packets outside of your local network. For
example 10.0.16.1.
NOTE: Your system may require a different gateway. Check with your network administrator
if you have problems or are unsure of which gateway IP address to use.
Primary nameserver IP address (DNS server) — The IP address of the server that you use to
convert hostnames to IP addresses. For example: 204.74.112.1.
To find the current DNS server:
Linux — Look in the /etc/resolv.conf file for the nameserver entry.
Windows — Enter ipconfig /all at the command line
If you use secondary and tertiary nameservers, you will be asked for those IP addresses as well.
Novell ZENworks Network Access Control hostname — The names you give your Novell
ZENworks Network Access Control servers (MS and ESs). Select names that are short, easy to
remember, have no spaces or underscores, and the first and last character cannot be a dash (-).
novdocx (en) 24 March 2009
NOTE: The Novell ZENworks Network Access Control hostnames must be the fully qualified
domain names (FQDN). The FQDN includes the host and the domain name—including the
top-level domain. For example, waldo.mycompany.com.
Time zone — The time zones where your Novell ZENworks Network Access Control servers
are located. The time zones must be specified for each MS and each ES.
Novell ZENworks Network Access Control server root password — The passwords you
give to your Novell ZENworks Network Access Control servers (MS and ESs) when logging in
as the root user. Note: This is not the Novell ZENworks Network Access Control user
interface administrator password.
Installation type — The type is either MS or ES for multiple-server installations, or Both for
single-server installations.
NTP server IP — The IP address you use for your Network Time Protocol (NTP) server
Creating a Single-server Installation
To install the MS and ES on a single server:
1 Locate the server you are using for the Novell ZENworks Network Access Control installation.
2 Insert the Novell ZENworks Network Access Control CD into the dedicated server and reboot
(for example by pressing [Ctrl]+[Alt]+[Delete] or an appropriate method of reboot). Once the
server reboots, the boot prompt screen appears (Figure 3-1 on page 37).
WARNING: The Novell ZENworks Network Access Control installation CD automatically
reformats the hard drive on the host machine, erasing all existing data. Do not continue if you
need any information that is stored on the hard drive! To abort the installation, press
[Ctrl]+[Alt]+[Delete].
TIP: If the dedicated server is not configured to boot from the CD drive, edit the basic input/
output system (BIOS) options as described in your server’s documentation.
36Novell ZENworks Network Access Control Installation Guide
Figure 3-1 Install Screen, Boot Prompt
novdocx (en) 24 March 2009
3 At the boot prompt, type one of the following:
install — This is the default option that works on most systems.
noacpi — If your system hangs shortly after install is entered, use this option which
disables the [Advanced Configuration and Power Interface (ACPI)] allowing the Novell
ZENworks Network Access Control system to use the chroot command.
nodma — If your system (such as some Compaq/HP systems) has problems using [Direct
Memory Access (DMA)] to chip memory, this option disables DMA for the IDE
subsystem.
noapic — If your system BIOS has an upgrade to fix the Advanced Programmable
Interrupt Controller (APIC)] and the system continues to hang shortly after install is
entered, use this option which disables the APIC. This tells the kernel to not make use of
any IOAPICs that may be present in the system.
withoptions — If your system has problems not listed above, use this option to
specify that No additional kernel parameters are passed to the kernel to allow greater
flexibility.
5 On the Installation Confirmation screen, type install and select OK. The Network
Configuration for eth0 screen appears.
TIP: Use the [Tab], [spacebar], and [Enter] keys to navigate between fields and make
selections on the install screens.
6 On the Network Configuration for eth0 screen, enter the IP address of the Novell
ZENworks Network Access Control MS/ES installation, as shown in Figure 3-3 on page 38.
The Netmask value is prepopulated; edit the Netmask value if necessary.
TIP: You must use static IP addresses for Novell ZENworks Network Access Control servers.
Novell ZENworks Network Access Control servers cannot receive DHCP IP addresses.
Figure 3-3 Install Screen, Network Configuration for eth0
38Novell ZENworks Network Access Control Installation Guide
7 Select OK. The Miscellaneous Network Settings screen appears:
10 On the Time Zone Selection screen, select the time zone. Select OK. The Root
Password screen appears:
novdocx (en) 24 March 2009
TIP: Make sure that you select a root password that is easy for you to remember but difficult
for others to guess.
Figure 3-7 Install Screen, Root Password
40Novell ZENworks Network Access Control Installation Guide
11 On the Root Password screen, enter a root password for the Novell ZENworks Network
Access Control server. Enter a secure password that you can remember, and retype the
password to confirm it. Select OK. The Novell Novell ZENworks Network Access Control installation type screen appears:
Figure 3-8 Install Screen, Installation Type
novdocx (en) 24 March 2009
12 On the Novell Novell ZENworks Network Access Control installation
type screen, select Both.
13 Select OK. The Installation progress screen appears (Figure 3-9 on page 41).
Figure 3-9 Install Screen, Installation Progress
14 Wait. Installation can take a few minutes.
15 When installation is complete, remove the CD.
TIP: If the server reboots before you remove the CD, the boot prompt appears again. Remove
the CD and reboot the server to start Novell ZENworks Network Access Control.
16 The server reboots and starts Novell ZENworks Network Access Control.
17 Log in to the Novell ZENworks Network Access Control server and perform the initial
configuration as described in “Initial Configuration” on page 42.
Creating a Multiple-server Installation
To install the MS and ES on different servers:
1 Install the MS software:
1a Perform the steps described in “Creating a Single-server Installation” on page 36: Step 1
on page 36 through Step 11 on page 41. The Novell Novell ZENworks Network
Access Control installation type screen appears (Figure 3-8 on page 41).
1b Select Management server.
1c Select ok. The Installation progress screen appears (Figure 3-9 on page 41).
1d Wait. Installation can take a few minutes.
1e When installation is complete, remove the CD.
novdocx (en) 24 March 2009
TIP: If the server reboots before you remove the CD, the boot prompt appears again.
Remove the CD and reboot the server to start Novell ZENworks Network Access Control.
1f The server reboots and starts Novell ZENworks Network Access Control.
2 Install the ES software:
2a Perform the steps described in “Creating a Single-server Installation” on page 36: Step 1
on page 36 through Step 11 on page 41. The Novell Novell ZENworks Network
Access Control installation type screen appears (Figure 3-8 on page 41).
2b Select Enforcement server.
2c Select ok. The Installation progress screen appears (Figure 3-9 on page 41).
2d Wait. Installation can take a few minutes.
2e When installation is complete, remove the CD.
TIP: If the server reboots before you remove the CD, the boot prompt appears again.
Remove the CD and reboot the server to start Novell ZENworks Network Access Control.
2f The server reboots and starts Novell ZENworks Network Access Control.
3 Add as many ESs as your system requires.
4 Go to “Initial Configuration” on page 42.
Initial Configuration
NOTE: If you already have endpoints attached to a switch when you install Novell ZENworks
Network Access Control, you must log in to each switch and send the NAC revalidate command
before the endpoint can be tested and routed properly.
42Novell ZENworks Network Access Control Installation Guide
To configure the Novell ZENworks Network Access Control MS/ES:
1 Log into a different computer with browser software installed. The following browsers are
supported for this release:
Windows: IE 6.0 or later, Mozilla Firefox v1.5 or later, Mozilla v1.7
Linux: Mozilla Firefox v1.5 or later, Mozilla v1.7
Mac OS X: Mozilla Firefox v1.5 or later
2 Using https://, point your browser to the IP address or host name of the Novell ZENworks
Network Access Control server (for example, https://10.0.64.25).
3 You might be prompted with a security alert because Novell ZENworks Network Access
Control uses a secure communication connection (SSL) (Figure 3-10 on page 43). Click Yes.
The Accept license agreement window appears (Figure 3-10 on page 43).
4a If you do not wish to accept the license agreement, click I do not accept this
license agreement, or
4b Read the Novell ZENworks Network Access Control End-User License Agreement
(EULA) and select I Accept this license agreement.
4c Click Next. The Enter management server settings window appears.
Figure 3-12 Enter Management Server Settings Window
novdocx (en) 24 March 2009
5 The Date and time area is prepopulated with values entered during the initial installation
process. Change any of the following if necessary:
Region — Select a region from the drop-down list.
Time zone — Select a time zone from the drop-down list.
NTP servers — Enter one or more Network Time Protocol (NTP) servers, separated by
commas. The NTP protocol allows Novell ZENworks Network Access Control to
synchronize its date and time with other endpoints on your network. For example,
time.nist.gov.
6 The Network settings area is prepopulated with values entered during the initial installation
process. Change any of the following if necessary:
Host name — Enter a Fully Qualified Domain Name (FQDN). For example,
crocus.mycompany.com.
DNS IP address — Enter one or more DNS resolver IP addresses, separated by commas,
semicolons, or spaces. For example, 10.0.16.100,10.0.1.1.
44Novell ZENworks Network Access Control Installation Guide
7 If you use a proxy server, configure it as follows:
7a Select the Use a proxy server for Internet connections check box.
Connecting to the Internet is necessary for updating tests, validating license keys, and
sending support packages.
7b Enter the IP address of the server that will act as the proxy for Internet connections in the
Proxy server IP address text box.
7c Enter the port used for connecting to the proxy server in the Proxy server port text
box. For example, 8080.
7d If your proxy server is authenticated, select the Proxy server is
authenticated check box and enter the following:
1. Select the scheme used to authenticate credentials on the proxy server from the
Authentication method drop-down list. The following methods are supported:
Basic — The original and most compatible authentication scheme for HTTP. It is
also the least secure because it sends the user ID and password to the server
unencrypted.
Digest — Added in the HTTP 1.1 protocol, this scheme is significantly more secure
than basic authentication because it never transfers the actual password across the
network, but instead uses it to encrypt a nonce value sent from the server.
novdocx (en) 24 March 2009
Negotiable — Using this scheme, the client and the proxy server negotiate a scheme
for authentication. Ultimately, either the basic or digest scheme will be used.
2. Enter the ID of a user account on the proxy server in the User name text box.
3. Enter the password of the user account having the ID specified in User ID in the
Password text box.
4. To help confirm accuracy, type the same password you entered into the Password
text box in the Re-enter password text box.
8 Click Next. The Enter license key window appears.
Figure 3-13 Enter License Key Window
9 On the Enter license key window, in the License key field copy and paste your
Novell ZENworks Network Access Control license key, which was emailed to you as a text
file. Click Next. The Create administrator account window appears.
NOTE: An internet connection is required to register/activate the license. The license key is
registered to the server once the activation is complete and cannot be moved to another
machine without first contacting Novell Support (http://www.novell.com/support).
TIP: The double-equal sign (==) is part of the license key. Include it with the rest of the key.
IMPORTANT: If you use a proxy server, your license key will not validate from this window
unless you have performed Step 7 on page 45.
Figure 3-14 Create Administrator Account Window
10 On the Create administrator account window, create the initial Novell ZENworks
Network Access Control administrator account. (This is not the same as the server’s root
account that you created in during installation.)
10a Enter a User ID and Password. We suggest the password be at least eight characters
with a mix of numbers and letters.
novdocx (en) 24 March 2009
10b Click Finish.
10c The final step of creating the single-server installation is to configure the default
Enforcement cluster. See the Novell ZENworks Network Access Control Users Guide for
instructions on editing Enforcement clusters.
TIP: In the case of a single-server installation, the MS and ES are on the same server and
the ES is automatically joined to a default Enforcement cluster. You can change the name
of the Enforcement cluster from the user interface. See the Novell ZENworks Network
Access Control Users Guide for instructions on editing Enforcement clusters.
Creating an Enforcement Cluster
When creating a multiple-server installation (the MS and ES are installed on different servers), you
must create the clusters before you join the ESs to the cluster.
To create (name) the Enforcement cluster:
1 Using https://, point your browser to the IP address or host name of the Novell ZENworks
Network Access Control server (for example, https://10.0.64.25).
46Novell ZENworks Network Access Control Installation Guide
2 Using the administrator User ID and Password you created in Step 10 on page 46, log in to
the Novell ZENworks Network Access Control user interface. The Novell ZENworks
Network Access Control Home window appears:
Figure 3-15 Novell ZENworks Network Access Control Home Window
novdocx (en) 24 March 2009
NOTE: The Novell ZENworks Network Access Control home window displays the System
configuration menu option only for users with administrator permissions. You will see different
menu options based on your permissions, which are defined as user roles.
3 Select System Configuration. The System configuration, Enforcement
clusters & servers window appears:
Figure 3-16 Enforcement Clusters & Servers
novdocx (en) 24 March 2009
48Novell ZENworks Network Access Control Installation Guide
4 Click Add an Enforcement cluster. The Add an Enforcement cluster
window appears, with the General menu option selected by default.
Figure 3-17 Add Enforcement Cluster Window
novdocx (en) 24 March 2009
5 In the Add Enforcement cluster window, General area, enter a name for the cluster
in the Cluster name field.
6 On the NAC policy set drop-down list, select Default.
7 Before Novell ZENworks Network Access Control is fully functional, you must select the
operating parameters for each cluster; however, you do not have to do this now. When you are
ready to configure the clusters, refer to the “Adding a cluster” section in the Novell ZENworks Network Access Control Users Guide.
8 Click ok to save the cluster and return to the System configuration window.
1 Click add an enforcement server. The Add enforcement server window
appears:
Figure 3-18 Add Enforcement Server Window
novdocx (en) 24 March 2009
2 Select the cluster name for this enforcement server from the Cluster drop-down list.
3 Enter the IP address of this enforcement server in the IP address text box.
4 The SSH user name must be for an account with sufficient privileges to install certificates.
Enter the user name in the SSH User name text box.
5 Enter the SSH password for the SSH username account on this enforcement server in the SSH
Password text box.
6 Re-enter the SSH password for the SSH username account on this enforcement server in the
Re-enter SSH Password text box.
50Novell ZENworks Network Access Control Installation Guide
7 Click ok to add the server. A progress window appears. It can take a minute or so to add the
server. The System configuration window appears showing the server joined to the
cluster:
Figure 3-19 System configuration, Enforcement Clusters & Servers Window
novdocx (en) 24 March 2009
8 Click ok to return to the Home window.
IMPORTANT: The MS must have the same version of software installed as the ES you are adding
or you will get an exception error. If you are upgrading an existing system, upgrade the MS, then
add new ESs. The upgrade process will automatically upgrade any existing ESs.
Disk space (36 GB (or greater)) *: ___________________________________________
Two (standard/802.1X) server-quality NIC cards (Intel) *: ________________________
CD-ROM drive *
Internet connection with outbound SSL communications *
NOTE: You must have access to the following:
For license validation and test updates:
http://nacupdate.novell.com port 443 *
For software and operating system updates:
http://nacdownload.novell.com port 80 *
Workstation running one of the following browsers with 128-bit encryption: *
Windows:
Mozilla Firefox 1.5 or later
Mozilla 1.7
Internet Explorer 6.0
Installation and Configuration Check List
55
Linux:
Mozilla Firefox 1.5 or later
Mozilla 1.7
Mac OS X:
Mozilla Firefox 1.5 or later
License key: * (cut and paste from the email you receive from Novell)
A.2 Installation Location
My office(s)
Server room(s)/Data center(s)
Test lab(s)
Production network(s)
I have access to the installation site(s)
I do not have access to the installation site(s)
novdocx (en) 24 March 2009
A.3 Installation Media
Required fields are indicated by a red asterisk (*).
One of the following: *
Install CD
(Request an install CD from Novell
ISO image.)
Upgrade link: (provided to Novell subscribers through email)
®
if you do not have experience creating a CD from an
A.4 IP Addresses, Hostname, Logins, and
Passwords
NOTE: This Installation and Configuration Checklist is a list of the items used in Novell
ZENworks
security best practice that you never write down passwords.
A.4.1 Single-server Installation
Required fields are indicated by a red asterisk (*).
The MS and ES are installed on the same physical server.
®
Network Access Control including passwords; however, Novell recommends as a
MS/ES IP address: * __________________________________________________________
MS/ES Netmask IP address (Network mask): * _____________________________________