Since the philosophy of Novell's ZENworks line of products is to reduce cost while increasing the productivity of managing servers, workstations, and networks, it was only a matter of time before a clientless solution was introduced. ZENworks for Desktops 4 introduces a new architecture that enables you to manage workstations that do not have the Novell client installed on them.
This allows you to use the ZENworks for Desktops management features to distribute applications, maintain hardware and software inventory, create images and remotely manage workstations that do not have a Novell client installed, whether they reside inside or outside of your corporate firewall.
ZENworks for Desktops 4 includes new components that allow for Web-based delivery of ZENworks services through a Web browser. This section discusses the components that allow the ZENworks workstation management tools to work without an installation of the Novell client on the workstation.
The ZENworks for Desktops Management agent is a small set of workstation applications that enable the workstation to be managed from a ZENworks for Desktops server. You can install the Management agent on a workstation that does not have the Novell client or on workstations that do have the Novell client. The agent provides full functionality regardless of whether the client is present. If the client is present, however, the Management agent may use some client features to provide additional access points (for example, when no Middle Tier server is specified). Additionally, if the client is present and for some reason cannot make connections to the services needed, the ZENworks for Desktops Management agent will automatically divert its requests through any specified Middle Tier Web server.
You can install the following Management agent components on a workstation:
• Application Management—Provides users with access to distributed desktop applications through the Novell Application Launcher (NAL).
• Workstation Manager—Allows administrators to configure and manage workstations through Novell eDirectory.
• Workstation Inventory—Collects hardware and software inventory information from scanned workstations, thus allowing administrators to track and manage what hardware and software is currently installed on managed workstations.
• Remote Management—Allows administrators to remotely manage workstations through a remote console.
• Workstation Imaging—Allows administrators to create an image of a workstation's hard drive and put it on other workstations over the network.
Corporate firewalls are simply combinations of hardware and software that restrict access to the internal corporate network from the rest of the Internet. This feat is accomplished by restricting access to certain addresses and ports.
The ZENworks for Desktops Middle Tier server is a NetWare or Windows 2000 server that has ZENworks agents installed in the SYS:XTIER directory on NetWare servers and <Windows Source Drive>:oneNet directory on Windows 2000 servers. These agents provide the NCP communication necessary to provide clientless authentication to the network as well as facilitate ZENworks for Desktops workstation management traffic to and from a clientless workstation. Clientless workstations attach through the DNS name or IP address of the Middle Tier server.
The ZENworks for Desktops Middle Tier server must have one of the following Web server engines running on it to provide the HTTP communication between the workstations' browser and the Middle Tier agents:
• NetWare 6—Apache HTTP Server (Shipping)
• NetWare 5.1—Apache HTTP Server (version 1.3.22)
• Windows 2000—Microsoft IIS Web Server (Shipping)
The ZENworks for Desktops server provides the final piece of the clientless workstation management model by providing NCP access between the administrator using the ZENworks for Desktops management tools and the Middle Tier server that is providing the HTTP communication to the clientless workstation. The ZENworks for Desktops server can treat the clientless workstation as any normal managed workstation and can distribute files to it, gather inventory data, and provide remote control sessions.
The ZENworks for Desktops management agent allows a clientless workstation to authenticate to the network by establishing an HTTP connection, at port 80 and port 443, to a ZENworks for Desktops Middle Tier server. The workstation can be inside or outside the corporate firewall.
When a workstation authenticates to a ZENworks for Desktops Middle Tier server, the Middle Tier server establishes an NCP connection to a ZENworks for Desktops server. The ZENworks for Desktops 4 server can be in the same eDirectory tree or a different tree; however, user licenses are only consumed in the eDirectory tree that the ZENworks for Desktops 4 server is installed in. The capability to connect through a Middle Tier server that does not belong to the same tree enables ZENworks to provide a much more secure and dynamic clientless access environment. It does this by separating the access point from corporate data and services.
Once a clientless workstation has authenticated to the network through a ZENworks for Desktops Middle Tier server, the ZENworks for Desktops policies and application distributions can use the HTTP to NCP series of connections to manage the workstation. In other words, NAL Application objects can be applied on the workstation, the workstation can be remotely managed, and inventory data can be collected from it.
This can be an extremely powerful tool for managing user workstations that must access the network through the corporate firewall.
For example, administrators can use the ZENworks for Desktops Management agent to manage corporate PCs that employees have at home because they work from a home office, or occasionally work from home. Corporate applications can be distributed to the home office workstation, the workstation can be remotely managed, and inventory can be tracked.
Another example of when this feature can be useful is with remote sales offices that reside outside the corporate firewall.
The ZENworks for Desktops Middle Tier server works mostly in the background to allow you to manage clientless workstations the same as you do workstations that have the Novell Client installed. Once it is installed and configured, there is not much maintenance involved. However, there are times when you'll need to interact with the Middle Tier server. The following sections discuss tasks such as logging into, viewing the status of, starting and stopping, and modifying settings for the Middle Tier server.
When you have installed the ZENworks for Desktops Management agent on a workstation that does not have a Novell Client installed, you can configure the Windows NT/2000/XP workstation to display the ZENworks Middle Tier Authentication dialog box on startup or when user authentication is requested. You can also specify whether users can change the ZENworks for Desktops Middle Tier server address.
If you have only one Middle Tier server or if you have restricted access through the ZENworks for Desktops Middle Tier server, you should not allow users to change the Middle Tier server address. This allows you to control which users access the network through a specific server.
However, if you have several Middle Tier servers and are less restrictive about which server your users can authenticate through, allowing users to change the address of the ZENworks for Desktops Middle Tier server will make accessing the network easier. Consider this option if users might need to access different Middle Tier servers to gain access to different resources on the Internet.
Logging into the network using the Middle Tier login page works the same as the Novell Client login page. The users must enter their network user IDs and passwords. Once users click OK, they will be authenticated to the network.
You can also use a pass-through method to authenticate to the network by disabling the login page when you install the ZENworks for Desktops agent. This allows you to use only the workstation login page to authenticate to the network as long as the user ID and passwords are synchronized between the local workstation and the network. If the passwords are not synchronized, a second login prompt will appear after the user enters their ID and password to log in to the local machine.
Once you have installed and configured the ZENworks for Desktops Middle Tier server, you can view the current request statistics at any time. This allows you to determine whether the Middle Tier server is currently up, view the number of current requests and sessions, see the bytes read and written, and view any failures that have occurred while clientless workstations tried to authenticate.
If the ZENworks for Desktops Middle Tier server is running, you can access the statistics page, shown in Figure 4.2, by accessing the following Web page:
http://Server_DNS_or_IP/oneNet/xtier-stats
Figure 4.2. xtier-stats XML page for a ZENworks for Desktops Middle Tier server in Internet Explorer.
In addition to viewing the statistics for the ZENworks for Desktops Middle Tier server, you might also want to look at the currently active sessions through the xtier-session page. This page allows you to see the DN, session ID, number of requests, session timeout setting, login time, and last request time of all sessions that are currently active on the Middle Tier server. You can use the xtier-session page to monitor access as well as troubleshoot session problems on the Middle Tier server.
Running xtier-session will show only your session, whereas an administrator can see all sessions with the xtier-sessions command.
If the ZENworks for Desktops Middle Tier server is running, you can access the xtier-session page, shown in Figure 4.3, by accessing the following Web page:
http://Server_DNS_or_IP/oneNet/xtier-sessions
Figure 4.3. xtier-session XML page for a ZENworks for Desktops Middle Tier server in Internet Explorer.
Another page that you might find useful when managing the ZENworks for Desktops Middle Tier server is the xtier-ncplstats page. This page allows you to see statistical information about modules that are currently active on the Middle Tier server. This information can be useful when you are troubleshooting issues across the Middle Tier server. For example, if you are troubleshooting the process of importing workstations across the Middle Tier server, you can look at the module information about the ZEN-XWSIMPORT module to see whether threads are running and events are being seen (to determine whether the Middle Tier server is receiving import data from the clientless workstation).
If the ZENworks for Desktops Middle Tier server is running, you can access the xtier-ncplstats page, shown in Figure 4.4, by accessing the following Web page:
http://Server_DNS_or_IP/oneNet/xtier-sessions
Figure 4.4. xtier-ncplstats XML page for a ZENworks for Desktops Middle Tier server in Internet Explorer.
You might need to stop the Middle Tier server at times to inhibit users from authenticating through it or to perform maintenance on the server. When the Middle Tier server is stopped, users cannot authenticate to the network through it and you cannot manage workstations through it.
You can execute the following commands at the NetWare console of the server where you installed the ZENworks for Desktops Middle Tier server:
• nvxadmdn—Executes the NVXADMDN.NCF script that halts the ZENworks for Desktops Middle Tier server.
• nvxadmup—Executes the NVXADMUP.NCF script that restarts the ZENworks for Desktops Middle Tier server after it has been halted.
On Windows 2000, go to the Internet Services Manager and click on the properties of your Web site. Then, from the ISAPI Filter tab, you can disable and enable the oneNet filter.
User sessions that have been established through the ZENworks for Desktops Middle Tier server will time out after 10 minutes of inactivity by default. Once that threshold has been reached and the session has timed out, users are required to re-authenticate when they attempt to access the session.
You can increase the session timeout threshold if you have users that access the network through a Middle Tier server. You can use the NSADMIN utility located at the following Web address to increase or decrease the default timeout:
http://middle_tier_server_IP_address_or_DNS_name/oneNet/nsadmin
When you enter this address in your Web browser, you are asked to authenticate to the utility using your network user ID and password. Once you have authenticated to the NSADMIN utility, you will see the General settings page by default. You can also access the General settings page by selecting Manage Xtier, General.
To increase the session timeout, you need to increase the value of the Session Timeout field on the General settings page, shown in Figure 4.5. The Session Timeout specifies the session length in seconds using hexadecimal notation. The default value is 0x258 (decimal 600, which is 10 minutes). You can increase this value to allow users a greater amount of inactivity time before the session is timed out.
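The session fields listed for the xtier-sessions page and the hexadecimal Session Timeout field can be combined into a simple monitoring check. The Python below is an added example, not code from the book or from Novell; the XML element and attribute names, the sample sessions, and the function names are assumptions, since the page does not show the actual markup.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample. The real xtier-sessions markup is not shown on the page,
# so these element and attribute names are assumptions for illustration only.
SAMPLE_SESSIONS_XML = """\
<sessions>
  <session id="0001" dn="CN=jsmith.OU=sales.O=example" requests="42"
           timeout="0x258" login="2003-01-15T08:00:00" last="2003-01-15T08:04:00"/>
  <session id="0002" dn="CN=akhan.OU=home.O=example" requests="3"
           timeout="0x258" login="2003-01-15T07:30:00" last="2003-01-15T07:41:00"/>
  <session id="0003" dn="CN=admin.O=example" requests="310"
           timeout="0x7080" login="2003-01-15T06:00:00" last="2003-01-15T08:09:00"/>
</sessions>
"""

DEFAULT_TIMEOUT = 0x258  # 600 seconds (10 minutes), the default stated in the text


def minutes_to_field(minutes):
    """Value for the Session Timeout field: seconds, written in hexadecimal."""
    if minutes <= 0:
        raise ValueError("timeout must be positive")
    return hex(minutes * 60)


def review_sessions(xml_text, now):
    """Return (session id, finding) pairs for sessions that merit a closer look."""
    findings = []
    for s in ET.fromstring(xml_text).iter("session"):
        timeout = int(s.get("timeout"), 16)  # hex seconds, "0x" prefix accepted
        idle = (now - datetime.fromisoformat(s.get("last"))).total_seconds()
        if timeout > DEFAULT_TIMEOUT:
            # A longer inactivity window than the 10-minute default.
            findings.append((s.get("id"), f"timeout {timeout}s exceeds default"))
        if idle > timeout:
            # Still listed although the inactivity threshold has passed.
            findings.append((s.get("id"), f"idle {int(idle)}s, past timeout"))
    return findings


if __name__ == "__main__":
    print("30 minutes ->", minutes_to_field(30))
    for sid, finding in review_sessions(SAMPLE_SESSIONS_XML,
                                        datetime(2003, 1, 15, 8, 10, 0)):
        print(sid, finding)
```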