Environment
Situation
Resolution
Browser access (IE only) to the ZDM Middle Tier server for access to plugins and NAL applications:
http(s)://[Middle Tier server]/myapps.html
When accessing the Middle Tier server from an IE browser, plugins will be installed on the workstation and several registry keys will be created with information on how the plugins will connect to the Middle Tier server. The values created in these registry keys are determined by the "codebase" and "MiddleTierAddress" URLs as configured in file sys:/apache2/htdocs/myapps.html on the Middle Tier server (NetWare).
When using iChain to access the Middle Tier server these URLs may require rewriting. Be sure to verify that the values of these URLs in myapps.html specify the correct protocol (http or https), port, and DNS name so that they match the Middle Tier accelerator's web server protocol, port, and Alternate Host Name. This will allow iChain's internal rewriter to modify the URLs appropriately for access through the accelerator.
Workstations with the full ZDM Agent installed for access to ZDM policies, NAL, etc. have registry keys which determine how the connection to the ZDM server is attempted. The values of these keys are determined during installation of the ZDM Agent and can optionally be edited during the GINA login process if allowed. Only a DNS Name and port can be specified. Do not specify the protocol (http/https). If port 443 is entered, HTTPS is assumed. Any other port number will cause the connection to be attempted over HTTP.
When using iChain between the Agent and the ZDM server, specify the DNS Name and port configured on the public side of the accelerator. If Secure Exchange is enabled, specify port 443. If Secure Exchange is not enabled, specify the configured http port.
Known issues:
100369499: The ZDM agent and plugins cannot be used through path-based multi-home accelerators.
ZDM agent and plugins assume port 443 is always HTTPS, all others HTTP.
Workstation imaging and Remote Wakeup is not supported through iChain.
Accelerator configuration notes:
Typical accelerator options such as Secure Exchange (one or both sides of proxy), Alternate host name, domain-based and non multi-home can be used as appropriate. If Secure Exchange is enabled, only port 443 can be used as the "SSL listening port".
Configure the accelerator for the Middle Tier and/or ZDM server to use an LDAP type authentication profile which has option "Allow authentication through NetIdentity" enabled. The "NetIdentity Realm" field is case-sensitive and should match the realm name used by the Middle Tier server (normally the treename, uppercase).
For the internal rewriter to properly rewrite the MiddleTierServer URL, the following entry in rewriter.cfg is required:
value
To successfully download the ZDM plugins through an accelerator with Secure Exchange enabled, accelerator option "Allow pages to be cached at the browser" must be enabled.
ZDM configuration notes:
Edit the myapps.html file. The codebase and MiddleTierAddress URLs should use the appropriate protocol (http or https), port, and DNS Name to match the Middle Tier accelerator's web server settings for protocol, Alt Host Name, and port. This match is necessary so that iChain rewriting can occur properly. The example below shows snippets from a modified myapps.html:
codebase="http://rle-1b.rle.st.novell.com:80/nls/English/ZfdInstallMgr.cab#Version=7,0,0,0".
http://rle-1b.rle.st.novell.com:80">
where:
- http is the protocol used by the accelerator between iChain and the Middle Tier server
- "rle-1b.rle.st.novell.com" is the Alternate host name configured on the accelerator
- 80 is the http port
If Secure Exchange was enabled between iChain and the Middle Tier, the above URLs should specify https:// and port 443.
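The following check script is an added example, not part of the original document or of any Novell product: it extracts the codebase and MiddleTierAddress URLs from a myapps.html fragment and compares their scheme, host and port against the accelerator's public-side settings, and it also shows the port-to-protocol rule the ZDM Agent applies (443 means HTTPS, anything else HTTP). The sample myapps.html fragment is constructed here; the PARAM element layout around MiddleTierAddress is an assumption, while the host and port values come from the snippet above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the myapps.html snippet above; the PARAM layout is assumed.
SAMPLE_MYAPPS = """
<OBJECT codebase="http://rle-1b.rle.st.novell.com:80/nls/English/ZfdInstallMgr.cab#Version=7,0,0,0">
  <PARAM NAME="MiddleTierAddress" VALUE="http://rle-1b.rle.st.novell.com:80">
</OBJECT>
"""

def extract_urls(html):
    """Pull the codebase and MiddleTierAddress URLs out of myapps.html text."""
    found = {}
    m = re.search(r'codebase="([^"]+)"', html, re.I)
    if m:
        found["codebase"] = m.group(1)
    # Non-greedy skip covers both MiddleTierAddress="..." and a PARAM VALUE="..." layout.
    m = re.search(r'MiddleTierAddress.*?"(\w+://[^"]+)"', html, re.I | re.S)
    if m:
        found["MiddleTierAddress"] = m.group(1)
    return found

def accelerator_origin(alt_host, secure_exchange, http_port=80):
    """Scheme/host/port the browser reaches on the accelerator's public side.
    With Secure Exchange enabled iChain only allows 443 as the SSL listening port."""
    if secure_exchange:
        return ("https", alt_host.lower(), 443)
    return ("http", alt_host.lower(), http_port)

def url_origin(url):
    """Normalise a URL to (scheme, host, port), applying default ports."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), p.hostname, port)

def check_myapps(html, alt_host, secure_exchange, http_port=80):
    """Return a list of mismatches; an empty list means the rewriter can match the URLs."""
    want = accelerator_origin(alt_host, secure_exchange, http_port)
    urls = extract_urls(html)
    problems = []
    for name in ("codebase", "MiddleTierAddress"):
        if name not in urls:
            problems.append(f"{name} URL not found in myapps.html")
            continue
        got = url_origin(urls[name])
        if got != want:
            problems.append(f"{name} is {got}, accelerator expects {want}")
    return problems

def agent_scheme(port):
    """The ZDM Agent has no protocol setting: port 443 implies HTTPS, any other port HTTP."""
    return "https" if int(port) == 443 else "http"
```

Run check_myapps() against the accelerator's Alternate Host Name with secure_exchange=True to see which URLs would still need to be switched to https and 443.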
Workstations must have the iChain accelerator's trusted root imported into IE's workstation store for trusted roots, not just the user's certificate store. Otherwise, the workstation login which occurs during the boot process and uses NetIdentity will fail.
SSO notes:
Use an LDAP authentication profile with option "Allow authentication through NetIdentity" enabled. The "NetIdentity Realm" name should match (case-sensitive) the realm name used by Xtier on the Middle Tier server (typically the eDir tree name).
Troubleshooting:
Browsing to myapps.html through iChain gives standard iChain login form instead of NetIdentity style login pop-up:
Probably a trusted root problem. If registry setting hklm/software/novell/client/policies/NetIdentity/Strict Trust is set to 1 (enabled) or is not present (this is the default for the NetIdentity plugin and is enabled), the IE browser must have the trusted root certificate used by the iChain accelerator in its trusted root store.
Unable to login to Middle Tier server (myapps.html doesn’t show username, not being prompted for login, NAL app’s not showing up, etc):
Check the registry settings under hklm/software/novell/zenworks for MiddleTierAddress and MiddleTierPort to verify correctness. Incorrect values may mean iChain's rewriter is not working as expected, usually due to configuration of the accelerator and/or myapps.html URL values (no match in scheme/host/port of the MiddleTierServer URL and the accelerator) or lack of the javascript "value" entry in rewriter.cfg as detailed elsewhere in this document.
"Error: Plugin Install Error" when attaching to Middle Tier to install the Plugins:
- If Secure Exchange is enabled on the accelerator, make sure accelerator option "Allow pages to be cached at the browser" is enabled.
Not seeing "Connected" status after attaching to myapps.html with browser and plugins:
Make sure the CA of the certificate used by the iChain accelerator is imported into the browser's Trusted Root store.
Miscellaneous:
- Registry setting hklm/software/novell/client/policies/NetIdentity/Strict Trust is set to 0 (disabled) by default when installing the ZDM Agent which includes the NetIdentity client. If using only the ZDM Plugins for access to myapps.html, Strict Trust is left at the default of 1 (enabled).
- The following iChain features have been tested successfully with ZDM features such as NAL, User Policies, Group Policies, Extensible Policies, Workstation Policies and Management, etc:
- Proxy authentication with NetIdentity
- Secure Exchange (one and both sides of proxy)
- Alternate Host Name
- SSO (using NetIdentity)
- Domain-based multi-homing