Product Interoperability: ZENworks Desktop Management 7 and Novell iChain

  • 3277158
  • 12-Sep-2006
  • 30-Apr-2012

Environment

Novell iChain 2.3
Novell ZENworks Desktop Management 7 - ZDM7
Novell ZENworks Desktop Management 7 - ZDM7 Management Agent
Novell ZENworks Desktop Management 7 - ZDM7 Management Agent + Client
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 2

Situation

Can iChain and ZENworks be used on the same workstation?
Configuring the workstation to have seamless login with ZENworks, iChain and NetIdentity.

Resolution

Access URL’s:
  • Browser access (IE only) to the ZDM Middle Tier server for access to plugins and NAL applications:

    http(s):///myapps.html

    When accessing the Middle Tier server from an IE browser, plugins will be installed on the workstation and several registry keys will be created with information on how the plugins will connect to the Middle Tier server. The values created in these registry keys are determined by the "codebase” and "MiddleTierAddress” URL's as configured in file sys:/apache2/htdocs/myapps.html on the Middle Tier server (NetWare).

    When using iChain to access the Middle Tier server these URL's may require rewriting. Be sure to verify that the values of these URL's in myapps.html specifies the correct protocol (http or https), port, and DNS name so that they match the Middle Tier accelerator's web server protocol, port, and Alternate Host Name. This will allow iChain's internal rewriter to modify the URL's appropriately for access through the accelerator.

  • Workstations with the full ZDM Agent installed for access to ZDM policies, NAL, etc. have registry keys which determine how the connection to the ZDM server is attempted. The values of these keys is determined during installation of the ZDM Agent, and optionally can be edited during the GINA login process if allowed. Only a DNS Name and port can be specified. Do not specify the protocol (http/https). If port 443 is entered, HTTPS is assumed. Any other port number will cause the connection to be attempted over HTTP.

    When using iChain between the Agent and the ZDM server, specify the DNS Name and port configured on the public side of the accelerator. If Secure Exchange is enabled, specify port 443. If Secure Exchange is not enabled, specify the configured http port.

Known issues:

  • 100369499: The ZDM agent and plugins cannot be used through path-based multi-home accelerators.

  • ZDM agent and plugins assume port 443 is always HTTPS, all others HTTP.

  • Workstation imaging and Remote Wakeup is not supported through iChain.

Accelerator configuration notes:

  • Typical accelerator options such as Secure Exchange (one or both sides of proxy), Alternate host name, domain-based and non multi-home can be used as appropriate. If Secure Exchange is enabled, only port 443 can be used as the "SSL listening port”.

  • Configure the accelerator for the Middle Tier and/or ZDM server to use an LDAP type authentication profile which has option "Allow authentication through NetIdentity” enabled. The "NetIdentity Realm” field is case-sensitive and should match the realm name used by the Middle Tier server (normally the treename, uppercase).

  • For the internal rewriter to properly rewrite the MiddleTierServer URL, the following entry in rewriter.cfg is required:

[Javascript Variables]
value
  • To successfully download the ZDM plugins through an accelerator with Secure Exchange enabled, accelerator option "Allow pages to be cached at the browser" must be enabled.

ZDM configuration notes:

  • Edit the myapps.html file.The codebaseandMiddleTierAddress URL'sshould use the appropriate protocol (http or https), port, and DNS Name to match the Middle Tier accelerator's web server settings for protocol, Alt Host Name, and port. This match is necessary so that iChain rewriting can occur properly. Example below shows snippets from a modified myapps.html:

codebase="http://rle-1b.rle.st.novell.com:80/nls/English/ZfdInstallMgr.cab#Version=7,0,0,0".

http://rle-1b.rle.st.novell.com:80">

where:

- http is the protocol used by the accelerator between iChain and the Middle Tier server

-"rle-1b.rle.st.novell.com” is the Alternate host name configured on the accelerator

-80 is the http port

If Secure Exchange was enabled between iChain and the Middle Tier, the above URL's should specify https:// and port 443.

  • Workstations must have the iChain accelerator's trusted root imported into IE's workstation store for trusted roots, not just the user's certificate store. Otherwise, the workstation login which occurs during the boot process and uses NetIdentity will fail.

SSO notes:

Use an LDAP authentication profile with option "Allow authentication through NetIdentity” enabled. The "NetIdentity Realm” name should match (case-sensitive) the realm name used by Xtier on the Middle Tier server (typically the eDir tree name).

Troubleshooting:

  • Browsing to myapps.html through iChain gives standard iChain login form instead of NetIdentity style login pop-up:

Probably a trusted root problem. If registry setting hklm/software/novell/client/policies/NetIdentity/Strict Trust is set to 1 (enabled) or is not present (this is the default for the NetIdentity plugin and is enabled), the IE browser must have the trusted root certificate used by the iChain accelerator in its trusted root store.

  • Unable to login to Middle Tier server (myapps.html doesn’t show username, not being prompted for login, NAL app’s not showing up, etc):

Check the registry setting hklm/softwarew/novell/zenworks registry settings for MiddleTierAddress and MiddleTierPort to verify correctness. Incorrect values may mean iChain's rewriter is not working as expected, usually due to configuration of the accelerator and/or myapps.html URL values (no match in scheme/host/port of the MiddleTierServer URL and the accelerator) or lack of the javascript"value” entry in rewriter.cfg as detailed elsewhere in this document.

  • "Error: Plugin Install Error” when attaching to Middle Tier to install the Plugins:

  • If Secure Exchange is enabled on the accelerator, make sure accelerator option "Allow pages to be cached at the browser”is enabled.
  • Not seeing "Connected” status after attaching to myapps.html with browser and plugins:

Make sure the CA of the certificate used by the iChain accelerator is imported into the browser's Trusted Root store.

Miscellaneous:

  • Registry setting hklm/software/novell/client/policies/NetIdentity/Strict Trust is set to 0 (disabled) by default when installing the ZDM Agent which includes the NetIdentity client. If using only the ZDM Plugins for access to myapps.html, Strict Trust is left at the default of 1 (enabled).
  • The following iChain features have been tested successfully with ZDM features such as NAL, User Policies, Group Policies, Extensible Policies, Workstation Policies and Management, etc:
  • Proxy authentication with NetIdentity
  • Secure Exchange (one and both sides of proxy)
  • Alternate Host Name
  • SSO (using NetIdentity)
  • Domain-based multi-homing

Additional Information

For ZDM 6.5 documentation see: TID3287432
For ZfD 4.01 documentation see: TID3016754