Product Interoperability: Novell ZENworks for Desktops 6.5 and Novell iChain

  • 3287432
  • 12-Sep-2006
  • 30-Apr-2012

Environment

Novell ZENworks for Desktops 6.5
Novell iChain 2.3
Novell iChain 2.3 SP1

Situation

Agent and Plugin port issues when iChain redirects or uses non-standard ports.

Workstation policies will not push via iChain when iChain authentication is enabled.

MiddleTierAddress registry setting with protocol causes connection failure, see TID 10092583.

Resolution

Novell iChain 2.2 Support Pack 2 and ZENworks 6.5 Desktop Management Interoperability
Novell ZENworks 6.5 Desktop Management and Novell iChain 2.2 Support Pack 2 (and earlier) are completely non-compatible, except through a tunnel.

Novell iChain 2.3 Support Pack 1 and ZENworks 6.5 Desktop Management Interoperability Testing Results
Novell ZENworks 6.5 Desktop Management was tested for compatibility with Novell iChain 2.3 SP1. The testing was conducted in a network environment where user workstations had only the ZENworks Desktop Management Agent installed, because the Novell Client (using NCP communication) does not work through iChain (with the exception of configuring iChain 2.3 in non-secure settings).
Typical iChain configuration settings were tested in this environment, including Alt Host Name, Secure Exchange, Secure Fill, Authentication using NetIdentity, and with Realm names set the same and differently.

General Interoperability Test Findings
The following general interoperability facts were validated during the testing:

  • Workstation policies, Workstation Inventory, Remote Management, and other ZENworks components do not work with iChain 2.3 due to a non-compatible version of proxy.nlm. The proxy.nlm file included with iChain 2.3 Support Pack 1 (SP1) supports Workstation Management (policy distribution), Workstation Inventory, Application Management, and Remote Management. These components operate normally with iChain 2.3 SP1.
    iChain multi-homing features are not supported by ZENworks 6.5 Desktop Management.
  • If Secure Exchange between iChain and the workstation is enabled on the accelerator for the Middle Tier Server, you must use only port 443 for SSL (as specified in the MiddleTierAddress value in myapps.html and the accelerator’s configuration).
  • If Secure Exchange is enabled on the Middle Tier accelerator, make sure that you enable the accelerator option "Allow pages to be cached at the browser" or the users will be unable to download the ZENworks 6.5 Desktop Management myapps.html plug-ins. For more information, see TID 10075939 in the Novell Knowledgebase.
  • For successful authentication to iChain and the ZENworks Middle Tier Server, ZENworks 6.5 Desktop Management workstations must import the iChain Trusted Root Certificate and save it to the local workstation store. For more information, see "Setting Up Security Measures" in the ZENworks 6.5 Desktop Management Installation Guide.
  • Mobile workstations connecting from both the public and private side of the iChain 2.3 SP1 server are typically required to change the Middle Tier DNS name and port address as they change locations. For ZENworks 6.5 Desktop Management plug-in configurations, this requires a manual registry change. When the full Desktop Management Agent is installed, the login GINA provides fields to modify these values.

Specific Interoperability Test Findings
Several specific interoperability facts that were validated during testing are listed in the table below.

Functionality

Behavior

Authentication

  • NetIdentity can be used to provide Single Sign-On to iChain and to the ZENworks 6.5 Middle Tier Server. NetIdentity must be enabled on the accelerator's authentication profile and the Realm Names must be identical.

  • Workstation authentication does not work with iChain 2.3. The proxy.nlm included in iChain 2.3 SP1 supports workstation authentication.

Automatic Workstation Import

  • Workstations import through iChain at the time of user authentication, which is the same as without iChain.

  • The zenwsimport DNS name must be configured in the hosts file on the Middle Tier Server with no other DNS server resolving the "zenwsimport" DNS name.

User Policies

  • Dynamic Local Users (DLU) works the same as it does without iChain.

  • iPrint policy works the same as it does without iChain.

  • Extensible Policy works the same as it does without iChain.

  • Group Policy works the same as it does without iChain.

  • Password-Based Remote Management behaves as usual (that is, an additional port (1761) through the firewall must be open). When a Remote Management session is being established, some workstation to Middle Tier HTTP traffic occurs through iChain.

Workstation Policies

  • Agent policy works the same as it does without iChain.

  • iPrint policy works the same as it does without iChain.

  • Extensible Policy works the same as it does without iChain.

  • Group Policy works the same as it does without iChain.

  • Password-Based Remote Management behaves as usual (that is, an additional port (1761) through the firewall must be open). When a Remote Management session is being established, some workstation to Middle Tier HTTP traffic occurs through iChain.

  • Inventory policy works the same as it does without iChain.

Novell Application Launcher Distributes Applications (Simple, AOT, AXT, MSI, Web) to Users

  • Users authenticate automatically.

  • "Work Online/Offline" toggle functions correctly.

  • Myapps.html access works but requires additional configuration. For more information, see Myapps.html notes below.

  • Applications are distributed normally.

Novell Application Launcher Distributes Applications (Simple, AOT, AXT, MSI, Web) to Workstations

  • Workstation Helper authenticates automatically during login.

  • "Work Online/Offline" toggle functions correctly.

  • Myapps.html access works but requires additional configuration. For more information, see Myapps.html notes below.

  • Applications are distributed normally.

Workstation Imaging

Not supported with an iChain 2.3 SP1 connection.

Remote Wake-On-LAN

Not supported with an iChain 2.3 SP1 connection.

Application Distribution through Myapps.html.

  • Before users can access the Middle Tier Server, you need to edit the URL values for "MiddleTierAddress" and the codebase for "ZfdWebInstallerOcx" in apache/nwdocs/myapps.html on the Middle Tier Server as necessary. (By default, these parameters are set to the Middle Tier Server’s local address, and hard-coded for HTTP port 80. The values configured in myapps.html become registry settings at the workstation after installing plug-ins.)

    When accessing the Middle Tier Server through iChain, the URLs configured in myapps.html are critical and can be especially problematic if not configured correctly.

  • Including an Internet protocol (that is, http:// or https://) in the workstation's MiddleTierAddress registry prevents a workstation connection to the ZENworks 6.5 Middle Tier Server; yet, with no protocol specified, iChain cannot rewrite the URL reference for use by public-side workstations and connections will fail anyway.

    To avoid the connection problem, ZENworks 6.5 alters the MiddleTierAddress registry setting so that it does not include the protocol even if it is present in the URL sent from the Middle Tier server. This alteration, however, requires that you perform further configuration for iChain rewriting to occur. For more information, see "Configuring Myapps.html to Interoperate with iChain," below.

Configuring Myapps.html to Interoperate with iChain
Including an Internet protocol (that is, http:// or https://) in the workstation's MiddleTierAddress registry prevents a workstation connection to the ZENworks 6.5 Middle Tier Server; yet, with no protocol specified, iChain cannot rewrite the URL reference for use by public-side workstations and connections will fail anyway.

To avoid the connection problem, ZENworks 6.5 alters the MiddleTierAddress registry setting so that it does not include the protocol even if it is present in the URL sent from the Middle Tier server. This alteration, however, requires that you perform further configuration for iChain rewriting to occur. Use the following steps:

1. Edit myapps.html and include the protocol in the MiddleTierAddress parameter. For example:

\

2. Make the following entry in iChain's rewriter configuration file (sys:/etc/proxy/rewriter.cfg):

[Javascript Variables]
value
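
An added example, not part of the original TID or Novell's code: a Python pre-flight check for the two steps above and for the port 443 rule that applies when Secure Exchange is enabled. The host name mt.example.com, the function names and the extra rewriter.cfg section are constructed, and the parser assumes rewriter.cfg holds bare entries under bracketed section headers as shown above.

```python
from urllib.parse import urlsplit

# Constructed sample of sys:/etc/proxy/rewriter.cfg; only the
# [Javascript Variables] / value entry comes from the page.
SAMPLE_REWRITER_CFG = """\
[Example Other Section]
example-entry

[Javascript Variables]
value
"""

def check_middle_tier_address(value, secure_exchange):
    """Return a list of problems with a myapps.html MiddleTierAddress value."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https"):
        return ["no http:// or https:// prefix; iChain cannot rewrite the URL"]
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return ["port is not a valid number"]
    if port is None:               # fall back to the protocol's default port
        port = 443 if parts.scheme == "https" else 80
    if secure_exchange and parts.scheme == "https" and port != 443:
        return ["Secure Exchange is enabled but SSL port is %d, not 443" % port]
    return []

def rewriter_sections(text):
    """Group bare entry lines under their [Section] header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def rewrites_value_variable(text):
    """True if 'value' is listed under [Javascript Variables]."""
    return "value" in rewriter_sections(text).get("Javascript Variables", [])

if __name__ == "__main__":
    for addr in ("https://mt.example.com", "mt.example.com",
                 "https://mt.example.com:8443"):
        result = check_middle_tier_address(addr, secure_exchange=True)
        print(addr, "->", result or "ok")
    print("rewriter.cfg ok:", rewrites_value_variable(SAMPLE_REWRITER_CFG))
```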

Additional Information

Formerly known as TID# 10092443
For ZfD 4.01 documentation see: TID 3016754
For ZDM 7 documentation see: TID 3277158