Using ZfD over a VPN connection

  • 3355825
  • 08-Jun-2007
  • 30-Apr-2012

Environment

Novell ZENworks 6.5 Desktop Management - ZfD6.5 SP1a
Novell ZENworks for Desktops 4.0.1 - ZfD4.0.1 IR6
Novell ZENworks Automatic Workstation Import
Novell ZENworks Automatic Workstation Removal
Novell ZENworks Desktop Management
Novell ZENworks Remote Management
Novell ZENworks Management Agent
Novell ZENworks Management Agent + Client
Novell Application Launcher (NAL)
Novell ZENworks Inventory
Novell ZENworks Middle Tier

Situation

Using ZfD over a VPN connection

Resolution

This document outlines the various behaviors of ZENworks 6.5SP1a Desktop Management and ZENworks for Desktops 4.0.1 Interim Release 6 (and higher) when used in conjunction with a VPN scenario. Specifically, this document describes what is expected to occur when an end user logs in Workstation Only to a machine, NAL starts in disconnected mode, the end user establishes a VPN connection, and eventually logs into eDirectory as the workstation object and/or the user object (either via client32 or via the middle tier).

Note: Testing VPN functionality should be done from outside the firewall. Unexpected, unsupported behavior will occur if the workstation is inside the firewall when testing VPN.

Automatic Workstation Import

Client32 + Agent machines - If the Client32 setting "Workstation Manager Login Event" is set to On, then automatic import of workstations can occur as soon as the user authenticates to eDirectory. User-based import will also work at this point (ie, the naming or location of the workstation object is dependent on the user logging in).

Agent Only machines - Automatic import of workstations will not occur after eDirectory authentication occurs. A manual execution of zwsreg.exe after the user is authenticated will work.

Automatic Workstation Removal
As soon as Workstation Manager logs in as the workstation object (see Workstation associated Policies below), it will update its LastRegisteredTime attribute. This is the attribute that AWR looks at to determine if workstation objects should be deleted.

User associated Policies

Client32 + Agent machines - If the Client32 setting "Workstation Manager Login Event" is set to On, then as soon as the user authenticates to eDirectory, scheduled User policies will be retrieved and scheduled. Any User policies retrieved that are scheduled for the User Login event or the Desktop Active event are triggered at this point.

Agent Only machines - User policies will not be retrieved after eDirectory authentication occurs, unless Workstation Manager is refreshed. If refreshed (either manually or via the Refresh Rate), scheduled User policies will take affect assuming the user has logged into eDirectory through the middletier.

User associated applications

Within 30 seconds of the user establishing an eDirectory authentication (either via client32 or via the midtier), NAL will detect the connection change and cause a refresh. This refresh will result in NAL being in Online mode.

NOTE: NAL detects the connection change on client32 + agent machines by querying client32's Connection table. If this table has changed since the last time NAL checked it (up to 30 seconds ago), then a NAL refresh is triggered. On every NAL refresh, the connection state is re-determined and then NAL behaves accordingly.

Workstation associated Policies

When the Workstation Manager service starts, it tries to login as the workstation object every 15 seconds. These attempts will fail, until access to the eDirectory tree is established (either via client32 or via the midtier). Once an eDirectory connection is available (ie, VPN connection established), Workstation Manager will login as the workstation object and scheduled Workstation policies will be retrieved and scheduled. Any Workstation Policies that are scheduled for Scheduler System Startup are triggered at this point.

NOTE: If you do not see your policies being processed from the network upon workstation object login, it is usually because the policies will not be retrieved from the network until the default policy cache timeout of 5 minutes is reached. To alleviate this potential issue, turn off ZENPOL caching by setting the DWORD value ZENPOL CACHE REFRESH to 0 underneath HKLM\Software\Novell\ZENworks (or you could set it to a low value... the value represents the number of seconds that the policy cache (ZENPOL OBJECTS) in the registry stays alive. Once this time elapses, the cache is refreshed from the network the next time policies have to be retrieved).

NOTE: Policy cache is enabled by default to reduce the network traffic caused by reading policy package settings multiple times during the bootup / login sequence. Some may not want this increased traffic and may not want to turn off policy cache. If this is the case, then you should either set the cache to a low value or schedule your policies based on time and not event, ie 12:00am - 11:55pm.

TIP: To see if policies are coming down to the workstation, run WMSCHED.EXE to see which policies have shown up, and read the Last Run column to see when each policy was last executed.

Workstation associated Applications

As soon as Workstation Manager logs in as the workstation object (see Workstation associated Policies above), it will start the NAL workstation helper. At this point, workstation associated applications are retrieved from the network.

NOTE: The NAL workstation helper is started (by default) 2.5 minutes after the Workstation Manager service is started (if the workstation object has not been logged in yet). Since you are offline at this point, the helper is started and is in disconnected mode, thus only showing apps from cache that are marked "Disconnectable". Once started, any cached force run workstation associated apps will be processed. However, not until a refresh of NAL will any workstation associated icons appear to the user. If you need the workstation associated application icons to show to the user before a refresh happens, you should lower the AuthenticateStartHelperCount to 1, as described inWorkstation Associated Applications do not show

NOTE: If the NAL workstation helper is already running before the workstation object logs in, then the NAL workstation helper will be stopped, and then started again upon workstation object login. This is done on purpose so that the workstation helper can be used in online mode. However, this also means Force Run workstation associated applications will run again due to the new session for the helper.

TIP: To see if NAL is connected as the workstation object, run NALDIAG (or hold down F2 while clicking on More inside the Properties of NAL) and the connection state is listed in the upper right-hand corner. Also, you could run MSINFO32 / choose Software Environment / choose Loaded Modules / and look for the existence of ZENAPPWS.DLL
Inventory

As long as the Workstation Inventory policy is read, the policy is scheduled and acted upon accordingly. See the Workstation associated Policies section to determine if the policy is being retrieved.
Remote Management

As long as port 1761 is open between the console workstation and the target workstation, Remote Management functions can work. The IP address that is updated on the workstation object upon login should be the VPN network address. For example, if after a Workstation Only login you have addressA, but after establishing a VPN connection you also have addressB, then the address written to the workstation object should be addressB, so the internal workstations can access the address for Remote Management functions. This address is updated via Workstation Manager immediately after the workstation object authenticates to eDirectory.

NOTE: With most Remote Management settings, the policy that is used is based on the registration state of the workstation - if the workstation is imported, then eDirectory policies will be the only policies in use. If the workstation is not imported, then the c:\program files\novell\zenworks\remotemanagement\rmagent\rmcfg.ini contains the policies in use. However, if the workstation is not imported, the NAT policy is not in affect. The Enable NAT and Prompt User for NAT policies are only in affect when the Directory based authentication is used (ie, the workstation is imported).

Additional Information

Formerly known as TID# 10096902

Feedback service temporarily unavailable. For content questions or problems, please contact Support.