ZENworks Configuration Management able to configure/enforce user-policies on a Windows-Terminal-Server?

The setup today sees an old eDir 8.8 SP4 (NetWare) which holds the user data for authentication to the data server (NetWare).

Network access for the users comes from thin clients against a Windows Terminal Server, from where the authentication takes place through the OES Client (so users exist in eDir and locally on the Windows Server).

In this setup we do not have an AD and all restrictions for the users on the Windows Terminal Server (which drives are shown, which settings are available, etc.) were done with manual editing of GPOs.

This has quite some limitations when compared with AD-deployed GPOs.

The question is if ZENworks can assist in rolling out user policies more conveniently and with more features, like AD-based policies, to the Windows Terminal Server to prepare for an upgrade of the Windows Server in the foreseeable future.

Regards

Karl

  • Verified Answer

    +1  

    Yes, ZCM supports applying GPOs in a Terminal Server environment w/o Active Directory.

    The bigger issue is you would be limited to ZCM 20.2 or older, which is no longer in support.  The issue is your old version of eDir only supports TLS 1.0, which is no longer supportable from a security perspective and is blocked on later versions of ZCM.

    NetWare has been replaced by OES, which is Linux-based but supports eDir 9.x and still acts just like NetWare.

    OES can also emulate AD, so a user could log into the Terminal Server with their eDir creds but the Terminal Server would treat it like an AD account for both login as well as GPO purposes.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Thanks for pointing at the TLS-thing.

    I just read - at some point - about compatibility of ZENworks with eDir 8.7.3 and felt safe on that side.

    That would have been quite a bad surprise.

    There is no way of switching ZENworks down to TLS 1.0 (as is possible with Firefox, e.g.)?

    Regards

    Karl

  • Verified Answer

    +1   in reply to 

    It may be possible but not easy and may break every time you apply a patch due to Docker containers. There are TLS settings specific to the LDAP Source and one for Agents connecting to the server. Your concern would be the ones about connecting to the LDAP Source. I have fixed those up on an emergency basis, with the understanding they had to upgrade their eDir as soon as they could to a supported version.

    You have to go into Docker containers and edit some Java security files to allow Java to connect to the old versions. So it is possible, or at least at one point in time it was possible... I believe the limitation was introduced in 20.3 due to Java version updates... I've not had to help anyone with it for a while...

    So if you go down that path... it may be possible, but would likely require constant fiddling inside Docker containers after every patch. At some point, Java or other products may totally drop support for TLS. My other concern would be ciphers... Not sure if eDir that old still has supported ciphers. It's been a LONG time since I've been aware of a customer trying to use eDir that old. Again it may be possible, but may require additional Java security settings to permit long since broken ciphers.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks
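
An added example, not part of the thread and not ZENworks code: a Python check that audits the text of a Java security file and reports which legacy protocols or ciphers are no longer disabled, for example after an emergency workaround like the one described above was never reverted. It assumes the restriction is expressed through the standard JDK property `jdk.tls.disabledAlgorithms`; the baseline set and both sample files are constructed for illustration.

```python
# Assumed baseline of entries that must stay disabled (constructed for this
# example; align it with your own policy and JDK version).
REQUIRED_DISABLED = {"SSLv3", "TLSv1", "TLSv1.1", "RC4", "DES",
                     "3DES_EDE_CBC", "anon", "NULL"}

# Constructed samples modelled on a java.security file, not taken from ZENworks.
HARDENED = """\
# stock-style policy
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
WEAKENED = """\
# TLSv1 and 3DES removed so Java can reach a TLS 1.0-only LDAP source
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
"""

def logical_lines(text):
    """Yield property entries, joining backslash-continued lines."""
    buf, continuing = "", False
    for raw in text.splitlines():
        line = raw.strip()
        # Comments and blanks only count at the start of a logical line.
        if not continuing and (not line or line[0] in "#!"):
            continue
        continuing = line.endswith("\\")
        buf += line[:-1] if continuing else line
        if not continuing:
            yield buf
            buf = ""
    if buf:  # file ended in the middle of a continuation
        yield buf

def read_property(text, name):
    """Return the effective value of a 'key=value' property, or None."""
    value = None
    for entry in logical_lines(text):
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value

def audit_tls_policy(text):
    """Report baseline entries that the policy no longer disables."""
    raw = read_property(text, "jdk.tls.disabledAlgorithms")
    if raw is None:
        return {"defined": False, "re_enabled": sorted(REQUIRED_DISABLED)}
    # Exact token match: a substring search for "TLSv1" would also hit "TLSv1.1".
    disabled = {item.strip() for item in raw.split(",") if item.strip()}
    return {"defined": True, "re_enabled": sorted(REQUIRED_DISABLED - disabled)}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, audit_tls_policy(sample))
```

Running the same check against the file after every patch shows whether an update reset the policy or a manual change is still in place.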

  • 0 in reply to   

    Thanks again for this explanation.

    There is much to be thought about now.

    Regards

    Karl