Accessing ZENworks server through Access manager Agent problem.

We are trying to establish access to ZCM primary server in DMZ through Access Manager reverse proxy.

I think that there is a problem with the ZCM agent. It starts registration, connects to the server, but then always says "Could not determine device type from <OS> tag: unsupported".

It's definitely supported OS : Windows 10 22H2.

I set the agent's logs to DEBUG. I think (correct me if I'm wrong) that the agent connects to the server, resolves its IP (which is the IP of Access Manager serving multiple "hosts" by name) and then tries all of its communication using the IP in URLs. This communication cannot be passed on by AM to the ZCM server, because it does not know to whom to pass it, lacking a hostname in the URL.

Is there a way to persuade the Agent to use the hostname in communication?

This is what I get (I changed the real IP and host name in this post):
NAM (Access Manager) public IP : 88.88.88.88
Our Zenworks DMZ server hostname, publicly resolvable to AM's IP 88.88.88.88 : mdm.server.si
The machine's ZEN agent is installed with a custom package that has only the hostname mdm.server.si as primary server (no IPs). There are also no unresolvable IPs in the server's configuration.

---------------

Zen-agent checks the certificate and finds no errors (it's the certificate for *.server.si on Access Manager)
[TRACE] [12/13/2024 10:50:38.812] [2740] [ZenworksWindowsService] [100] [] [RegistrationModule-CertValidation] [] [Certificate Details: Subject: CN=*.server.si
...
[TRACE] [12/13/2024 10:50:38.812] [2740] [ZenworksWindowsService] [100] [] [RegistrationModule-CertValidation] [] [SslPolicyErrors.None] [] [] [] [ZENworks Agent]

Tries registration URL (we see that communication on mdm resource on NAM and on MDM server)
[DEBUG] [12/13/2024 10:50:38.890] [2740] [ZenworksWindowsService] [100] [] [RegistrationManager] [] [Registration ping successful at https://mdm.server.si/zenworks-registration/registration] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.906] [2740] [ZenworksWindowsService] [100] [] [CertManager] [] [Input list of host names : mdm.server.si, output List : mdm.server.si->88.88.88.88] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.906] [2740] [ZenworksWindowsService] [100] [] [ZenCache] [] [(Thread 100) PutObject(certManager.CertSubjectAltName::*.server.si, UserContext{_LocalId=none; _RemoteId=(Public)}) called] [] [] [] [ZENworks Agent]

Obviously resolves the server name to an IP and tries to connect to the IP (and gets forbidden - 403) because the IP is the same, but holds more than one hostname (it is a reverse proxy and does not know this traffic is intended for MDM)
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindFirstContent()] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Connection status of host: mdm.server.si is not known] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FSR: called with following sources: ] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [https://mdm.server.si/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:GetInstance Creating new instance] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:GetInstance Added the new instance with id 69 into _instanceList] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CTS id = 69 Checking https://mdm.server.si/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CHS id = 69 Adding host: mdm.server.si, status: Unknown] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [75] [] [ConnectMan] [] [ST:FFGS id = 69 Waiting on status of https://mdm.server.si/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:FSR id = 69 Waiting for the first good source to be found] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:GIP id = 69 Resolving DNS for mdm.server.si] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CTS id = 69 Host: mdm.server.si, IP address: 88.88.88.88] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:GIP id = 69 Adding IP address: 88.88.88.88] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CIPL id = 69 Adding IP Uri https://88.88.88.88/zenworks-registration/v2/ostargets.xml status: Unknown] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:PIMS id = 69 Pinging location: https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan-ping] [] [ Protocol error connecting to: https://88.88.88.88/zenworks-ping/ HTTP status: 403 - Forbidden] [] [] [] [ZENworks Agent]

In spite of getting 403 it marks 88.88.88.88 as good ? And trying to get ostargets.

[DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ Setting location name https://88.88.88.88/zenworks-registration/v2/ostargets.xml to status Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan-ping] [] [ping returned: True] [] [] [] [ZENworks Agent]
[DEBUG]984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:PIMS id = 69 Setting location https://88.88.88.88/zenworks-registration/v2/ostargets.xml, IP address 88.88.88.88, and host mdm.server.si to status: Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CTS id = 69 Done with checking: https://mdm.server.si/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [75] [] [ConnectMan] [] [ST:FFGS id = 69 Found good source location https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:FSR id = 69 first good source found] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:FSR id = 69 Decremented _currentCallersCount to 0] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:FSR id = 69 Returning https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [81] [] [ConnectMan] [] [ST:Cleanup id = 69 Waiting for all threads to finish] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [81] [] [ConnectMan] [] [ST:Cleanup id = 69 _currentCallersCount = 0] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [81] [] [ConnectMan] [] [ST:Cleanup id = 69 Removing this instance from _instanceList] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FSR: ServerTracker returned https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FSR returning null] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Entered FindServerFromBusyList] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Connection retry count from settings handler is: 21] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindServerFromBusyList() Found host: mdm.server.si, status: Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ IP address 88.88.88.88 marked Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [GetGoodOrBusyIp() returning 88.88.88.88] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Exited FindServerFromBusyList with server https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindFirstContent()] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Connection status of host: 88.88.88.88 is not known] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FSR: called with following sources: ] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:GetInstance Creating new instance] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ST:GetInstance Added the new instance with id 70 into _instanceList] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [108] [] [ConnectMan] [] [ST:CTS id = 70 Checking https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [108] [] [ConnectMan] [] [ST:CHS id = 70 Adding host: 88.88.88.88, status: Unknown] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [108] [] [ConnectMan] [] [ST:CTS id = 70 Host: 88.88.88.88, IP address: 88.88.88.88] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [108] [] [ConnectMan] [] [ST:CIP id = 70 Using IP address: 88.88.88.88, status: Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.266] [2740] [ZenworksWindowsService] [108] [] [ConnectMan] [] [ST:GIP id = 70 Built location: https://88.88.88.88/zenworks-registration/v2/ostargets.xml using IP address 88.88.88.88] [] [] [] [ZENworks Agent]

And gets 403 ...... and says "Could not determine device type from <OS> tag: unsupported"
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ZenFile] [] [Unexpected exception getting ZenFileInfo for https://88.88.88.88/zenworks-registration/v2/ostargets.xml: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at Novell.Zenworks.ZenFileInfo..ctor(String fileName)] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindNextContent: badUri: https://88.88.88.88/zenworks-registration/v2/ostargets.xml, Exception: The remote server returned an error: (403) Forbidden.] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindNextcontent called with following sources:] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [https://88.88.88.88/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [WebException: The remote server returned an error: (403) Forbidden., Status: ProtocolError] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindNextContent: Not trying to retry. Ignoring this retry] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [Marking IP Location https://mdm.server.si/zenworks-registration/v2/ostargets.xml: Bad] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [WebException] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [The remote server returned an error: (403) Forbidden.] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [WebExceptionStatus: ProtocolError] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [ at System.Net.HttpWebRequest.GetResponse()
at Novell.Zenworks.ZenFileInfo..ctor(String fileName)] [] [] [] [ZENworks Agent]

Manually (by browser) opening 88.88.88.88/.../ostargets.xml gets Access Manager's response "Access forbidden! Host name received is not for this web site." That's what the Agent tries.
Manually (by browser) opening zen.server.si/.../ostargets.xml opens the ostargets.xml file. So this is what we want!

The question is: Is there a way to persuade the Agent to use the hostname in communication?

  • 0  

    During Registration...The Agent will use any Address you specify....so your custom package could specify the other IP address.

    Does the Server Cert include the Public DNS Name?  MDM....?  If not I would recommend updating the SERVER's Cert  (No need to touch the CA) to include the MDM name.

    You may want to include the PUBLIC DNS name under the Server Properties in the ZCC under Infrastructure Management and Additional DNS Names.

    In ZCC->Configuration->Infrastructure Management->MDM , I would review any restrictions in place....You may be blocking access from the IP ranges that are needed for your Proxy and the Remote devices....

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    mdm for Android devices from same server works just fine.

    Just registration and communication from Windows agents don't.

    The hostname is the same for "inside use" and from outside. From inside it is mdm.server.si also. While creating the custom agent package I removed all IPs from the "Primary servers list" and left only mdm's hostname.

    Cert on AM is wildcard so that we do not need to request new when we add new service with new hostname for access. It's *.server.si so it should cover mdm.server.si.

  • 0   in reply to 

    Doubt any of this would help...but I would confirm again your MDM settings, on what is or is not blocked permitted....

    But also maybe add the external IP to the OSP setup.....

    https://www.novell.com/documentation/zenworks-24.4/zen_cm_deployment_bp/data/t4mm81spoqza.html


  • 0 in reply to   

    Hi Craig,

    Adding external IP will not help.

    Access Manager reverse proxy's main function is to serve as a gateway for more than one service. Each service is on its own URL (hostname) on the same IP.
    It routes traffic according to the hostname it receives in the header.
    So: opening zen.server.si/.../ostargets.xml opens the ostargets.xml file.
    If it receives an IP, then it does not know to which service to route it,
    trying: 88.88.88.88/.../ostargets.xml gets Access Manager's response "Access forbidden! Host name received is not for this web site."

    I'm almost sure that this is the source of the problem.
    - Agent tries mdm.server.si/.../registration
    - Gets success and marks mdm.server.si as OK.
    - Resolves mdm.server.si to IP (e.g. 88.88.88.88) and
    - tries 88.88.88.88/.../ostargets.xml
    DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan-ping] [] [ Protocol error connecting to: https://88.88.88.88/zenworks-ping/ HTTP status: 403 - Forbidden] [] [] [] [ZENworks Agent]
    - gets 403 forbidden (!!!!)
    - and then marks location as GOOD ????
    [DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ Setting location name https://88.88.88.88/zenworks-registration/v2/ostargets.xml to status Good] [] [] [] [ZENworks Agent]
    - After that it is trying to connect to IP and fails, therefore communication to ZCM server is not working.
    - It does not get ostargets.xml therefore it says : "Could not determine device type from <OS> tag: unsupported"

    To work successfully through a reverse proxy it should always connect to "servername", never to IP.

    There should be a way to tell the agent to use "hostname" in communication instead of IP.
    Has anyone established a connection to a ZENworks server through Access Manager proxy, and how?
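
An added example, not part of the thread and not ZENworks or Access Manager code: a Python triage script for the agent's DEBUG log that flags the sequence the last post walks through (hostname URL rebuilt as an IP URL, the proxy's 403 on that IP URL, and the location then being set to Good). The sample lines are constructed in the thread's log layout with its redacted values, and the finding names are labels chosen for this example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Layout seen in the thread: [LEVEL] [timestamp] [pid] [service] [thread] [] [component] [] [message] ...
LINE = re.compile(r"^\[(?P<level>\w+)\] \[(?P<ts>[^\]]+)\] (?:\[[^\]]*\] ){4}"
                  r"\[(?P<component>[^\]]*)\] \[\] \[(?P<msg>.*)\] \[\] \[\] \[\] \[ZENworks Agent\]$")
URL = re.compile(r"https?://[^\s\],]+")

# Constructed sample (redacted host and IP as used in the thread).
SAMPLE_LOG = """\
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CTS id = 69 Checking https://mdm.server.si/zenworks-registration/v2/ostargets.xml] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.953] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ST:CIPL id = 69 Adding IP Uri https://88.88.88.88/zenworks-registration/v2/ostargets.xml status: Unknown] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan-ping] [] [ Protocol error connecting to: https://88.88.88.88/zenworks-ping/ HTTP status: 403 - Forbidden] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:38.984] [2740] [ZenworksWindowsService] [28] [] [ConnectMan] [] [ Setting location name https://88.88.88.88/zenworks-registration/v2/ostargets.xml to status Good] [] [] [] [ZENworks Agent]
[DEBUG] [12/13/2024 10:50:39.297] [2740] [ZenworksWindowsService] [100] [] [ConnectMan] [] [FindNextContent: badUri: https://88.88.88.88/zenworks-registration/v2/ostargets.xml, Exception: The remote server returned an error: (403) Forbidden.] [] [] [] [ZENworks Agent]
"""

def ip_host(url):
    """Return the URL's host if it is an IP literal, else None."""
    host = urlsplit(url).hostname
    try:
        ip_address(host)
        return host
    except (ValueError, TypeError):
        return None

def analyze(log_text):
    """Return (timestamp, finding, url) tuples for requests that bypass the hostname."""
    findings, rejected = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation lines and damaged lines are skipped
        ts, msg = m["ts"], m["msg"]
        for url in URL.findall(msg):
            ip = ip_host(url)
            if ip is None:
                continue  # hostname URL: the proxy can route on the Host header
            if "Adding IP Uri" in msg:
                findings.append((ts, "HOST_REPLACED_BY_IP", url))
            elif "403" in msg:
                rejected.add(ip)
                findings.append((ts, "PROXY_REJECTED_IP_URL", url))
            elif re.search(r"status:? Good", msg) and ip in rejected:
                findings.append((ts, "MARKED_GOOD_AFTER_403", url))
    return findings

if __name__ == "__main__":
    for ts, kind, url in analyze(SAMPLE_LOG):
        print(f"{ts}  {kind:<24} {url}")
```

Run against a full agent log, the timestamps of the findings show whether every 403 lines up with an IP-literal URL, which separates a Host-header routing problem at the proxy from an access restriction on the ZENworks side.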