I did a search in the ZCM 10 and ZCM 11 forums, so excuse me if I missed this.

I have looked at a number of ZCM 10 and ZCM 11 documents which explain the ports which need to be open on managed devices in order for the ZCM server to communicate properly (e.g. Novell Documentation), and I have seen references that basically say that when installing the ZCM agent, the installer will open up the necessary holes in the Windows firewall (you will need to manually configure 3rd party firewalls if you use them).

I have a clean install of Windows 7 Pro x64. I took a look at all of the Inbound firewall rules, verified nothing related to ZCM was listed; then I installed the ZCM 11.2.0 agent and looked at the Inbound rules again. There were now 4x new ZCM-related rules; two groups of two, each group having a TCP rule and a UDP rule for the same program. The programs were "C:\Program Files (x86)\Novell\ZENworks\bin\nzrWinVNC.exe" and "C:\Program Files (x86)\Novell\ZENworks\esm\ZESService.exe".

In the ZCM 11 documentation I referenced above, it does not specify which programs to make exceptions for, but the ports you should make exceptions for.

My question is, in addition to the "program" exceptions made by the ZCM agent installer, do we also have to create exceptions for the ports listed in the docs:
  1. ZENworks VNC (5950) TCP - Open on the managed device. Allows remote control and other remote operations to be performed. Communication is between the managed device and the Administration Console.
  2. Agent Management Port (TCP 7628) - Open on managed devices used to send quick tasks to the managed device. Communication is between the Primary Server and the Agent.

Or is this effectively covered by the program exceptions created by the ZCM agent installer?