I am trying to set up ZCM to allow me to remote control workstations that are outside of our firewall, or, an easier way to say it, over the Internet. For testing, I have my internal network and a Wi-Fi network at work, where the Wi-Fi does not have any access to our internal network, so it is essentially an off-network location.

I have an external DNS and NAT set up so that either on or off network, laptops can resolve the server address. I'm trying to set this up as an only-open-what-is-needed method, so I started with all traffic to and from my ZCM server as being blocked. The first thing that I noticed when I tried to refresh my laptop from the Wi-Fi network was that it was trying to connect over port 443; after allowing that, my server tried sending traffic on port 7628. After opening the port, I saw that the laptop started pulling updates from the server and the server identified the external IP address that the laptop was using. If I tried to remote the system, it just bombed out when trying to connect.

In my testing I have gone as far as opening ports 2645 and 5950 both to and from my ZCM server, which has not yet allowed me to connect. I'm not seeing any more traffic being blocked by my firewall, not even these ports when I was not allowing traffic (which I'm back to blocking while I'm at this roadblock).

One thing that I would also like to do, if it is possible, is to block access to the ZCM console login page from systems outside of the network. I know that it is possible with standard HTML pages, as I've done this with other services that are stored in the /srv folder on the server, but I'm not finding the ZCM files in there. Even though it is using SSL, I just don't want to have the possibility of a hacker with too much time finding my admin console and being able to sign in and toy with any of my settings.