Yes....ZCC and Setup pages can be excluded.

For Normal ZCC Servers you can Restrict ZCC as shown here...
Normally when restirctions are set ...they are set so only internal addressed can be hit.

The Setup page can be restricted the same way but the file to manage is here...

There is also a setting to disable New Device Registration that can be set on a primary.....
however, it would impact all devices....
If you were to use would not want this set on the Primary Internal Devices hit by default.
This restriction not only impacts "New Device Registration" would also impact automatic recovery where a devices registration is lost for unknown reasons.

Quote Originally Posted by mattjones View Post
Hi All,

I'm setting up a reverse proxy so that our home based users can access the ZENworks server without requiring a VPN connection.

What I want to accomplish is that the home users can login, download bundles and get agent updates. I don't need them to be able to install the agent or register the devices as this is done before they leave the office.

I've been looking at the cool solution that is posted here:

We've got it working pretty easily but before I put it into the DMZ I am wondering what the home based machines NEED to be able to get to.

In the cool solution it exposes:

I'd rather not allow access to the zenworks-setup page and also to ZCC. Can these be excluded or will it stop the agent outside the firewall from working?