Service Manual

You can also enable or disable Device Enrollment Validation from the Portal Administration page.
Network security
A default installation of Wyse Management Suite uses the HTTPS protocol for communication.
Network exposure
The following table lists the network ports that are supported on Wyse Management Suite. The ports
are open by default when you install Wyse Management Suite.
Table 1. Network exposure
| Service name | Port | TCP or UDP | Summary |
|---|---|---|---|
| Dell On-Premises Private Cloud | 443 (Recommended), 8080 | TCP | Security recommendation is to enable the 443 port to ensure the secure way of communication. |
| Dell Secure MQTT Service | 8443 | TCP | By default 8443 port is open with the installation to ensure a secure connection with MQTT. |
| MQTT Broker agent Service | 1883 | TCP | This port is also open post installation. |
| EMSDK | 5172, 49159 | TCP | Optional and enabled only to manage Teradici devices. |
Network vulnerability scanning is performed on Wyse Management Suite and there are no security issues on the networked
subsystems or interfaces. If you discover a security issue, you are encouraged to report it to Dell immediately. See Reporting
security vulnerabilities.
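The following added example (not from Dell's documentation) probes each port in Table 1 on a server you administer and reports whether it is closed, open without TLS, or which TLS version it negotiates. The `probe` and `audit` names and the result strings are this example's own, and certificate validation is skipped on the assumption that only the protocol version is being inspected.

```python
import socket
import ssl

# Ports from Table 1, with the service names the table gives them.
WMS_PORTS = {
    443: "Dell On-Premises Private Cloud",
    8080: "Dell On-Premises Private Cloud",
    8443: "Dell Secure MQTT Service",
    1883: "MQTT Broker agent Service",
    5172: "EMSDK",
    49159: "EMSDK",
}

def probe(host, port, timeout=2.0):
    """Return 'closed', 'open-no-tls', or the negotiated TLS version string."""
    # Validation is off because only the protocol version is inspected here
    # (assumption: an on-premises server may present a private-CA certificate).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()      # e.g. "TLSv1.2" or "TLSv1.3"
    except OSError:                   # ssl.SSLError and timeouts are OSError
        return "open-no-tls"
    finally:
        raw.close()

def audit(host, ports=WMS_PORTS, probe_fn=probe):
    """Probe every port and return {port: (service, result)} in port order."""
    return {p: (svc, probe_fn(host, p)) for p, svc in sorted(ports.items())}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (svc, result) in audit(target).items():
        print(f"{port:>5}/tcp  {result:<12} {svc}")
```

Python's default TLS context may refuse protocol versions below TLS 1.2, so a port that offers only TLS 1.0 can be reported as `open-no-tls`.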
Communication security settings
By default Wyse Management Suite enables HTTPS protocol for communication.
Additionally, you can enable the following secure communications:
Secure communication to MQTT using port 8443.
LDAPS protocol for AD integration. For more information, see Dell Wyse Management Suite 3.2 Administrator's Guide at
https://www.dell.com/support/manuals.
Data security
Data at Rest
The data is encrypted and stored in a database. Access to the database is restricted and you cannot access
the database remotely. Also, passwords and other secure information are not displayed.
Data in Flight
To maintain security, the set of enabled and disabled ciphers for Wyse Management Suite must be updated
regularly. The following ciphers can transmit secrets securely:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_CCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_CHACHA20_POLY1305_SHA256
Data integrity
Wyse Management Suite does not allow you to publish or expose user data or sensitive data in logs or in
any format. Wyse Management Suite sends sensitive data only in the POST request body or in request headers, and
does not allow it in HTTP GET query strings.
Configuring Transport Layer Security
The Wyse Management Suite on-premises installer lets you select the Transport Layer Security (TLS) version during
installation or upgrade. You can also enable the TLS versions using the Portal Administration page.
NOTE:
The recommended version of Transport Layer Security is 1.2. Ensure that you select all the appropriate versions of
TLS based on the device agent and the merlin image. Older versions of Windows Embedded System, Wyse Device Agent
(versions below WDA_14.4.0.135_Unified), and 32-bit merlin image versions are only compatible with TLS version 1.0.