
I'm looking for a little advice.



We currently have our Casper server on an outside routable IP address. Over the past few years we have been putting most of our sites (50 in total) behind firewalls. Currently the site where the Casper server is located has VPN tunnels that route from the IP range that it is on to all of the tunneled sites. We have been gradually moving things at this side to internal IP addresses. That pass through from that outside range to the VPN tunnels may eventually go away.



My choices seem to be as follows:




  1. Leave the Casper JSS server on the IP it is on. A real outside routable IP. This would just mean that the clients have to go outside the firewalls to contact the JSS server. The VPN between this outside address and the other sites may remain for a few months to a year, but will eventually go away. But the clients should still be able to go to the outside and contact the JSS. The JSS server would essentially be in the DMZ on an outside routable IP.


  2. Move the Casper JSS to an IP on the inside. It will then be on an inside address, but that address will have VPN tunnels to all of the other sites. I'm pretty sure that most of the clients have been reconed using the host name of the Casper server. Hopefully they memorize that instead of the IP address. If that's the case, once I change the DNS entry for the Casper JSS server they should all be able to still contact the JSS. I have done a little asking around and apparently some folks have reconed some machines using the IP address instead of the host name of the JSS server. I wonder if there is a way to have a policy correct all that?


  3. Keep the outside IP as the Casper JSS server's DNS entry, but move the Casper JSS server to an inside IP and put all of the port mappings in place on the firewall. This would allow a machine on the outside to still contact the JSS. I think machines on the inside would just pass through as well.




I was wondering how many of you have a JSS server inside behind a firewall?



Just thought I would ask if any of you had any advice on what route I should go. I'm just trying to understand the implications and figure out what might be the best route to go.



Also, are there any other gotchas to changing the IP that a JSS server is on?



Roger Corbin
Richmond School District #38

All of our servers are behind the firewall but have rules to allow their specific services through. The JSS has a private IP address, but on the public side of the firewall also has a public IP address. So, it's up to DNS to route to the public vs. private IPs based on whether they're on our network or not. For me it was an easy decision to make the JSS publicly available but like all of our other servers, it has a private address and that's how it actually sees the world.



As far as changing the IP of the server, it's probably just the standard gotchas of OS X, e.g. check the DNS, then check the DNS, then check the DNS, then run the changeIP command, then check the DNS.



Thanks,
John



--
John Wetter
Technology Support Administrator
Educational Technology, Media & Information Services
Hopkins Public Schools
952-988-5373
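
A client-side check for the situation raised in the question, where some machines were enrolled against the JSS IP address rather than its host name. This is an added example, not part of the original posts; the preference path and key name are assumptions about where the client stores its JSS URL.

```shell
#!/bin/sh
# Added example (not from the thread): flag a JSS URL that uses an IP literal.

# Print the host part of a URL such as https://jss.example.org:8443/
url_host() {
    h=${1#*://}     # drop the scheme
    h=${h%%/*}      # drop the path
    h=${h##*@}      # drop any userinfo
    case $h in
        \[*) h=${h#\[}; h=${h%%\]*} ;;   # bracketed IPv6 literal
        *)   h=${h%%:*} ;;               # drop :port
    esac
    printf '%s\n' "$h"
}

# Succeed if the argument looks like an IPv4 dotted quad or an IPv6 address.
# Shape check only: octet ranges are not validated.
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print "ip" or "hostname" for a JSS URL.
classify_jss_url() {
    if is_ip_literal "$(url_host "$1")"; then
        echo ip
    else
        echo hostname
    fi
}

# Assumption: the client keeps its JSS URL in this preference domain and key.
JAMF_PREFS=/Library/Preferences/com.jamfsoftware.jamf
JSS_URL_KEY=jss_url

# Only runs on a Mac with the preference present; silently skipped elsewhere.
if command -v defaults >/dev/null 2>&1; then
    if url=$(defaults read "$JAMF_PREFS" "$JSS_URL_KEY" 2>/dev/null); then
        echo "$url: enrolled by $(classify_jss_url "$url")"
    fi
fi
```

Machines that report "ip" are the ones that will lose contact when the server's address changes, regardless of what DNS says.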

