Skip to main content

Hi all,

Sorry, I'm new to Jamf, web applications and proxy deployment so if you have a better idea, feel free to chime in.

We are working on deploying our Jamf Pro and making it available over the internet. 
We are planning on having two servers in cluster mode and deploying both of them behind a reverse proxy (with load balancing), the reason for us to go with this model is that we want to make the main server with the admin console accessible only if the device is connecting from our company's IP (plus we don't want to expose the admin console to the internet), now the two servers currently don't have DNS records only IP addresses which I'm thinking to use on the reverse proxy. (One of the major problems for us is that we can't have the same FQDN on both the internal and external DNS and split DNS is not an option, our External DNS reroute to our internal)

Has Anyone configured Jamf Pro behind a reverse proxy before, who can share how they did it?
What settings have to be changed on Jamf itself? (I only found an option under "Apache Tomcat Settings" to set up load balancing but nothing else. While using a reverse proxy can I replace the self-signed certificate for Jamf with a trusted SSL certificate (we had issues with manual enrollment when using the self-signed certificate)

I know many people will suggest going with Jamf Cloud and I appreciate your input but unfortunately, it is not an option for us.

Thanks in advance!

When I was on-prem several years ago we had two instances; one internal with no outward exposure and another in the "DMZ" with port limited exposure internally to the other instance. There is documentation for this here.

I also tried a load balancer/reverse proxy for two months before switching to a cloud instance. Our team is small and I'm the only person with the technical knowledge to keep it going. I kept having the thought that when that breaks and I'm not around, who's going to fix it? Not to say it wasn't stable it was just too complex.

When I was on-prem several years ago we had two instances; one internal with no outward exposure and another in the "DMZ" with port limited exposure internally to the other instance. There is documentation for this here.

I also tried a load balancer/reverse proxy for two months before switching to a cloud instance. Our team is small and I'm the only person with the technical knowledge to keep it going. I kept having the thought that when that breaks and I'm not around, who's going to fix it? Not to say it wasn't stable it was just too complex.


Thanks @mainelysteve , I wish I could switch to Jam cloud but it's against the company policy. I read Jamf's DMZ solution but sadly it's impossible for us to have the same FQDN externally and internally due to our DNS configuration.

I agree with you, it's too much extra work to handle and just like you, we're small team as well (4 people who take care of 500+ employees.)

I'm honestly only lost when it comes to what needs to be done on Jamf's side and what needs to be done for the SSL certificates.

Thanks @mainelysteve , I wish I could switch to Jam cloud but it's against the company policy. I read Jamf's DMZ solution but sadly it's impossible for us to have the same FQDN externally and internally due to our DNS configuration.

I agree with you, it's too much extra work to handle and just like you, we're small team as well (4 people who take care of 500+ employees.)

I'm honestly only lost when it comes to what needs to be done on Jamf's side and what needs to be done for the SSL certificates.


I used nginx for my load balancing(on prem servers only) and placed a server in the DMZ for outside access. Same setup essentially you just need to make the necessary changes to Tomcat and then for your outside access server turn off the web application i.e. console.

https://docs.jamf.com/10.37.0/jamf-pro/install-guide-linux/Configuring_Tomcat_to_Work_with_a_Load_Balancer.html

https://speakerdeck.com/jamf/scaling-jamf-pro-for-high-availability?slide=12 (from 2018 but still relevant).

 

I used nginx for my load balancing(on prem servers only) and placed a server in the DMZ for outside access. Same setup essentially you just need to make the necessary changes to Tomcat and then for your outside access server turn off the web application i.e. console.

https://docs.jamf.com/10.37.0/jamf-pro/install-guide-linux/Configuring_Tomcat_to_Work_with_a_Load_Balancer.html

https://speakerdeck.com/jamf/scaling-jamf-pro-for-high-availability?slide=12 (from 2018 but still relevant).

 


Thank you so much for the hint.
May I ask how did you handle the certificates? Did you use the same certificate that you used on the load balancer?

I've created an Nginx reverse proxy with load balancing that forwards everything to the IP address of the servers (clustered), but for the enrollment to work you need a valid certificate.

Thank you so much for the hint.
May I ask how did you handle the certificates? Did you use the same certificate that you used on the load balancer?

I've created an Nginx reverse proxy with load balancing that forwards everything to the IP address of the servers (clustered), but for the enrollment to work you need a valid certificate.


I believe I used Lets Encrypt which I then used the resulting cert to terminate SSL at the Load Balancer.

You can do it two ways essentially. Each Jamf Pro server can have it's own cert(preferably a wildcard cert) and communicate to the load balancer over 443 or you could terminate SSL at the load balancer and any communication between the LB and your Jamf Pro servers will be on a regular http port i.e. 8080. In either scenario the jamf pro url gets the load balancer cert.

https://docs.jamf.com/technical-articles/Network_Ports_Used_by_Jamf_Pro.html

Don't take my word as gospel though. I was rusty when I set it up and that was back in 2018 so my memory of that setup has faded some.

I believe I used Lets Encrypt which I then used the resulting cert to terminate SSL at the Load Balancer.

You can do it two ways essentially. Each Jamf Pro server can have it's own cert(preferably a wildcard cert) and communicate to the load balancer over 443 or you could terminate SSL at the load balancer and any communication between the LB and your Jamf Pro servers will be on a regular http port i.e. 8080. In either scenario the jamf pro url gets the load balancer cert.

https://docs.jamf.com/technical-articles/Network_Ports_Used_by_Jamf_Pro.html

Don't take my word as gospel though. I was rusty when I set it up and that was back in 2018 so my memory of that setup has faded some.


Thank you so much! That's exactly what I wanted to know.
I'm terminating the SSL at the load balancer so I should be fine. All I need to do now is change the Jamf Pro URL to the address of the load balancer.

Thank you again for all your help!

Reply


Terms & ConditionsCookie settings