Skip to main content
Question

JSS on DMZ, failed installs

  • November 11, 2014
  • 4 replies
  • 19 views
ImAMacGuy
Forum|alt.badge.img+23

For those of you with the JSS on the DMZ, how are you handling the policies that fail if a machine is not on the network (and therefore not able to mount the internal servers).

We have about 200 subnets and about 50-60 buildings setup, but when a machine checks in from their home network, the JSS doesn't update with the unknown building, it leaves the last one it checked in with. This means I can't create a SG that says if "not in building, or building, or building, etc". And as we standup or shut down sites, I'm rarely notified (if ever, usually I stumble upon an IP range and then have to go ask someone if it's new or not) - so doing it by ip ranges doesn't seem feasible either.

Is my only other option to enable file shares on the DMZ? there's gotta be a better way.

    4 replies

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • November 11, 2014

    Set up some externally facing distribution points (that's what we have in place), and make sure you have all your Network Segments set up properly. Create one all encompassing catch Network Segment called "internet" with a range from 1.1.1.1 to 254.254.254.254. Basically, any Macs that check in from an IP that doesn't fall into any of the other Network Segments means its on the outside. Fortunately Network Segments work from smallest to largest, so if a Mac has an IP that fits into one of the smaller ranges, it gets assigned to that NS.

    Then. assign the externally facing distribution point(s) to that "Internet" Network Segment.

    The only other thing will be making sure they all stay in sync, so packages/scripts, etc added to your Master DP gets synced to the others, including the external one.

    EDIT: Ok, sorry I didn't see that actually keeping your Network Segments all up to date wasn't really viable for you. I see that now. Honestly, that's going to be a tough one to solve then. Any way you can ensure you get notified when new ones are set up? Ask to be included in emails that are sent around perhaps so you can stay on top of them? Without having valid Network segments, its going to be a bit difficult to get this to work. But maybe someone else has a better idea.

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Author
    • Esteemed Contributor
    • November 11, 2014

    I didn't realize that's how it worked, so that helps a lot. I will give that a shot. Thank you!

    R
    Forum|alt.badge.img+18
    • rderewianko
    • Honored Contributor
    • November 12, 2014

    @jwojda take a look at what Expeida's IT presented at JNUC2014
    https://github.com/Expedia-IT-CTE/ Radar!
    They utilize it for having the computer tell the JSS what server to talk to.
    I put it in, to utilize the same usability but also the false positives when casper fails over to our external DP.

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Author
    • Esteemed Contributor
    • November 12, 2014

    thank you, I'm giving it a shot now.

    Terms & ConditionsCookie settingsAccessibility statement