Hi @towens, we are using a configuration similar to what you want. Currently our Jamf Pro servers listen to port 8443 but our devices actually see the Jamf Pro server at port 443. We are using Apache Reverse Proxy server to translate 443 to 8443. We haven't changed any parameters in Jamf Pro server except for the option "Enable Remote IP valve" in Setting > Apache Tomcat Settings > Load Balancer.
This is how it works for us:
- Devices initiate communication using port 443
- A Cisco firewall routes the traffic to the right proxy server
- Apache set up as a reverse proxy server translates traffic from port 443 to 8443
So the Jamf Pro server is protected by the Cisco firewall and is also hiding behind the Apache proxy server.
Thanks,
I did have that enabled but still had the weird embedded error regardless.
I found a different solution that allowed Tomcat to listen on 443 without using an Apache reverse proxy.
1. Add a new, or modify the existing, Connector in /usr/local/jss/tomcat/conf/server.xml and set it to use port 443. If you are modifying, change port="8443" to port="443". I just copied the connector that listens on 8443 and modified the 2nd one to listen on 443.
<Connector URIEncoding="UTF-8" server="Apache Tomcat" executor="tomcatThreadPool" port="443"
2. Ran: sudo setcap cap_net_bind_service+ep <path to your java executable> (i.e. /usr/lib/jvm/java-11-openjdk-amd64/bin/java)
The command allows non-root users, so the Tomcat run user, to bind to low-numbered ports.
3. Restarted Jamf
Once that was done I could see Jamf was listening on 443 and could browse to the URL without adding the :8443. ...
@towens The problem, in my experience with that approach, is that every time you update any of the components (say Jamf Pro) your changes are wiped. Besides, configuring an Apache reverse proxy took us 10 minutes to set up.
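Added example, not part of any post in this thread: a shell check to run after a Jamf Pro or Java update that reports whether the port 443 Connector and the cap_net_bind_service capability described above are still in place. The function names and the sample server.xml are constructed for illustration; the real paths are passed as arguments.

```shell
# Print the port of every active <Connector> in a Tomcat server.xml, one per line.
connector_ports() {
    awk '
        { buf = buf " " $0 }   # join lines: Connector elements often span several
        END {
            # Drop XML comments so commented-out connectors are not reported.
            while ((s = index(buf, "<!--")) > 0) {
                rest = substr(buf, s + 4); e = index(rest, "-->")
                if (e == 0) { buf = substr(buf, 1, s - 1); break }
                buf = substr(buf, 1, s - 1) substr(rest, e + 3)
            }
            n = split(buf, el, "<")
            for (i = 2; i <= n; i++)
                if (el[i] ~ /^Connector[ \t]/ && match(el[i], /[ \t]port="[0-9]+"/)) {
                    p = substr(el[i], RSTART, RLENGTH); gsub(/[^0-9]/, "", p); print p
                }
        }' "$1"
}

# Succeed if the (symlink-resolved) binary carries cap_net_bind_service.
has_bind_cap() {
    getcap "$(readlink -f "$1")" 2>/dev/null | grep -q cap_net_bind_service
}

# usage: check_drift <server.xml> <java binary> <expected port>
check_drift() {
    rc=0
    connector_ports "$1" | grep -qx "$3" ||
        { echo "DRIFT: no Connector on port $3 in $1"; rc=1; }
    has_bind_cap "$2" ||
        { echo "DRIFT: $2 lacks cap_net_bind_service"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: port $3 connector and bind capability present"
    return "$rc"
}

# Constructed sample input (not a real Jamf Pro server.xml), for trying the parser.
sample_server_xml() {
    cat <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
  <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="8443"
             scheme="https" secure="true" />
  <Connector executor="tomcatThreadPool"
             port="443" scheme="https" redirectPort="8443" />
</Server>
EOF
}

if [ "$#" -eq 3 ]; then check_drift "$1" "$2" "$3"; fi
```

Run it with the server.xml path, the java executable path and 443 as the three arguments. The capability is attached to the java binary itself, so every process started from that binary can bind low-numbered ports, not only Tomcat.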