Tomcat security

Take a look here. I think this may do what you want-

https://jamfnation.jamfsoftware.com/article.html?id=174

It does, as you can limit the 2nd JSS instance to just management (no admin) but would require me to have 2 JSS instances. If a solution could be found without 2 instances, such as via a Tomcat configuration, I would love to see if that's possible as well.

Thanks!

You may be able to kludge something together by putting a second NIC in your JSS and putting that NIC in the DMZ. Then you'd be able to use firewall rules to limit what ports traffic from that port could hit.

I'm just thinking out loud here and wouldn't really attempt it myself. You don't want your database anywhere near the outside world, IMHO.

There's a reason you'd set up this "micro-instance" on a box that is separate from your crown jewels.

That is a good point Jared, but even for the DMZ, nothing is open to the JSS server except ports 8443, 2195, and 5223.

Any tomcat configuration wizards? Otherwise I'll look at bringing up a 2nd JSS instance.

I'd have to agree with Jared here. Following the kb article would be best practice for this if there is a concern about exposing your JSS to the outside. And its not really 2 JSS instances, but really a Tomcat instance that acts like a traffic cop, routing external traffic to your internal server over the MySQL port. it doesn't have to be some full blown server. A Mac mini or an Ubuntu VM or the like would generally suffice. Keeping them on separate boxes or instances provides better protection in the event that the DMZ server gets compromised in some manner.