Akamai as a Cloud DP

lisacherie
Contributor II

We are making the switch to a cloud DP - and chose Akamai.

It took us a bit of effort to get it working, the info in the admin guide was a bit slim. I made some notes with the info that would have made it easier to get started.

Hope it helps, if you are considering moving to Akamai.

http://lisacherie.com/?p=227

8 REPLIES 8

SeanA
Contributor III

@lisacherie Not considering it, though I want to give you props for sharing your experiences! Thanks!

danielslijper
New Contributor
New Contributor

Awesomeness!

rczachs
New Contributor

Since this site seems offline now....is there any way you could share this information again? Since i am a bit lost right now in that configuration...

Thanks!

prbsparx
Contributor II

Have any of you actually gotten this working?
Looks like the original URL is dead.

jimmy-swings
Contributor II

Hey @lisacherie - are you able to post the original article? It sounds like a great read!

lisacherie
Contributor II

My blog was taken down after security advice. The blog was getting sudden, ongoing, exponentially disproportionate traffic with many failed auth attempts from Eastern Europe and parts of Asia.

I will look for my archives and post the article here once found.

Considering I had posted source code excerpts and some security related content, and the very small audience my blog previously received were administrators of large Mac fleets at many large organizations and verticals, it’s a reminder to check each line of code for scripts and other resources obtained online and validate checksums when possible.

As an individual I do not hold the skills or resources to ensure integrity of the blog so I chose to take it offline, and appreciate the advice from the individuals who helped me at that time.

Endpoint and management tool security is a real concern and I can’t stress enough to listen and work closely with your security teams.

Lisa.

lisacherie
Contributor II

Here is the old post about Akamai as a DP.

Re-reading what I wrote, I did not put emphasis on using https which your akamai account rep will assist you to do, and will require your organization providing a certificate to Akamai.

Another point I did not emphasise is restricting the uploads, due to the uploads taking place over FTP, a trusted jump host should be used. The Akamai Luna panel allows whitelisting by IP specific hosts that are allowed to provide uploads to your account. This should create an acceptable risk for the FTP uploads, and use security hygeine such as regularly rotating this account.

If done right the downloads using the unique tokens should offer greater security than other traditional https or fileshare distribution points.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Getting tired of maintaining Distribution Points? the load balancers? and scoping them to clients? so were we. Got regional performance problems? some new office opening in insert obscure location far away from the existing infrastructure... Time to think about using a cloud based service.

Akamai ended up being our choice, however there were a few holes in the administrators guide - hopefully this will see you through.

Make contact with Akamai - you will need to request the following:

  • NetStorage account using FileStore
  • FTP account to be used for uploading to NetStorage
  • UploadURL preference eg. dpupload

Akamai will then provide you with a directory (6 digit number).

Now it's time to enter all of these settings into the JSS/jamfPro, however the UI is a bit misleading.

Username - provided by Akamai
Password - provided by Akamai

Upload URL eg. ftp://dpupload-yourcompany.akamai.com

Directory - enter this with beginning and trailing “/” (as of version 9.96)

Eg. “/123456/”

Entering the directory without the beginning and trailing / will result in errors saving the configuration. I'm led to believe this is not intended, so I suspect in a future release those slashes will not be required for this field.

That takes care of the uploads - now you need to request an EdgeKey account for the downloads of your distribution point files.

Eg. dpdownload.companyname.com

You will need to make a CNAME DNS record - pointing to dpdownload.companyname.com.edgekey.net

In the download URL field enter the URL, with the 6 digit directory at the end (as of version 9.96) Again I'm not sure this is intended, maybe in the future the directory will be automatically populated.

https://dpdownload.company.com/123456

Once you've done this much you likely have an Akamai DP, which will need syncing (luckily you can easily sync with Casper Admin before making this your master if desired).

However, there are some security considerations to think about...

  • FTP.. really?. please vote up this feature request: https://www.jamf.com/jamf-nation/feature-requests/2112/secure-file-transfer-to-cloud-storage-akamai

You should also use package checksums if not already enabled, since the packages are now in someone else's data center and put there using a protocol that sends passwords in clear text 😞

Open Casper Admin, select all the packages with out a checksum, and right click to have the checksums created - save.

Within the web app navigate to: Computer Management -> Security , from the Package Validation menu select always.

You also want to use remote authentication so you aren't handing out free copies of your company packages. Your JSS/jamfPro needs to be in the DMZ (I'm assuming it already is, since you are looking at a cloud dP).

When using remote authentication a URL in the following format will be generated from the JSS when a request for a package is generated from a policy.

https://yourjss.company.com:PORT/akamairemote/verify/PACKAGENAME.PACKAGEEXT?expires=GENERATED&salt=GENERATED&hmac=GENERATED&token=GENERATED

Akamai will need sample URL for testing, the sample URL can be generated by creating a test policy, and looking at the URL in the policy logs for a test client that has run the policy.

This should be enough to get you started - let me know if I've left out anything!

Berrier
Contributor

@lisacherie are you still using Akamai as a cloud DP? We're thinking our going the same way. Any lessons learned since this post was last updated that we should be aware of?