Hi everyone, hopefully everyone is staying safe.
Since the entire macOS fleet I manage is now working from home due to this pandemic, we are looking to place another distribution point in the DMZ.
Here is what our environment looks like.
Right now, I'm telling all macOS users to connect VPN first before using Self Service items.
You should be able to use your existing (public-facing) 8443 port and have your LTM (F5) take care of the traffic with an iRule. The iRule can direct specific traffic to a pool of httpd hosts on port 443.
i.e., set the iRule to send any request for "/bar/*" (such as https://externalurl.foo.com:8443/bar/package.name) to a specific pool.
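The path-based routing described in the reply above, written out as an added example iRule. This is not code from the thread or from Jamf; it assumes the iRule is attached to the existing 8443 virtual server (whose default pool is the JSS), that a pool named pool_dp_httpd_443 of Apache hosts serves the package share on port 443 (with a server-side SSL profile), and that "/bar/" is the share path. Only that prefix is steered to httpd; everything else keeps going to Tomcat on the default pool, and the rule refuses traversal attempts and write methods before they reach the DMZ hosts.

```tcl
# Added example iRule, not from the original post.
# Assumptions (hypothetical names): virtual server on :8443 with the JSS as
# default pool; "pool_dp_httpd_443" = Apache hosts serving the package share.
when HTTP_REQUEST {
    # Decode once so "%2e%2e" cannot slip past the traversal check, then
    # lowercase for a case-insensitive prefix match.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/bar/" } {
        # Package share is read-only: drop anything but GET/HEAD.
        if { !([HTTP::method] equals "GET" or [HTTP::method] equals "HEAD") } {
            HTTP::respond 405 content "Method Not Allowed" "Connection" "close"
            return
        }
        # Refuse directory traversal before it reaches httpd.
        if { $path contains ".." } {
            reject
            return
        }
        # Hand this request to the httpd pool on 443; the JSS never sees it.
        pool pool_dp_httpd_443
    }
    # Any other path falls through to the virtual server's default pool (the JSS).
}
```

Two things to check after applying it: confirm with a request for a bogus path such as /bar/../ that the LTM rejects it rather than httpd, and confirm that a request for a non-/bar/ path still reaches the JSS so Self Service and enrollment are unaffected.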
I would recommend you look into an AWS S3/CloudFront-style pkg distribution for the WFH crowd. It will be faster for the users, and Jamf can natively interact with it. You can switch your file distribution over to being the master and sync your internal package distribution from it. This would give you the benefit of DEP install pkgs.
@tfahmy That's not an uncommon configuration for DPs in a DMZ if you're still using Jamf Admin to synchronize it, and the ports for SMB are open to the internal network interface but not the public one. If you're using some sort of file sync tool, such as rsync, to synchronize the DMZ DP with your primary DP, you can just leave those ports closed.
Please, never ever put a Tomcat webapp in the DMZ. Use another endpoint like a load balancer, proxy, VIP, or some other type of appliance. The security risk is too high to put web apps in the DMZ. If you are allowed to use cloud storage like S3, I would highly recommend that over on-prem; if you have to use on-prem, Apache servers aren't too bad and are scalable.
@KyleGDG I use Wasabi's S3 clone for personal backups, but the standard pricing is based on you not downloading significantly more data than you have stored. If you could use it for a DP, the pricing structure would be different.
What issues are you having with .pkg installs via HTTPS? That does require flat packages, but Jamf Admin automatically creates a .zip for any non-flat .pkg when it's uploaded to your primary DP.