Casper Behind vs Outside The Firewall

I'm looking for a little advice.

We currently have our Casper server on an outside routable IP address. Over the past few years we have
been putting most of our sites (50 in total) behind firewalls. Currently the site where the Casper server
is located has VPN tunnels that route from the IP range that it is on to all of the tunneled sites. We have been
gradually moving things at this side to internal IP addresses. That pass through from that outside range to the
VPN tunnels may eventually go away.

My choices seem to be as follows:

  1. Leave the Casper JSS server on the IP it is on. A real outside routable IP. This would just mean that
    the clients have to go outside the firewalls to contact the JSS server. The VPN between this outside address
    and the other sites may remain for a few months to a year, but will eventually go away. But the clients should
    still be able to go to the outside and contact the JSS. The JSS server would essentially be in the DMZ on
    an outside routable IP.

  2. Move the Casper JSS to an IP on the inside. It will then be on an inside address, but that address will have
    VPN tunnels to all of the other sites. I'm pretty sure that most of the clients have been reconned using the
    host name of the Casper server. Hopefully they memorize that instead of the IP address. If that's the case, once
    I change the DNS entry for the Casper JSS server they should all be able to still contact the JSS. I have done
    a little asking around and apparently some folks have reconned some machines using the IP address instead of
    the host name of the JSS server. I wonder if there is a way to have a policy correct all that?

  3. Keep the outside IP as the Casper JSS server's DNS entry, but move the Casper JSS server to an inside
    IP and put all of the port mappings in place on the firewall. This would allow a machine on the outside to still
    contact the JSS. I think machines on the inside would just pass through as well.

I was wondering how many of you have a JSS server inside behind a firewall?

Just thought I would ask if any of you had any advice on what route I should go. I'm just trying to understand the implications
and figure out what might be the best route to go.

Also, are there any other gotchas to changing the IP that a JSS server is on?

Roger Corbin
Richmond School District #38
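
An added example, not part of the original thread: one way to find the clients described in option 2, the ones enrolled against the server's IP address rather than its host name, before the address changes. It assumes you can export each client's JSS URL into a list; the computer names, the host name `jss.example.org` and all addresses below are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: (computer name, JSS URL the client was enrolled with).
SAMPLE_CLIENTS = [
    ("lab-imac-01", "https://jss.example.org:8443/"),
    ("lab-imac-02", "https://203.0.113.10:8443/"),
    ("office-mbp-07", "https://10.20.0.5:8443/"),
    ("library-mini-03", "https://[2001:db8::10]:8443/"),
    ("cart-mba-11", "jss.example.org"),  # malformed: no scheme
]

def classify(url):
    """Return 'hostname', 'ip-literal' or 'invalid' for an enrollment URL."""
    try:
        parts = urlsplit(url)
        host, _ = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
    except ValueError:
        return "hostname"  # follows DNS, so it survives an IP change
    return "ip-literal"    # pinned to the old address, breaks after the move

def repoint(url, hostname):
    """Rewrite the URL to use the host name, keeping scheme, port and path."""
    parts = urlsplit(url)
    netloc = hostname if parts.port is None else f"{hostname}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def audit(clients, hostname):
    """Split clients into those needing a new URL and those with unusable URLs."""
    report = {"repoint": [], "invalid": []}
    for name, url in clients:
        kind = classify(url)
        if kind == "ip-literal":
            report["repoint"].append((name, url, repoint(url, hostname)))
        elif kind == "invalid":
            report["invalid"].append(name)
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_CLIENTS, "jss.example.org")
    for name, old, new in result["repoint"]:
        print(f"{name}: {old} -> {new}")
    print("needs manual review:", ", ".join(result["invalid"]))
```
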

John_Wetter
Release Candidate Programs Tester

All of our servers are behind the firewall but have rules to allow their
specific services through. The JSS has a private IP address, but on the
public side of the firewall also has a public IP address. So, it's up to
DNS to route to the public vs. private IPs based on whether they're on our
network or not. For me it was an easy decision to make the JSS publicly
available but like all of our other servers, it has a private address and
that's how it actually sees the world.

As far as changing the IP of the server, it's probably just the standard
gotchas of OS X, e.g. check the DNS, then check the DNS, then check the DNS,
then run the changeIP command, then check the DNS.

Thanks,
John

-- John Wetter
Technology Support Administrator
Educational Technology, Media & Information Services
Hopkins Public Schools
952-988-5373