Posted on 06-02-2016 04:43 PM
Hi all!
We recently acquired the Casper suite and have decided to make internet based client management available for all our users. Currently, only users on the network or connected to the VPN are able to connect.
I have contacted support and they are doing some research, but thought maybe some in the community have done this before.
We will point everything to casper.domainname.com and regardless of internal or external, you will hit this management/distro point. This means we need to have everything as locked down as possible.
The server we have setup is a windows 2012 R2 server. Ideally we would have this behind an F5 Big-IP load balancer. This would remove the need to poke holes and expose to the machine through the firewall. We already have a wildcart cert from Entrust that we can use.
A few questions:
1) How do we change the cert from self-signed to use the 3rd party? Would this require changing the clients and how big of a hassle is it?
2) Right now, there is no real authentication that happens -- this seems to be a security issue, yeah?
3) I've found a few people have talked about using an F5 load balance by googling this information, so it's clearly been done before. How does the load balancer work in regards to casper and certs.
4) If you have done the process, have you had any security issues with doing this?
Posted on 06-02-2016 05:37 PM
1.) Assuming url is still the same you just go into Tomcat settings on the JSS and change the SSL cert. It will have you upload through the web interface. Then you just restart Tomcat and wala, new cert is used.
2.) What part are you referring to? Self Service or the jamf binary that runs on the machine? Self Service you can require auth and for the jamf binary you can force the clients to only connect to the JSS if the JSS has a valid trusted cert which only the valid server should have access to.
3.) as far as load balancer and certs you can have the load balancer handle the ssl termination and talk to The JSS over the non-ssl http port, or the opposite where the load balancer is a dumb pass through and the ssl termination happens on the JSS. In real load balancing scenarios with multiple servers behind the load balancer most setups I have seen do the former setup with ssl handled on the balancer. Just don't run the ssl cert on both the JSS and the load balancer even if it's the same cert or you will have weird issues that only happen in certain scenario is like DEP.
4.) on our f5 for our external facing JSS we treat the f5 as a dumb pass through and terminate ssl at the JSS
Posted on 06-02-2016 06:36 PM
Please have look here as well:
https://jamfnation.jamfsoftware.com/discussion.html?id=11409#responseChild65453