Changing Port from 8443 to 443 on-prem hosted

Matt_Roy93
Contributor

Changing Port from 8443 to 443 on-prem hosted Windows Server clustered JSS environment running 10.41, we have been asked to make a change to the host port and currently have many devices enrolled, is there a way to preserve or re-enroll devices with a new MDM URL with minimal impact or this just wishful thinking?

9 REPLIES 9

AJPinto
Honored Contributor III

Yuck. I dont see this ending well. I have a feeling you will need to reprovision your feet if you want to change your URL. DNS Shenanigans may work, but that kinda defeats the purpose.

 

Just for my own curiosity. Why are you being asked to change from 8443 to 443? Tomcat uses 8443 specifically to avoid conflicts. Personally I wish JAMF would move off Tomcat as its freeware and support is horrible when things get deep, but it is what it is.

Matt_Roy93
Contributor

I got blindsided by this request, the reason is related to our web firewall not supporting 8443 due to its cloud nature once migrated... Basically all signs point towards re-enrollment of thousands of devices which is not ideal, it appears in our lower environment for external access to work over our DMZ server I had to change the actual URL in JSS Settings and restart Tomcat.  I have a request out to Jamf to see what is possible here I would assume when customers migrate from on-prem to cloud that would involve a URL change do they really ask customers to re-enroll all devices? Just trying to minimize impact.

AJPinto
Honored Contributor III

to reiterate, yikes :).

When you migrate JAMF Servers from what i understand JAMF has you do stuff on the DNS side to make the Macs think they are talking to the same server. I have discussed the migration to JAMF Cloud a time or two but not actually done it, and that is what I remember from the calls. With any luck we will move to JAMF Cloud this year, but we will see. 

 

Please update with your findings :).

 

dlondon
Valued Contributor

When migrating to cloud you don't need to change the URL.  We kept ours.  The DNS entry has to change to wherever the Jamf Migration Engineer tells you to point it.  There is a little bit of work to allow the certificate for the https to be created by them as they aren't the owners of the domain but Jamf has done this a lot so are quite competent at getting that done.

By doing it this way you don't have to re-enroll.

The downside of doing it this way is you take across any baggage you had in the server.  If you re-enroll, you can make a completely new server

Matt_Roy93
Contributor

Thanks! I will keep this updated when I find out more.

Phantom5
Contributor II

Maybe you could do some reverse proxying or use your firewall to redirect 443 to 8443 internally. We manage several Jamf Pro servers and in some cases we have set up a reverse proxy in front of the JSS, in other cases, we went with a firewall redirecting.

Matt_Roy93
Contributor

This is something we are actively exploring thank you for that information, are you experiencing any limitations to external traffic when this is configured to redirect or reverse proxy?

Phantom5
Contributor II

Nope, not at all. Actually our policy is to mess the least possible with JSS. Most of the changes will end up being overwritten after an upgrade.

Matt_Roy93
Contributor

Nice that makes sense, thanks for the info