Connect LDAP with Jamf Cloud

jpilege
New Contributor III

I'm not sure how to put this or explain it, but going to try my best.

We moved over from an on-premise server for JAMF Pro to the Cloud. We wanted to connect LDAP with the JSS to provide the option with authenticating to Macs through the DEP process. We installed JIM (JAMF Infrastructure Server) on a DMZ server. The DMZ is NAT'd behind an external IP and according to some documentation, NAT isn't supported.

We still have our on-premise server that I use to move devices from the Cloud server to that server on the DEP portal for Apple. Once I move it, I can use the old server to authenticate and then move it over to the Cloud. This works, but wanted to get it working with the Cloud and outside our network. Other than this, everything seems to be working.

I wanted to see what the popular setup was to get this working.

Let me know if there are any questions or if any more information is needed.

Thanks!


wmateo
Contributor

@jpilege how did you get this working? I am going through the same now.

jwojda
Valued Contributor II

Have you looked into this? I believe that's what Jamf Infrastructure manager is for.

A Jamf Infrastructure Manager instance is a service that is managed by the Jamf Software Server (JSS). It can be used to host the following: LDAP Proxy—This allows traffic to pass securely between a JSS and an LDAP directory service. The Infrastructure Manager and the LDAP Proxy typically reside within the DMZ. The LDAP Proxy requires integration with an LDAP directory service. For more information, see the LDAP Proxy section in the Casper Suite Administrator’s Guide. Healthcare Listener—This allows traffic to pass securely from a healthcare management system to a JSS. For more information, see the Healthcare Listener section in the Casper Suite Administrator’s Guide. When you install an instance of the Infrastructure Manager, the JSS allows you to enable the LDAP Proxy or the Healthcare Listener. Infrastructure Manager instances can be installed on Linux and Windows. For more information, see Installing a Jamf Infrastructure Manager Instance.

jpilege
New Contributor III

@wmateo I didn't get anything to work. I tried to work with my Security and Networking teams, but didn't get far due to other projects. I ended up not requiring authentication. This way the employee continues to Wifi, selects Wifi, then continues on the Profile prompt and adds their user account. After that JAMF installs all required software and it's done. Then the long process of setting up accounts for email, instant messaging and other apps that they need for their job, but more time consuming than hard. haha

I'd love to connect though and see what you have done and maybe it's something we've tried or haven't tried. Would be curious to see if we can get this working as it provides another level of security if, say, the computer is lost or stolen. No one will be able to log in to use the device even after wiping it.

jpilege
New Contributor III

@jwojda We do have JIM installed, but at the time of this post NAT wasn't supported to bypass from the cloud to our AD servers through the DMZ. I'm not a big networking guy so I don't know the details on this, but from my understanding with our rep and my team, it won't work for us until NAT becomes supported.

wmateo
Contributor

@jpilege Yeah for sure! I am still in the process of figuring out all the networking moving parts with my security team.

jcline
New Contributor III

You just have to make sure your server has either a hostname or a public IP address. You can have your security team either open up only certain ports or, like the state dept of ed did here, only allow connections from Jamf's range. After that, you should be able to connect to it.

You'll want to have it set up with LDAPS for security reasons though.

jpilege
New Contributor III

@jcline Yeah, that's what my Security team doesn't want to do. They want to NAT the connection through vs. having a public IP or hostname for it. That was a solution or suggestion from JAMF to try and see if that works, but it was denied on our side. :(

talkingmoose
Moderator

Jamf Infrastructure Manager (JIM) is a reverse proxy server. It's written in a way that most setups require the server to be able to resolve a public DNS name to the private IP address of the server itself. A DNS or hosts file entry generally gets it working. This lets the software bind correctly to the network port and start up.

Then ensure your external firewall allows traffic from the published list of Jamf Cloud IP addresses on the appropriate port (8389 by default). And ensure the JIM server can access Active Directory internally on port 389 (LDAP) or 636 (LDAPS). If using 636 internally, you'll want to upload the root CA certificate that signed Active Directory's SSL to the LDAP server connection in Jamf Pro.

These are basic instructions and won't necessarily cover every scenario.

Speak first with your network administrators and ask if they have something already in place that can act as a reverse proxy such as an F5 load balancer, Palo Alto or Aruba device. You're not required to use JIM to make this work. And you're more likely to get buy-in from them for something they control.
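A pre-flight script covering the checks in this post (the public name resolving to the server's own private IP, Jamf Cloud source ranges on 8389, AD reachability on 389/636, and the LDAPS chain against the root CA to be uploaded). This is an added example, not Jamf's or the poster's code; the hostnames, IPs and CIDRs are placeholders, and the Jamf Cloud ranges must come from Jamf's published list.

```python
import ipaddress
import socket
import ssl

# Added example, not Jamf's code. Hostnames, IPs and CIDRs used here are placeholders.
JIM_PORT = 8389                   # default port Jamf Cloud uses to reach the JIM LDAP proxy
LDAP_PORT, LDAPS_PORT = 389, 636  # JIM -> Active Directory

def name_resolves_to_private_ip(hostname, resolver=socket.gethostbyname):
    """JIM wants its public DNS name to resolve, on the JIM host itself, to the
    server's own private address; a hosts-file entry is the usual fix. Returns (ok, ip)."""
    try:
        ip = resolver(hostname)
    except OSError:
        return False, None
    return ipaddress.ip_address(ip).is_private, ip

def hosts_file_entry(hostname, private_ip):
    """Line to append to /etc/hosts (or the Windows hosts file) so the name binds locally."""
    ipaddress.ip_address(private_ip)  # raises ValueError on a malformed address
    return f"{private_ip}\t{hostname}"

def source_allowed(src_ip, jamf_cloud_cidrs):
    """Firewall-rule sanity check: is src_ip inside one of the published Jamf Cloud
    ranges? Take the list from Jamf's documentation, never from this file."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in jamf_cloud_cidrs)

def port_reachable(host, port, timeout=3.0):
    """TCP connect test: run on the JIM host against AD (389/636), or from outside
    against the JIM host on 8389."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ldaps_chain_verifies(host, ca_file, port=LDAPS_PORT, timeout=3.0):
    """Check AD's LDAPS certificate against the root CA you plan to upload to the LDAP
    server connection in Jamf Pro; False means that upload will not satisfy Jamf Pro."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is an OSError subclass
        return False
```

Run `name_resolves_to_private_ip` and `port_reachable(dc, LDAPS_PORT)` on the JIM host itself, and `port_reachable(jim_host, JIM_PORT)` from outside the DMZ, to see which of the three hops is the one your networking team still needs to open.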

spalmer
Contributor III

@talkingmoose we were just about to start going down the path of setting up the Jamf Infrastructure Manager, so this is interesting to learn as we have had an F5 appliance for quite a few years. Do you, or anyone else reading this, have documentation for setting this up on both sides (Jamf Pro and F5) that you could share? We can probably work with our network team to figure this out, but anything to give us a head start would be greatly appreciated.

talkingmoose
Moderator

@spalmer, Jamf can't support load balancers. That'll need to be done by your network administrators. The only information they'll need to know is that they need to configure a reverse proxy to allow traffic from your Jamf Cloud instance to an internal domain controller or a network that will allow you to resolve your directory service's domain name and find the nearest LDAP server.

Information for configuring Jamf Infrastructure Manager is here:

https://docs.jamf.com/infrastructure-manager/1.3.2/Jamf_Infrastructure_Manager_Overview.html

When that's complete, you'll configure your directory service with the LDAP proxy in Jamf Pro:

https://docs.jamf.com/10.15.0/jamf-pro/administrator-guide/LDAP_Proxy.html