Help

Considering adding a DMZ server

anpender
New Contributor

Posted on β€Ž03-12-2020 07:21 AM

With a lot more of our workstations soon to be leaving campus for an unknown extended period, we're looking at quickly standing up a server in the DMZ so that we can continue to manage those systems while off campus.

I've got the basic instructions (https://www.jamf.com/jamf-nation/articles/174/installing-a-jamf-pro-web-application-in-the-dmz) and am thinking about the other practical implications/changes needed.

So far I've got:
- Right now our DEP process does not require login, because it only works on campus anyway. Once it works off campus, seems like requiring login would be a good idea.
- The article talks about running policies while off site or not (needing an externally accessible DP). Without the DP am I basically monitoring only? Will policies that don't include a package or script run OK? (Granted, that doesn't leave much, in my setup.)
- How complicated is it to set up an externally accessible DP?

What else should I be thinking about?

Labels:
0 Kudos
8 REPLIES 8

sdagley
Honored Contributor II

Posted on β€Ž03-12-2020 07:48 AM

@anpender Are you using http, and preferably https, content delivery on your internal DP? For an external DP you really do not want to try and use SMB.

0 Kudos

anpender
New Contributor

Posted on β€Ž03-12-2020 07:51 AM

@sdagley The internal DP does have https turned on, fairly recently. I still have a few packages that refuse to distribute that way for whatever reason and fall back to SMB, but they are the exception and I believe they are all lab-related, so on-campus only. Do people usually set up a 2nd DP for external use, or just make the same internal one available externally by poking holes in the firewall?

0 Kudos

sdagley
Honored Contributor II

Posted on β€Ž03-12-2020 07:58 AM

@anpender It depends on your network security folks. Having a separate DMZ DP does add redundancy however.

For http/https delivery you'll need your .pkg files to be "flat" packages

0 Kudos

Hugonaut
Valued Contributor

Posted on β€Ž03-12-2020 09:40 AM

What kind of Server will host your Distribution point, Windows / Linux ?

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
0 Kudos

anpender
New Contributor

Posted on β€Ž03-12-2020 09:44 AM

@Hugonaut Windows.

0 Kudos

Hugonaut
Valued Contributor

Posted on β€Ž03-12-2020 10:19 AM

@anpender ahhhh darn if it was linux i would be able to provide assistance, i have no experience creating an externally facing HTTPS Jamf dp on windows

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
0 Kudos

kerouak
Valued Contributor

Posted on β€Ž03-13-2020 02:08 AM

to tun any policies externally, you MUST have a distribution point in the DMX (or externally accessible)

0 Kudos

jbisgett
Contributor

Posted on β€Ž05-19-2020 06:51 PM

@Hugonaut We are looking at adding an externally accessible DP for our site as well, for prestage enrollments, as well as enabling our Self-Service policies to work off site. Our environment is clustered, the webapps are Ubuntu virtuals in the dmz, with our certificate on the load balancer.

Would you be able to provide some insight on how to accomplish this?

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.