Question

Considering adding a DMZ server



With a lot more of our workstations soon to be leaving campus for an unknown extended period, we're looking at quickly standing up a server in the DMZ so that we can continue to manage those systems while off campus.

I've got the basic instructions (https://www.jamf.com/jamf-nation/articles/174/installing-a-jamf-pro-web-application-in-the-dmz) and am thinking about the other practical implications/changes needed.

So far I've got:
- Right now our DEP process does not require login, because it only works on campus anyway. Once it works off campus, seems like requiring login would be a good idea.
- The article talks about running policies while off site or not (needing an externally accessible DP). Without the DP am I basically monitoring only? Will policies that don't include a package or script run OK? (Granted, that doesn't leave much, in my setup.)
- How complicated is it to set up an externally accessible DP?

What else should I be thinking about?

8 replies

sdagley
  • Jamf Heroes
  • 3540 replies
  • March 12, 2020

@anpender Are you using http, and preferably https, content delivery on your internal DP? For an external DP you really do not want to try and use SMB.


  • Author
  • Contributor
  • 11 replies
  • March 12, 2020

@sdagley The internal DP does have https turned on, fairly recently. I still have a few packages that refuse to distribute that way for whatever reason and fall back to SMB, but they are the exception and I believe they are all lab-related, so on-campus only. Do people usually set up a 2nd DP for external use, or just make the same internal one available externally by poking holes in the firewall?


sdagley
  • Jamf Heroes
  • 3540 replies
  • March 12, 2020

@anpender It depends on your network security folks. Having a separate DMZ DP does add redundancy, however.

For http/https delivery you'll need your .pkg files to be "flat" packages.
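
An added example, not part of the original post and not Jamf's own tooling: a Python sketch that audits a package share for non-flat packages before it is served over HTTPS. It assumes a flat package is a single xar archive (leading bytes `xar!`) and a bundle-style package is a directory; the file names and sample share are constructed.

```python
import os
import tempfile

XAR_MAGIC = b"xar!"  # leading bytes of a xar archive, the container of a flat package
PKG_SUFFIXES = (".pkg", ".mpkg")

def classify_file(path):
    """Return 'flat' if the file starts with the xar magic, else 'unknown'."""
    try:
        with open(path, "rb") as fh:
            return "flat" if fh.read(4) == XAR_MAGIC else "unknown"
    except OSError:
        return "unknown"

def audit_share(root):
    """Map each package under root (relative path) to flat/bundle/unknown."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name.lower().endswith(PKG_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                results[rel] = "bundle"   # directory package: not servable as one file
                dirnames.remove(name)     # do not descend into the bundle
        for name in filenames:
            if name.lower().endswith(PKG_SUFFIXES):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify_file(full)
    return results

def build_sample_share(root):
    """Constructed sample data: one flat, one bundle, one non-xar file."""
    with open(os.path.join(root, "Flat.pkg"), "wb") as fh:
        fh.write(XAR_MAGIC + b"\x00" * 24)   # stand-in for a xar header
    os.makedirs(os.path.join(root, "Bundle.pkg", "Contents"))
    with open(os.path.join(root, "Bundle.pkg", "Contents", "Inner.pkg"), "wb") as fh:
        fh.write(XAR_MAGIC)                  # inside a bundle: not reported separately
    with open(os.path.join(root, "Zipped.pkg"), "wb") as fh:
        fh.write(b"PK\x03\x04")              # zip header, so not a flat package

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, kind in sorted(audit_share(share).items()):
            print(f"{kind:8} {rel}")
```

Anything reported as `bundle` or `unknown` is a candidate for rebuilding as a flat package before the DP is exposed externally.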


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • March 12, 2020

What kind of server will host your distribution point, Windows / Linux?


  • Author
  • Contributor
  • 11 replies
  • March 12, 2020

@Hugonaut Windows.


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • March 12, 2020

@anpender Ahhhh darn, if it was Linux I would be able to provide assistance. I have no experience creating an externally facing HTTPS Jamf DP on Windows.


  • Valued Contributor
  • 389 replies
  • March 13, 2020

To run any policies externally, you MUST have a distribution point in the DMZ (or externally accessible).


jbisgett
  • Honored Contributor
  • 107 replies
  • May 20, 2020

@Hugonaut We are looking at adding an externally accessible DP for our site as well, for prestage enrollments, as well as enabling our Self-Service policies to work off site. Our environment is clustered, the webapps are Ubuntu virtuals in the DMZ, with our certificate on the load balancer.

Would you be able to provide some insight on how to accomplish this?

