Posted on 03-12-2020 07:21 AM
With a lot more of our workstations soon to be leaving campus for an unknown extended period, we're looking at quickly standing up a server in the DMZ so that we can continue to manage those systems while off campus.
I've got the basic instructions (https://www.jamf.com/jamf-nation/articles/174/installing-a-jamf-pro-web-application-in-the-dmz) and am thinking about the other practical implications/changes needed.
So far I've got:
- Right now our DEP process does not require login, because it only works on campus anyway. Once it works off campus, seems like requiring login would be a good idea.
- The article talks about running policies while off site or not (needing an externally accessible DP). Without the DP am I basically monitoring only? Will policies that don't include a package or script run OK? (Granted, that doesn't leave much, in my setup.)
- How complicated is it to set up an externally accessible DP?
What else should I be thinking about?
Posted on 03-12-2020 07:48 AM
@anpender Are you using http, and preferably https, content delivery on your internal DP? For an external DP you really do not want to try and use SMB.
Posted on 03-12-2020 07:51 AM
@sdagley The internal DP does have https turned on, fairly recently. I still have a few packages that refuse to distribute that way for whatever reason and fall back to SMB, but they are the exception and I believe they are all lab-related, so on-campus only. Do people usually set up a 2nd DP for external use, or just make the same internal one available externally by poking holes in the firewall?
Posted on 03-12-2020 07:58 AM
@anpender It depends on your network security folks. Having a separate DMZ DP does add redundancy, however.
For http/https delivery you'll need your .pkg files to be "flat" packages.
Posted on 03-12-2020 09:40 AM
What kind of server will host your distribution point, Windows / Linux?
Posted on 03-12-2020 09:44 AM
@Hugonaut Windows.
Posted on 03-12-2020 10:19 AM
@anpender Ahhhh darn, if it was Linux I would be able to provide assistance. I have no experience creating an externally facing HTTPS Jamf DP on Windows.
Posted on 03-13-2020 02:08 AM
To run any policies externally, you MUST have a distribution point in the DMZ (or externally accessible).
Posted on 05-19-2020 06:51 PM
@Hugonaut We are looking at adding an externally accessible DP for our site as well, for prestage enrollments, as well as enabling our Self-Service policies to work off site. Our environment is clustered, the webapps are Ubuntu virtuals in the DMZ, with our certificate on the load balancer.
Would you be able to provide some insight on how to accomplish this?