Considering adding a DMZ server

anpender
New Contributor

With a lot more of our workstations soon to be leaving campus for an unknown extended period, we're looking at quickly standing up a server in the DMZ so that we can continue to manage those systems while off campus.

I've got the basic instructions (https://www.jamf.com/jamf-nation/articles/174/installing-a-jamf-pro-web-application-in-the-dmz) and am thinking about the other practical implications/changes needed.

So far I've got:
- Right now our DEP process does not require login, because it only works on campus anyway. Once it works off campus, seems like requiring login would be a good idea.
- The article talks about running policies while off site or not (needing an externally accessible DP). Without the DP am I basically monitoring only? Will policies that don't include a package or script run OK? (Granted, that doesn't leave much, in my setup.)
- How complicated is it to set up an externally accessible DP?

What else should I be thinking about?


sdagley
Honored Contributor II

@anpender Are you using http, and preferably https, content delivery on your internal DP? For an external DP you really do not want to try and use SMB.

anpender
New Contributor

@sdagley The internal DP does have https turned on, fairly recently. I still have a few packages that refuse to distribute that way for whatever reason and fall back to SMB, but they are the exception and I believe they are all lab-related, so on-campus only. Do people usually set up a 2nd DP for external use, or just make the same internal one available externally by poking holes in the firewall?

sdagley
Honored Contributor II

@anpender It depends on your network security folks. Having a separate DMZ DP does add redundancy, however.

For http/https delivery you'll need your .pkg files to be "flat" packages.
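An added example (not from the thread or from Jamf): a Python check that inventories a distribution point folder and reports which packages are flat, relying on the fact that flat packages are xar archives whose first four bytes are `xar!`, while bundle-style packages are directories. The function names and the sample files in `demo()` are constructed for illustration.

```python
import os
import tempfile

XAR_MAGIC = b"xar!"  # flat packages are xar archives; the header starts with these bytes
PKG_SUFFIXES = (".pkg", ".mpkg")


def classify_pkg(path):
    """Return 'flat', 'bundle' or 'unknown' for one package path."""
    if os.path.isdir(path):
        return "bundle"  # bundle-style package: a directory, not a single file
    try:
        with open(path, "rb") as fh:
            return "flat" if fh.read(4) == XAR_MAGIC else "unknown"
    except OSError:
        return "unknown"  # unreadable file: flag it for manual review


def audit_share(root):
    """Walk a DP folder and map each package (path relative to root) to its type."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name.lower().endswith(PKG_SUFFIXES):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify_pkg(full)
                dirnames.remove(name)  # do not descend into the bundle itself
        for name in filenames:
            if name.lower().endswith(PKG_SUFFIXES):
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify_pkg(full)
    return results


def demo():
    """Build a constructed sample share in a temp folder and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Flat.pkg"), "wb") as fh:
            fh.write(XAR_MAGIC + b"\x00" * 24)  # constructed xar-like header
        os.makedirs(os.path.join(root, "Legacy.pkg", "Contents"))  # bundle layout
        with open(os.path.join(root, "Broken.pkg"), "wb") as fh:
            fh.write(b"PK\x03\x04")  # constructed: a zip renamed to .pkg
        return audit_share(root)


if __name__ == "__main__":
    for rel, kind in sorted(demo().items()):
        print(f"{kind:8} {rel}")
```

Point `audit_share()` at the real package folder to list anything that is not `flat` before exposing the DP over https.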

Hugonaut
Valued Contributor

What kind of server will host your distribution point, Windows or Linux?

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

anpender
New Contributor

@Hugonaut Windows.

Hugonaut
Valued Contributor

@anpender Ahhhh darn, if it was Linux I would be able to provide assistance. I have no experience creating an externally facing HTTPS Jamf DP on Windows.


kerouak
Valued Contributor

To run any policies externally, you MUST have a distribution point in the DMZ (or externally accessible).

jbisgett
Contributor

@Hugonaut We are looking at adding an externally accessible DP for our site as well, for prestage enrollments, as well as enabling our Self-Service policies to work off site. Our environment is clustered, the webapps are Ubuntu virtuals in the DMZ, with our certificate on the load balancer.

Would you be able to provide some insight on how to accomplish this?