Distribution Point in DMZ

ndudley
Contributor

I am trying to figure out how to put a distribution point on our DMZ that can talk to the main DP on the LAN. I have looked at all the documentation on setting the JSS up on a DMZ, but it is pretty lacking in information and I must say I am a little confused.

Here is the goal of what I need to accomplish:

- Clients that are managed will be able to download software from Self Service outside of our LAN
- I need to replicate the master DP to the external DP

I am a little confused as to what steps I need to take to get this process started. I am running my current setup (on the LAN) on a 10.8 Mac server and will be running a 10.8 VM server to serve as the external DP. I currently have MySQL and everything else installed on the VM - I was going off of the article about JSS in the DMZ, but now I am stuck and can't seem to get the master to replicate to the VM.

How do I set up a DP that talks to the internal master so clients can download software outside of the LAN?

12 REPLIES

talkingmoose
Moderator

DMZ servers typically have two network interfaces (NICs). One NIC is connected to the internal LAN and the other is connected to the Internet (with a suitable firewall in place that allows only certain traffic to pass).

So, first question: Does your DMZ distribution point server have two NICs configured?

Second question: Is your JSS accessible both on the LAN and to the Internet? If not, do you have a second JSS in the DMZ for clients reporting from the Internet?

The Certified JSS Administrator course may interest you if you need to set up multiple JSS systems.

daworley
Contributor II

Hi Nichele!

Another option might be something along these lines, leveraging Box.com for a public CasperShare:
http://bryson3gps.wordpress.com/2013/02/06/using-box-as-a-casper-share/

bentoms
Release Candidate Programs Tester

Hi Nichele,

I've done what you're attempting, except we are using real Mac servers & not VMs.

I'm on holiday for a few more days, I'll try & respond when back.

nessts
Valued Contributor II

I am using a reverse proxy on the external server pointing to the HTTP share on the internal server; that way you don't have to have space on the external server and no replication...

ndudley
Contributor

Hi Bentoms-

No pressure, but I wanted to see if you have any updated information that could help me? Thanks!

rderewianko
Valued Contributor II

I'd second the post about using box.com. Took it one step further: since you are using an actual server, install the Box sync tool on it and let it auto-upload that content to box.com. Just remember to never try and sync to it in Casper Admin. It won't work.

This takes the strain off your network to supply that content externally.

easyedc
Valued Contributor II

How'd this turn out? I've just gotten my DMZ JSS set (literally today) and am in the process of configuring a DP out there. I am 100% positive our Server team and Security would flip if I suggest a public Box.com account.

ndudley
Contributor

I had to put a hold on it because things got busy, but I am on the same page as you. We don't want to use a Box account to transfer anything, and now I am also looking at adding another DP in Amsterdam and need to get that configured, so I am still at the starting point.

spotter
New Contributor III

@nessts... Could you email more detail around setting up the reverse proxy on the DMZ server?

My setup is as follows - Windows VM Server in the DMZ with limited access and XServe internal.

Currently external clients are checking in but not able to see apps within Self Service.

Thanks in advance.... ::sp

nessts
Valued Contributor II

On my Mac server and my Linux server, which do the same thing running the Apache web server, I created a reverse.conf file.
You would replace internal server with your real internal server; you have to have 80 and/or 443 open between them for that traffic to pass.

ProxyPass /CasperShare http://internalserver/CasperShare
ProxyPassReverse / https://internalserver/
ProxyPassReverse / http://internalserver/
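
The reverse proxy described in the post above, written out as a complete virtual host with the share path as the only thing exposed. This is an added example, not nessts' file or part of the original post; it assumes Apache 2.4 syntax, and dp.example.com and the certificate paths are placeholders.

```apache
# Added example (not from the thread). Placeholders: dp.example.com, the
# certificate paths. "internalserver" is the stand-in name used in the post.
# Assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_ssl loaded.

# Never act as a forward (open) proxy; only the ProxyPass mapping is served.
ProxyRequests Off

<VirtualHost *:443>
    ServerName dp.example.com

    # TLS on the Internet-facing side of the DMZ host.
    SSLEngine on
    SSLCertificateFile    /path/to/dp.example.com.crt
    SSLCertificateKeyFile /path/to/dp.example.com.key

    # Forward only the share path. Requests for any other path are not
    # sent to the internal server.
    ProxyPass        /CasperShare http://internalserver/CasperShare
    ProxyPassReverse /CasperShare http://internalserver/CasperShare

    # Package downloads only need GET and HEAD; refuse every other method
    # so the DMZ host cannot be used to write to the internal share.
    # On Apache 2.2, use "Order deny,allow" and "Deny from all" instead
    # of "Require all denied".
    <Location /CasperShare>
        <LimitExcept GET HEAD>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>
```

The firewall between the DMZ host and the LAN then only needs the one port used in the ProxyPass target open, from the DMZ host to the internal server.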

msample
Contributor II

@nessts Can you share the reverse.conf file script? Thanks.

nessts
Valued Contributor II

Well, it's not a script; it's a conf file for Apache, and the contents of said file are in my last post on 9/5/13.