DMZ Server with distribution point - DP needs publicly accessible hostname?

grahamfw
New Contributor III

We have a Master JSS on a Mac and a DMZ webapp that has its own DP. We use split DNS to determine which JSS you hit based on your connection.

Is it necessary to create a separate publicly available A record for the distribution point as well? In the JSS, we have configured it to use the LAN IP/hostname, but when a connection comes through the DMZ webapp, it links the LAN IP/host URL, which will fail for all external clients.

I've been getting by by using the split DNS hostname for our DMZ distribution point in the JSS settings (so the connecting agent simply connects to the DP at splitdnsjss.company.com name) but that fails me when I attempt to run replication in Casper Admin.

What are you guys doing for this in your environments?

Graham


davidacland
Honored Contributor II

We generally don't relate DPs to tomcat servers. So for the tomcat side, we have the overall DNS name like "casper.company.com". Each tomcat server then gets its own A record like "tomcat1.company.com" and "tomcat2.company.com". "casper.company.com" is then just a CName that points to the relevant server, depending on whether you are internal or external.

When it comes to the DPs we normally want to point the clients to their fastest or closest one, so each server gets its own A record and we add that to the JSS. Some are internal only, but for the external DPs, whatever hostname or IP you put into the JSS, needs to be resolvable and reachable by the client.

In the case of replication, you just need to make sure that the machine initiating the connection can resolve the name of the other DP and reach it on the relevant port, otherwise it will fail. FWIW, I prefer to use custom rsync scripts for DP replication as it is more schedulable, you can use size and file type filters and a few other reasons.

Not sure if that's any help?
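
An added example (not from any poster in this thread) for the point above that whatever hostname or IP goes into the JSS must be resolvable and reachable by the client: it reads "name url" lines for the configured DPs, resolves each host and flags any DP sitting on a private address, which a client that split DNS steered to the DMZ web app can never reach. The DP names, URLs and addresses are constructed, and `dig` is assumed for hostname lookups.

```bash
# Print "private" for RFC 1918, loopback and link-local IPv4 addresses,
# "public" otherwise; return 1 if the argument is not a dotted quad.
classify_ipv4() {
  local IFS=. o
  set -f; set -- $1; set +f            # split on dots, no glob expansion
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  if [ "$1" -eq 10 ] || [ "$1" -eq 127 ] || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; } ||
     { [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; } || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; }
  then echo private; else echo public; fi
}

# Host part of an afp://, smb:// or http(s):// DP URL (user info, port and share path removed).
url_host() {
  local h="${1#*://}"
  h="${h%%/*}"; h="${h##*@}"; h="${h%%:*}"
  printf '%s\n' "$h"
}

# IPv4 for a host: literals pass through, names are looked up with dig
# (present on macOS and Linux). Returns 1 when nothing resolves.
resolve_ipv4() {
  local ip
  if classify_ipv4 "$1" >/dev/null; then ip=$1
  else ip=$(dig +short "$1" A 2>/dev/null | grep -m1 -E '^[0-9.]+$'); fi
  [ -n "$ip" ] && printf '%s\n' "$ip"
}

# Read "<dp-name> <url>" lines on stdin. A DP on a private address is fine for
# LAN clients but unreachable for anyone split DNS steered to the DMZ web app.
audit_dps() {
  local name url host ip verdict
  while read -r name url; do
    [ -n "$name" ] || continue
    host=$(url_host "$url")
    if ! ip=$(resolve_ipv4 "$host"); then echo "$name UNRESOLVABLE $host"; continue; fi
    if [ "$(classify_ipv4 "$ip")" = private ]; then verdict=LAN-ONLY; else verdict=EXTERNAL-OK; fi
    echo "$name $verdict $host $ip"
  done
}
# Constructed sample inventory (made-up names and addresses, not a real site).
audit_dps <<'EOF'
HQ-DP smb://10.20.30.40/CasperShare
DMZ-DP afp://casperadmin@203.0.113.10:548/CasperShare
Lab-DP http://192.168.5.9/CasperShare/Packages
EOF
```

Run it once from inside the LAN and once from an external host: a DP that shows EXTERNAL-OK internally but UNRESOLVABLE outside is exactly the missing public A record described in the question.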

jhbush
Valued Contributor II

@grahamfw we do essentially what @davidacland does as well. The scheduled rsync or robocopy for Windows folks is the better choice over manual syncing. Below is a sample of a syncing script that could be used with a launch agent.

```bash
#!/bin/bash

# This script will sync JAMF CasperShare servers: it pushes the local share to
# every host in HOSTS over rsync/ssh. Run it from a launch agent on the master DP;
# the account in SYNC_USER needs SSH key access to each target and write access to DST.

SYNC_USER="administrator"                 # Remote account (not $USER, so the login name is not clobbered)
HOSTS=(your.host.here)                    # Target host names, space separated
DST="/Users/Shared/CasperShare/"          # Target directory -- CasperShare
SOURCE_DIR="/Users/Shared/CasperShare/"   # Source directory from CasperShare
STATUS="/logs/datasync.status"            # Log file; the directory must already exist
TODAY=$(date)

for i in "${HOSTS[@]}"; do
    echo "===== Beginning rsync of $i  Date: $TODAY =====" >> "$STATUS"

    # -a keeps permissions/ownership/times, -hv/--progress/--stats are for the log,
    # --delete removes files on the target that no longer exist on the source.
    # rsync has many non-zero exit codes (1 usage, 23/24 partial transfer, 255 ssh
    # failure), so test for any failure rather than only for "1".
    if ! nice -n 20 /usr/bin/rsync -ahv -e ssh --delete --progress --stats "$SOURCE_DIR" "$SYNC_USER@$i:$DST"; then
        echo "FAILURE : rsync to $i failed." >> "$STATUS"
        exit 1
    fi

    echo "===== Completed rsync of $i Date: $TODAY =====" >> "$STATUS"
done

echo "SUCCESS : rsync completed successfully" >> "$STATUS"
```

grahamfw
New Contributor III

Thanks guys. I'm more perplexed about how this was working for connecting clients previously, since I think we've always had the local IP/host of the DP configured in the JSS.

I'll look into utilizing a script for syncing CasperShare and create a publicly available A record for our DMZ DP.

Graham

rderewianko
Valued Contributor II

I created this diagram explaining the basics: [diagram: the flow]