Enabling Self Service use over external network

New Contributor III

How exactly do I go about this?

We currently have a single distribution point set up, which functions over SMB, and users off the network cannot access any packages. If they try to download through SS the install will hang and fail, and then in the logs I see 'Could not mount distribution point'. If I enable HTTP/S on the distribution point, I get 'could not connect to HTTP server'.

Our users have to be connected to our internal network for anything other than minor scripts and configuration profile changes to work - anything that requires downloading packages fails 100% of the time.

What do I need to do to fix this, step by step? I am sure it requires server modification - I would like to avoid building a second JSS inside a DMZ, as I am not sure this should be totally necessary...

I am running my JSS on Windows Server 2016.

Any help greatly appreciated as I am at my wits end!



Hey @Backoffice

The usual way of achieving this is to cluster your JSS and have a webapp in the DMZ served by an externally accessible DP.

If this is not what you want to do, then the other way I can think of is to use a load balancer to direct internal / external traffic accordingly. The webapp serving external clients should have the JSS interface disabled.

For the DP, you can either use a cloud service (AWS/Rackspace/Akamai are natively supported in Jamf Pro if you don't want to overcomplicate things) or have an externally available (again via the load balancer) HTTPS DP.

Finally, you could host everything in the Cloud or go with the JamfCloud hosted option?

Hope this gives you some ideas

New Contributor III

If your machines can still talk to your JSS while they are outside your network and are failing to mount the server share I'd suggest using AWS for a distribution point. It's very simple and once you have the access keys generated and entered it basically sets itself up. You can use Casper Admin to replicate from your internal share to your cloud share whenever you add packages. Also, if you're using network segments you can change the default distribution point based on IP range.

Agree that if your machines can't hit the JSS from outside your network the correct way to go is a limited access JSS in the DMZ.

@rtrouton has an excellent step-by-step guide to setting up an AWS distribution point. Do the extra step and use the CloudFront signed URLs so your packages can't be scraped. Every step has a screenshot. Linked below. I used this guide for our 9.101 JSS a few days ago.