External Access to JSS

dalley
New Contributor

Hi All,

I am looking to make our JSS instance available to external devices. I have read https://jamfnation.jamfsoftware.com/article.html?id=174. I am wondering if this is the only option or is it possible to make the JSS available to external devices via a reverse proxy such as an F5 gateway? I am ok if a JSS instance in the DMZ is the way to go, but just thinking if there is another way to do it without an additional server.

My initial thinking is that if the external devices only need to talk to the JSS server on port 8443 & port 80/443 to the distribution point (we have JSS & DP on the same server), would it be possible to create a virtual server on the F5 that the external devices connect to and then simply forwards requests on these ports to the internal JSS server rather than having to build and install JSS on a dedicated server in our DMZ?

Has anyone tried this before? My only concern would be the security side of it and essentially allowing devices to connect all the way through to an internal server on port 80/443/8443.

I have also raised a support call with JAMF Support just to get their feedback on it, but thought I would also ask the question here.

Thoughts?

Cheers
Dave

5 REPLIES 5

chriscollins
Valued Contributor

It's best security-wise to put a second server in DMZ. Otherwise you are making your admin login page available to the outside world.

dalley
New Contributor

Thanks Chris,

That is a good point. I did also just get a response from JAMF Support stating that yes it is possible and they do have some customers using a reverse proxy in this way along with some that just use port forwarding. They did also mention that the DMZ is the most secure option for the same reason you pointed out, but is not that critical if you have strong usr/pwd.

I will have some discussions with a few colleagues and work out what will be best for us and how security conscious we want/need to be.

calumhunter
Valued Contributor

even if you have a strong user/pass you are open to brute force attacks as I don't believe there is not any rate limiting on the logins to the jss.

do it right, do it once - spin up a new VM and add a jss app server to the dmz

my 2c :)

davidacland
Honored Contributor II

I would go for the limited access JSS in the DMZ personally. It's well documented and follows a more "normal" and hopefully therefore more supported setup.

franton
Valued Contributor III

Limited access DMZ is the way to go. @andrewseago has a good video on JSS architecture here https://www.youtube.com/watch?v=IajeO8NGTjw