External JSS Help

jonnydford
Contributor II

Hey,

Just looking for a bit of advice with a clustered JSS and certificates.

Has anyone else seen the following errors and if so how did you fix them?

Downloading required CA certificate(s)… There was an error. Error enrolling computer: Connection failure: “The request timed out.”

We've created a secondary external JSS with a jss.net hostname and an SSL cert.
Then we have an internal JSS with jss.local and a built in cert.

When we change it to .net on both JSS' then we receive the above error when trying to enrol.

1 ACCEPTED SOLUTION

daz_wallace
Contributor III
Contributor III

Cool, so for the external one, thats pretty much it.

For the internal clients / DNS you've got three choices:

1) Only point internal clients to the internal-only JSS

2) Add both internal IP addresses for both JSS servers into the DNS record and (I believe) the DNS servers should use round-robin to push clients to either JSS.

3) Put an internal Load Balancer between the two JSS servers on the internal DNS to intelligently load balance the connections (this may be overkill for your situation).

The golden rule is that your JSS clients can only talk to a single management URL. No Ifs or Buts. You can do some clever things using the DNS (possibly using CNAMEs) but this is the golden rule.

Good luck!

Darren

View solution in original post

7 REPLIES 7

daz_wallace
Contributor III
Contributor III

Hi @jonnydford

It looks like you're already doing it but both JSS' will need to respond to the same DNS name to work.

Once these are on the same hostname, you'll also need to change the Management URL in "Management settings" > "Global Management" > "JSS URL".

Finally, you'll also need to regenerate the SSL cert for each server in "Management settings" > "System Settings" > "Apache Tomcat Settings" > "Edit" Button

Once complete, this should work. You will likely need to recreate your quick add packages to use the new URL.

Hope that helps!

Darren

jonnydford
Contributor II

Thanks a lot, Daz.

Just to clarify, should I then set the DNS to have two DNS A records for jss.net:

jss.net > IP address of internal (.local) JSS 

jss.net > internal IP address of external (.net) JSS

daz_wallace
Contributor III
Contributor III

The DNS name you choose will need to be externally resolvable, probably something like "jss.[yourdomain].net" and then you'll need to do something called split DNS.

On your internal DNS, "jss.[yourdomain].net" should resolve to your .local JSS IP address. On your external (Public-facing) DNS, "jss.[yourdomain].net" should resolve to your external IP Address of your external JSS.

Hang on, is both of your clustered Tomcat servers internal only, or externally facing?

Darren

jonnydford
Contributor II

Ahh, I get you.

One is internal facing only, and the other is both internal and external facing.

daz_wallace
Contributor III
Contributor III

Cool, so for the external one, thats pretty much it.

For the internal clients / DNS you've got three choices:

1) Only point internal clients to the internal-only JSS

2) Add both internal IP addresses for both JSS servers into the DNS record and (I believe) the DNS servers should use round-robin to push clients to either JSS.

3) Put an internal Load Balancer between the two JSS servers on the internal DNS to intelligently load balance the connections (this may be overkill for your situation).

The golden rule is that your JSS clients can only talk to a single management URL. No Ifs or Buts. You can do some clever things using the DNS (possibly using CNAMEs) but this is the golden rule.

Good luck!

Darren

View solution in original post

jonnydford
Contributor II

Thanks a lot for your help @daz_dar

daz_wallace
Contributor III
Contributor III

No problem!