HTTPS Distribution point

kay-_-
New Contributor III

Hi all,

We've recently deployed Jamf Pro on-premises and made it available in the DMZ. We're planning on having an HTTPS DP available in the DMZ (Apache running on Debian). However, when I try to add the DP to Jamf Pro, it keeps asking me for the SMB share info and credentials, which this distribution point doesn't have. Is there any workaround for this issue? We do have a Samba share on the internal network, but I can't have an SMB share in the DMZ, and even if I could, our security team would laugh in my face.

 

Does anyone know how to get around this issue? Cloud Distribution points are not an option for us.

Thanks in advance!

1 ACCEPTED SOLUTION

jtrant
Valued Contributor

If you are self-hosting the HTTPS distribution point you will need to have SMB (389) open between the computer running Jamf Admin and your HTTPS distribution point. To the best of my knowledge Jamf cannot replicate to the server using any other method. Cloud Distribution Points are different, but you mentioned that's out of the question.

The share itself only talks to external clients over HTTPS (not SMB) so the ports do not need to be open over the internet, just from your internal network to the DMZ host. You could possibly look into scripting a cron job to copy the contents of your master distribution point to the DMZ host but this could introduce problems around file permissions, and Jamf Admin would have no way of knowing what's stored on the DMZ host.


4 REPLIES


guidotti
Contributor II

I know this is a few months old.

We have been running a DeltaCopy (rsync job) over port 873 from the client (internal Jamf Pro server) to the server (DMZ Jamf Pro server) for some years now. When admins need to upload new packages, they do so on the internal server, and it syncs over at 1 AM or when they manually run the job. That required us to open TCP port 873 between the internal server and the DMZ. I hope that helps.
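The sync job sketched in the accepted answer and in the DeltaCopy/rsync reply above has two weak spots both posters mention: file permissions on the DMZ side, and the fact that Jamf Admin never sees what actually landed there. The script below is an added example (not Jamf's code and not code from anyone in this thread) of a push that normalises modes for Apache and writes a SHA-256 manifest so the DMZ tree can be audited independently. Everything in it is an assumption for illustration: the master share is reachable as a plain directory (`master`), the DMZ Apache DocumentRoot is `dmz_root`, the manifest file name is made up, and a local copy stands in for the rsync transport; the sample packages in `demo()` are constructed, not real.

```python
"""
Mirror a master Jamf distribution point to an HTTPS-only DMZ host and
verify the copy with a SHA-256 manifest.

Added example, not Jamf's code and not from this thread.  Assumptions:
master share mounted as a directory, DMZ DocumentRoot as another, local
copy in place of the rsync/DeltaCopy transport.  Apache reads as an
unprivileged user, so modes are normalised to 0644/0755 on arrival.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644          # world-readable, owner-writable: what Apache needs
DIR_MODE = 0o755
MANIFEST_NAME = ".dp-manifest.sha256"   # hypothetical name; excluded from its own listing


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, tuple[int, str]]:
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return manifest


def write_manifest(root: Path, manifest: dict[str, tuple[int, str]]) -> Path:
    out = root / MANIFEST_NAME
    out.write_text("".join(f"{digest}  {size}  {rel}\n"
                           for rel, (size, digest) in sorted(manifest.items())))
    os.chmod(out, FILE_MODE)
    return out


def mirror(master: Path, dmz_root: Path) -> dict[str, int]:
    """One sync run: copy new/changed files, delete what the master no longer has,
    normalise permissions, write the manifest.  Returns counts for the cron log."""
    dmz_root.mkdir(parents=True, exist_ok=True)
    src, dst = build_manifest(master), build_manifest(dmz_root)
    stats = {"copied": 0, "deleted": 0, "unchanged": 0}
    for rel, entry in src.items():
        target = dmz_root / rel
        if dst.get(rel) == entry:
            stats["unchanged"] += 1
        else:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(master / rel, target)     # content only; mode set below
            stats["copied"] += 1
        os.chmod(target, FILE_MODE)                   # admin-only 0600 on master becomes 0644
    for rel in dst.keys() - src.keys():               # like rsync --delete
        (dmz_root / rel).unlink()
        stats["deleted"] += 1
    for d in [dmz_root, *dmz_root.rglob("*")]:
        if d.is_dir():
            os.chmod(d, DIR_MODE)
    write_manifest(dmz_root, src)
    return stats


def verify(master: Path, dmz_root: Path) -> list[str]:
    """Compare master and DMZ trees; an empty list means the DMZ copy is good."""
    src, dst = build_manifest(master), build_manifest(dmz_root)
    problems = []
    for rel in sorted(src.keys() | dst.keys()):
        if rel not in dst:
            problems.append(f"missing on DMZ: {rel}")
        elif rel not in src:
            problems.append(f"extra on DMZ: {rel}")
        elif src[rel] != dst[rel]:
            problems.append(f"hash mismatch: {rel}")
        elif stat.S_IMODE((dmz_root / rel).stat().st_mode) & 0o044 != 0o044:
            problems.append(f"not world-readable on DMZ: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample run in a temp dir: first sync, then drift, then re-sync."""
    base = Path(tempfile.mkdtemp(prefix="jamf-dp-"))
    master, dmz = base / "master", base / "dmz"
    (master / "Packages").mkdir(parents=True)
    (master / "Scripts").mkdir()
    (master / "Packages" / "Firefox-115.pkg").write_bytes(b"constructed pkg payload " * 1000)
    (master / "Packages" / "Chrome-116.pkg").write_bytes(b"another constructed payload")
    (master / "Scripts" / "setup.sh").write_text("#!/bin/sh\necho constructed\n")
    os.chmod(master / "Packages" / "Firefox-115.pkg", 0o600)   # admin-only on the master
    result = {"first": mirror(master, dmz)}
    result["after_first"] = verify(master, dmz)
    (dmz / "Packages" / "Old-1.0.pkg").write_bytes(b"stale")   # left behind on the DMZ
    (master / "Packages" / "Chrome-116.pkg").write_bytes(b"updated payload")
    result["drift"] = verify(master, dmz)
    result["second"] = mirror(master, dmz)
    result["after_second"] = verify(master, dmz)
    result["mode"] = stat.S_IMODE((dmz / "Packages" / "Firefox-115.pkg").stat().st_mode)
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In production the copy step would be the real transfer; `rsync -a --delete --chmod=D755,F644` over SSH gives the same permission normalisation as `mirror()` does here, and `verify()` (or the manifest it writes) is the part rsync does not give you. Running `verify()` from the internal side after each cron run is what tells you the DMZ tree matches the master, since Jamf Admin itself will not.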

We are able to use the same server as both the internal and external DP by making the external address inaccessible from internal (the URL won't resolve).

We then created 2 DPs, one for internal and one for external. For the internal one we fill in the usual info (server address, File Sharing and HTTPS credentials) as usual. For the external one we fill in the external address under General only; File Sharing and HTTPS are filled with fake info just to "save" the settings.

When we replicate, we replicate only to the internal one as it is really the same server.

Interesting approach!