Infrastructure Manager/LDAP Proxy

PhillyPhoto
Contributor III

I'm trying to get the LDAP proxy working on my new cloud instance, but I'm running into a wall. I have my firewall configured to go to https://mycloud.jamfcloud.com on ports 80, 8443, 443, 8389, 8636. I was able to enroll my server and can see it successfully checking in when I go to the settings.

I then configured an LDAP server to use the IM proxy. When I go to test, it fails after about 15 seconds. I followed this guide. One thing that sticks out from that guide to me however is the following:

The Active Directory Server will send its response back to the Jamf Infrastructure Manager Server on a randomly generated port. The Jamf Infrastructure Manager Server will send the reply back to the Jamf Cloud Server over a randomly-generated port as well.

How can we configure firewall rules when it communicates on a random port?

I also followed the advice from this thread on adding the internal IP address to the hosts file. That hasn't made a difference.

Our firewall is very locked down, and it only accepts inbound connections from the Jamf cloud IP range, so I can't test external connectivity easily.


hdsreid
Contributor III

Is the server Windows or Linux? If Linux, you can probably skip the following as it pertains to Windows.
My issue ended up being that my JIM could check in to cloud but it could not do any LDAP operations. I had to manually allow an exception in Windows Firewall for it and it has been working ever since. May be worth a try.
I know you mentioned it already, but the hostname issues can be problematic depending on your network. Does your JIM show an internal or external IP on the server side settings? It should show an internal IP on Jamf; if it is showing external, that is a red flag.

Does your JIM have a public domain name? For example, jamf.mycompany.com for JIM and the cloud is mycompany.jamfcloud.com. If you're just doing it by IP, I do not think it will work.

Finally, are you trying to do LDAP or LDAPS? If LDAPS, make sure your cert CN is the same name as the FQDN of the AD server and it comes from the root CA of your domain.

PhillyPhoto
Contributor III
  • This is running on Windows Server 2016.
  • The server itself has a different name than the DNS name (i.e. server is "server12345.company.com", DNS name "jim.company.com"). This shouldn't be an issue if the DNS is set up correctly, I believe.
  • It is showing the internal IP address in the JSS.
  • We have an external facing DNS entry ("jim.company.com") that goes to our F5 load balancer, and is forwarded to the server. I did an nslookup on it on our network and it's returning the external F5 IP addresses, so I'm seeing if we need to have the internal DNS server updated.
  • I'll look into getting a firewall rule for the internal connection to the AD server as well.
  • I'm just trying LDAP for now, I haven't gotten into LDAPS yet.

hdsreid
Contributor III

Hey @PhillyPhoto, did you ever get this working? Re-reading your post, it sounds like you have the firewall rules for tenant.jamfcloud.com, but you need to add the specific IPs for the CDN: https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud

PhillyPhoto
Contributor III

This is the info I used to have our firewall configured:

Outbound traffic:
Source {External facing IP addresses}
Destination https://cloudtenant.jamfcloud.com {cloud IPs}
Service 80, 8443, 443, 8389, 8636 / HTTPS, LDAP, LDAPS

Inbound traffic:
Source 54.208.14.206 54.208.84.215 52.1.62.94 52.1.215.211 52.203.216.218 34.233.253.88 34.234.26.211 52.72.152.43 52.39.2.203 52.39.4.253
Destination {External facing IP addresses}
Service 80, 8443, 443, 8389, 8636 / HTTPS, LDAP, LDAPS

hdsreid
Contributor III

On Windows Server, have you checked any of the log files?
Mine are located at C:\Program Files\Jamf\Infrastructure Manager\logs\jamf-im.txt

I had quite a few different errors in there to go off of to resolve the issues I was having when configuring the LDAP proxy. It is possible that while the JIM itself is functioning and can check in, the LDAP proxy might not even be running.

PhillyPhoto
Contributor III

It just has this over and over:

2019-08-12 11:11:57,838 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:11:57,901 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:12:27,921 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:12:27,983 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:12:58,003 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:12:58,065 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:13:28,085 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:13:28,148 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:13:58,158 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:13:58,251 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:14:28,263 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:14:28,326 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
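A way to sanity-check a jamf-im.txt log like the one above, added here as an example and not part of the thread or of Jamf's tooling: it parses the line layout shown (timestamp, level, logger, thread, message), measures the check-in interval, and counts lines from any logger other than the check-in manager, which is zero for this log. The sample lines are copied from the post; no other logger names are assumed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four of the repeating check-in lines quoted in the post above.
SAMPLE_LOG = """\
2019-08-12 11:11:57,838 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:11:57,901 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
2019-08-12 11:12:27,921 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Initiating checkin to JSS
2019-08-12 11:12:27,983 INFO c.j.j.c.j.JssCheckinManager [pool-3-thread-3] Checkin complete, next checkin in [30] seconds
"""

# Line layout as it appears in the thread: "<date> <time>,<ms> <LEVEL> <logger> [<thread>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \[(?P<thread>[^\]]+)\] (?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict per line that matches the layout; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S,%f")
            entries.append(entry)
    return entries


def summarize(entries):
    """Check-in health plus a count of lines from any logger other than the check-in
    manager: zero means the log shows nothing beyond the 30-second JSS check-ins."""
    by_logger = Counter(e["logger"].rsplit(".", 1)[-1] for e in entries)
    starts = [e["ts"] for e in entries if e["msg"].startswith("Initiating checkin")]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "checkins_started": len(starts),
        "checkins_completed": sum(e["msg"].startswith("Checkin complete") for e in entries),
        "mean_checkin_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        "non_checkin_lines": sum(n for name, n in by_logger.items() if name != "JssCheckinManager"),
        "warn_or_error_lines": sum(e["level"] in ("WARN", "ERROR") for e in entries),
    }
```

Run it against the full log file (open and read it into `parse_log`) rather than the sample; a non-zero `non_checkin_lines` or `warn_or_error_lines` count is where to look next.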

hdsreid
Contributor III

So it seems like the LDAP proxy isn't even running.

What happens if you open IE on the server itself and browse to "jim.company.com:$PORT"? Does it connect to itself? Do you get any logs then?

PhillyPhoto
Contributor III

It just says the page can't be found when I try to connect in IE. I don't see any logs created or updated beyond what's above.

PhillyPhoto
Contributor III

It looks like it may be an issue with the tenant IP addresses. Today they're different from when I submitted the firewall request for them, so I'm seeing if I can get the range they use to open it to that instead.

hdsreid
Contributor III

@PhillyPhoto if you do not get logs even when browsing locally, it sounds like your proxy isn't working correctly.

I have mine running on HTTPS, so I put in https://publiclyresolvable.name.com:8389. I get a cert warning when first connecting, and then I get the "this page can't be displayed". BTW, do you resolve the AD server in your hosts file, or just the publicly resolvable name? My hosts file is

internal IP    public DNS name
internal IP    AD server DNS name
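The reply above pins both the JIM's public DNS name and the AD server's name to internal addresses in the hosts file. The following checker is an added example, not from the thread or from Jamf: it parses hosts-file text and reports whether each required name is present and whether its address is in an RFC 1918 range. The file contents, names and addresses are constructed placeholders.

```python
import ipaddress

# RFC 1918 ranges: "internal" below means an address inside one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed hosts-file text following the two-line layout in the reply above;
# the names and addresses are placeholders, not anyone's real values.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
10.20.30.40    jim.company.com       # public DNS name pinned to the internal address
10.20.30.50    dc01.company.com      # AD server DNS name
203.0.113.10   jim-old.company.com   # stale entry that still points at an external address
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address on its line.
    Comments and blank lines are skipped; the first entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def check_jim_names(hosts_text, required_names):
    """For each name the JIM must reach (its own public name, the AD server), report whether
    the hosts file pins it and whether the pinned address is internal (RFC 1918)."""
    mapping = parse_hosts(hosts_text)
    report = {}
    for name in required_names:
        addr = mapping.get(name.lower())
        if addr is None:
            report[name] = "missing"
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            report[name] = "internal " + addr
        else:
            report[name] = "external " + addr
    return report
```

On the JIM host, read C:\Windows\System32\drivers\etc\hosts into `check_jim_names` with the JIM's public name and the AD server's FQDN; a "missing" or "external" result matches the symptom of the public name resolving to the outside load-balancer address.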

PhillyPhoto
Contributor III

@hdsreid I get the same error when trying to connect to my JIM. I also tried adding the IP of my AD server to my hosts file as well and it made no difference. I already had the server IP and DNS name in it.