Posted on 01-19-2018 12:57 PM
So i am having a bit fun in Planning out a new jamf environment. The plan was to have two external limited access servers and two internal w/GUI servers. And having a Split DNS cover the logic of internal vs external..
Come to find out that is not an option here, and the team that runs the f5 is not sure if the logic can be done in the loadbalancer level.
I was curious if anyone had any suggestions or ideas that i can take to the Networking team. i know its kinda hard without knowing the environment, but any bit helps.
Posted on 01-19-2018 04:17 PM
It is possible to use F5 and have the design you outline. It is not easy though and will take a lot to consider. It also depends on how many F5's you have and the expertise of your network teams. a. Split Brain DNS: Your DNS has to be setup so the internal folks can never see the external and vice versa. b. Load Balancers: It sounds like you are going to setup multiple servers, which means load balancing. You will need to setup the Jamf server to understand you are using load balancers. This is done in the JSS GUI. c. SSL Offloading: You have to be careful about how you setup the F5. A lot of times, the F5 uses a form of SNAT and attaches a port number to the network traffic so when the traffic returns to it, the load balancer will see the port number and return it to the sender. However, the JSS will send it back to the load balancer with the load balancer as the return address. The load balancer will drop the packet because the port information was removed. To solve this, you have to place the SSL certificate for the JSS server on the F5 and have the F5 decrypt the packet and insert an X-Forward-For into the network packet. Conversely, on the JAMF server, you have to enable X-Forward For. I recommend setting up the F5 to decrypt and then encrypt the traffic to the Jamf server. But be careful, this will mean additional resource consumption on the F5s. d. Certificate: If you are using SSL offloading, to avoid issues, get an external certificate (Entrust for example) for the JSS server. Most clients have the proper root and issuing certificates to resolve and solves any issues with external clients accessing the server. I would recommend external certificates in general when you have internal and external clients to avoid issues with certificates. So: Split Brain DNS, VIP address for servers, get the URL published external and internally, load balancer servers based on VIP address, SSL Offloading if F5 alters network packet for direction.
Posted on 01-22-2018 06:05 AM
Thank you for all the info @henryxyz !! You gave me plenty to research and hopefully get an option that i can send to the networking team here.
Do you use Split DNS, f5s, both, or let jamf host it?