Posted on 11-08-2013 04:21 PM
Okay...so we are starting our second week with Casper Suite, and during this process we provided our network diagram of what we wanted to do and were told it would all work. Well....not so much.
So here's a question for all of you on one of the "hiccups" we are experiencing.
We have 3 JDSs with obviously 1 root (A) and both children (B & C) talking directly to A. We have B & C in a DNS round robin, which works great; we haven't had any issues with that. But our idea was that A would not serve any clients except as a NetBoot server, and wouldn't actually serve packages. A is really more of a backup repository, I guess.
So the question is.... Is there any way to "block" clients from trying to get packages from JDS A? We only want the clients to get packages from JDSs B & C, which are in a round robin (jds.company.com).
I did see that we can use network segments to set up default JDSs that would trickle down to the computer, but we have 60 network segments....also, that wouldn't really solve our problem for our external users. We will be turning up a JSS and JDS in our DMZ in the next couple of months, and they are set to use the same URLs as internal (i.e. jss.company.com & jds.company.com), obviously with just the IPs changed on the external DNS records to go to the DMZ versus the internal network.
The whole idea behind this is that all the clients would always look for "jss.company.com" for the JSS and "jds.company.com" for the distribution point, and whether they are internal or external, they would find it and just use the DNS records to keep internal traffic internal and external traffic in the DMZ.
Thoughts? Ideas? Hoping somebody has already come across this...
Thank you,
Josh
Posted on 11-11-2013 09:45 AM
I am unaware of any way to do that specifically with the JDS... Are you using a NetbootSUS appliance or just OS X NetBoot? In either case, you may want to have a separate NetBoot/SUS from your imaging and distribution points. That is the simplest solution. Another potential option is to break the round robin. If you have one internal and one external, resolve them with different DNS names, and then use your network segments to define which one they report to automatically. That I haven't tested with JDS, but it does work with regular distribution points.
Posted on 11-11-2013 12:49 PM
We are currently using Apple's NetBoot service.
How would you specify a network segment for external users into the DMZ? There isn't a set of IP addresses, and the range would be huge.
Posted on 11-11-2013 01:24 PM
@Roskos, network segments work with the most limiting one applying first.
So for the DMZ, create a segment like 1.1.1.1 - 255.255.255.255.
So if a client is in 10.0.0.0 - 10.1.0.0, it will use the 10.x network segment's resources.
BUT, I think this is broken in 9.2.
Check with support first.
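To make the precedence rule described above concrete, here is an added illustration (not JSS/Casper code, and not from anyone in this thread) of how a "most limiting segment wins" lookup behaves: a wide DMZ catch-all segment alongside narrower internal segments, with the smallest matching range deciding which distribution point a client gets. The segment names, the 10.0.5.0/24 "lab" range, the distribution-point hostnames and the client addresses are constructed for the example; the 1.1.1.1 - 255.255.255.255 catch-all and the 10.0.0.0 - 10.1.0.0 range are the ones given in the reply.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Segment(NamedTuple):
    """One network segment: an inclusive IPv4 range mapped to a distribution point."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    distribution_point: str

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end

    @property
    def size(self) -> int:
        # Number of addresses in the range; smaller means "more limiting".
        return int(self.end) - int(self.start) + 1


def make_segment(name: str, start: str, end: str, distribution_point: str) -> Segment:
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s > e:
        raise ValueError(f"segment {name!r}: start {s} is after end {e}")
    return Segment(name, s, e, distribution_point)


# Constructed segment table (hostnames and the lab range are assumptions for the example).
SEGMENTS: List[Segment] = [
    # Catch-all for anything not covered by a narrower segment, as suggested above.
    make_segment("DMZ catch-all", "1.1.1.1", "255.255.255.255", "jds-dmz.company.com"),
    # Broad internal range from the reply.
    make_segment("Internal 10.x", "10.0.0.0", "10.1.0.0", "jds.company.com"),
    # A narrower range nested inside the internal one, to show precedence at two levels.
    make_segment("Building 7 lab", "10.0.5.0", "10.0.5.255", "jds-lab.company.com"),
]


def resolve_segment(client_ip: str, segments: List[Segment] = SEGMENTS) -> Optional[Segment]:
    """Return the most limiting (smallest) segment containing client_ip, or None."""
    ip = ipaddress.IPv4Address(client_ip)
    matches = [seg for seg in segments if seg.contains(ip)]
    if not matches:
        return None
    # Ties are broken by table order; in practice ranges should not be identical.
    return min(matches, key=lambda seg: seg.size)


def resolve_distribution_point(client_ip: str) -> Optional[str]:
    seg = resolve_segment(client_ip)
    return seg.distribution_point if seg else None


if __name__ == "__main__":
    for ip in ("10.0.5.5", "10.0.9.9", "203.0.113.7", "0.0.0.5"):
        seg = resolve_segment(ip)
        print(ip, "->", f"{seg.name} ({seg.distribution_point})" if seg else "no segment")
```

With the rule working as intended, a lab machine at 10.0.5.5 matches all three segments but gets the lab distribution point, a 10.0.9.9 machine falls back to the internal JDS, and an external client on 203.0.113.7 only matches the catch-all and is sent to the DMZ. A host below 1.1.1.1 matches nothing, which is why the catch-all's lower bound matters if you rely on it for every external address.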
Posted on 11-12-2013 09:03 AM
Thanks for reaching out about this issue with Network Segments. Unfortunately, the user who said this is broken in 9.20 is correct, and we currently have a high priority defect open on this issue. While I see our development team is actively working on a fix for release, it does not appear to have been fixed in time for our 9.21 release this morning.
...I guess we wait.
Posted on 11-12-2013 09:04 AM
So when this is working...
Is there a way to prioritize the segments? Or does it just take the one that is most granular?
Posted on 11-12-2013 01:35 PM
@Roskos, yes, the most granular/limiting will take precedence.
&... "the user" "THE USER!!!" I'm a Dean of JAMF Nation I'll have them know.
/joke!! :)
Posted on 12-17-2013 01:40 PM
Hey guys,
The defect relating to the most restrictive network segment not applying [D-005656] has been fixed in 9.22.
Hope it helps!