JSS Cluster with one in the DMZ

anickless
Contributor II

So I have been asked to set up access to the JSS in such a way to allow our managed machines to be remotely wiped even if they leave our network.

I have set up a second JSS in a DMZ on my router and clustering is turned on and seems to be working. However, I am having a very hard time getting outside access to the JSS in the DMZ. I am not running a load balancer, but what I am trying to do is have the JSS instance on the LAN kept as a master and when people use the external JSS address they connect to the JSS in the DMZ.

However I have encountered a lot of issues. The first and biggest is that I cannot get the DMZ JSS to respond on the external side. When I am on the computer in the DMZ I can browse the internet and everything but when I use an outside machine I get a timeout error like it is not there.

Does anyone have any suggestions?


anickless
Contributor II

Additional info: it seems like my second node registered with the router's DNS name for some reason. Don't know how to fix it.

al_platt
Contributor II

Are you just trying to get to the JSS url in a browser or run a jamf recon via terminal?

You should have the webapp turned off in your master jss and set for check in only.

What's the second JSS running on, Linux, Windows, Mac?

And I'm assuming you have external DNS and NAT set up?

kerouak
Valued Contributor

@al_platt

"You should have the webapp turned off in your master jss and set for check in only".. WHAT?
NO!

kerouak
Valued Contributor

external webapp...PORT?

anickless
Contributor II

Yes I have ports open I believe correctly as indicated by the JAMF documentation.

sdagley
Esteemed Contributor II

@anickless You need to find out who in your organization is responsible for managing your DNS server. They need to set up what's known as Split DNS so that your public facing JSS has an external DNS name that matches the DNS name of your internal JSS server.

al_platt
Contributor II

@kerouak Argh, I should have re-worded that one!

The secondary JSS should have its webapp disabled, checkins only. NOT the master!

Too little sleep and not enough coffee that day.

anickless
Contributor II

@sdagley Lol, well that would be me. Shop of one of two people, so I will look into split DNS and see how that works.

I made a simple web server with one entry and set up the DMZ as directed by my router manufacturer's recommendations and it works just fine.

@al_platt Yes, once I can access the web interface to verify outside access, the webapp is going to be set to limited access.

sdagley
Esteemed Contributor II

@anickless When you enroll a device with your JSS it is set to check in with a specific URL (e.g. https://MyJSS.MyCompany.com:8443). If you want it to be able to check in when it's not on the internal network, you need to make sure that your public facing JSS appears to the outside world at the same address. Do you maintain the DNS records for your organization, or does your ISP handle that for you? If the latter, I'd suggest you contact your ISP's tech support department about getting a public DNS record to match your internal JSS that maps to your regular public IP address. Then set up port forwarding on your router to direct external access on port 8443 to internal port 8443 on your public facing JSS rather than putting it in the DMZ.

marklamont
Contributor III

"to allow our managed machines to be remotely wiped even if they leave our network."

Remotely wiping devices does not need a JSS in the DMZ; it is an APNS function, so your internal JSS needs access to the applicable APNS ports and subnets at Apple.
https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro