Posted on 11-22-2017 03:07 PM
So I have been asked to setup access to the JSS in such a way to allow our managed machines to be remotely wiped even if they leave our network.
I have set up a second JSS in a DMZ on my router, and clustering is turned on and seems to be working. However, I am having a very hard time getting outside access to the JSS in the DMZ. I am not running a load balancer, but what I am trying to do is keep the JSS instance on the LAN as the master and, when people use the external JSS address, have them connect to the JSS in the DMZ.
However I have encountered a lot of issues. The first and biggest is that I cannot get the DMZ JSS to respond on the external side. When I am on the computer in the DMZ I can browse the internet and everything but when I use an outside machine I get a timeout error like it is not there.
Does anyone have any suggestions?
Posted on 11-22-2017 03:30 PM
Additional info: it seems like my second node registered with the router's DNS name for some reason. Don't know how to fix it.
Posted on 11-23-2017 03:28 AM
Are you just trying to get to the JSS URL in a browser, or run a jamf recon via Terminal?
You should have the webapp turned off in your master JSS and set for check-in only.
What's the second JSS running on, Linux, Windows, Mac?
And I'm assuming you have external DNS and NAT set up?
Posted on 11-23-2017 06:15 AM
"You should have the webapp turned off in your master jss and set for check in only".. WHAT?
NO!
Posted on 11-23-2017 06:17 AM
external webapp...PORT?
Posted on 11-23-2017 07:28 AM
Yes I have ports open I believe correctly as indicated by the JAMF documentation.
Posted on 11-23-2017 08:46 PM
@anickless You need to find out who in your organization is responsible for managing your DNS server. They need to set up what's known as Split DNS so that your public facing JSS has an external DNS name that matches the DNS name of your internal JSS server.
Posted on 11-24-2017 02:01 AM
@kerouak Argh, I should have re-worded that one!
The secondary JSS should have its webapp disabled, check-ins only. NOT the master!
Too little sleep and not enough coffee that day.
Posted on 11-24-2017 01:09 PM
@sdagley Lol, well that would be me. Shop of one of two people, so I will look into split DNS and see how that works.
I made a simple web server with one entry and set up the DMZ as directed by my router manufacturer's recommendations, and it worked just fine.
@al_platt Yes, once I can access the web interface to verify outside access, the webapp is going to be set to limited access.
Posted on 11-24-2017 01:46 PM
@anickless When you enroll a device with your JSS it is set to check in with a specific URL (e.g. https://MyJSS.MyCompany.com:8443). If you want it to be able to check in when it's not on the internal network, you need to make sure that your public-facing JSS appears to the outside world at the same address. Do you maintain the DNS records for your organization, or does your ISP handle that for you? If the latter, I'd suggest you contact your ISP's tech support department about getting a public DNS record to match your internal JSS that maps to your regular public IP address. Then set up port forwarding on your router to direct external access on port 8443 to internal port 8443 on your public-facing JSS rather than putting it in the DMZ.
Posted on 11-26-2017 11:18 AM
> to allow our managed machines to be remotely wiped even if they leave our network.

Remotely wiping devices does not need a JSS in the DMZ; it is an APNs function, so your internal JSS needs access to the applicable APNs ports and subnets at Apple.
https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro
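A small reachability check, added here as an example and not code from the thread or from Jamf: it takes a check-in URL of the form the earlier post describes (https://MyJSS.MyCompany.com:8443), resolves the name, and classifies a TCP connect to the JSS port as open, refused, timeout or unresolvable. A timeout from outside usually means the packets are being dropped before they reach the server (NAT/port forwarding or firewall), a refusal means the host answered but nothing is listening on that port, and a resolved address that does not match the expected public IP points at the split-DNS problem. The `expected_public_ip` argument and the `diagnose` result keys are this example's own conventions. The same `check_tcp` can be pointed at the APNs ports listed in the Jamf network-ports article linked in the last post, run from the internal JSS, to confirm outbound access for remote wipe.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_JSS_PORT = 8443  # port the thread uses for the JSS web app


def parse_jss_url(url):
    """Return (hostname, port) for a JSS check-in URL; port defaults to 8443.

    urlsplit() normalizes the hostname to lower case.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https JSS URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_JSS_PORT


def resolve(hostname):
    """Resolve hostname to a sorted list of addresses, or [] if it fails."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_tcp(host, port, timeout=5.0):
    """Classify a TCP connect attempt: open, refused, timeout, unreachable or unresolvable."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"
    last = "unreachable"
    for family, socktype, proto, _, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"          # something is listening and the path is forwarded
        except socket.timeout:
            last = "timeout"       # packets dropped: firewall / missing port forward
        except ConnectionRefusedError:
            last = "refused"       # host reached, nothing listening on that port
        except OSError:
            last = "unreachable"   # no route, network down, etc.
        finally:
            s.close()
    return last


def diagnose(url, expected_public_ip=None, timeout=5.0):
    """Resolve the JSS name and probe its port; optionally compare DNS to the public IP.

    expected_public_ip is an assumption of this example: the address the
    router's WAN side should present to the outside world.
    """
    host, port = parse_jss_url(url)
    addrs = resolve(host)
    result = {"host": host, "port": port, "addresses": addrs}
    if expected_public_ip is not None:
        result["dns_matches_public_ip"] = expected_public_ip in addrs
    result["tcp"] = check_tcp(host, port, timeout) if addrs else "unresolvable"
    return result


def demo_local():
    """Offline self-check: probe a constructed local listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # constructed listener on an ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = check_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = check_tcp("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())  # ('open', 'refused')
    # Run from an outside network against the real name, e.g.:
    # print(diagnose("https://MyJSS.MyCompany.com:8443", expected_public_ip="203.0.113.10"))
```

Run `diagnose` once from inside the LAN and once from an outside connection (a phone hotspot is enough): the inside run should resolve to the internal JSS and report open, and the outside run should resolve to the router's public address and also report open once the 8443 forward is in place. A timeout on the outside run with a correct address is the symptom the original post describes.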