JSS in AWS / Front facing JSS

davidjess
New Contributor III

Hi folks,

We currently have a JSS server in a data centre, with JDS and NetBoot servers living separately in each of our offices.

Our data centre is closing down and we're going to migrate the JSS to AWS. We're going to have a public-facing JSS server that proxies across to a private JSS server with database attached.

Just wondered if anyone out there has this setup working and has any pointers, scripts (particularly for pointing all of our Macs to the new JSS when it's time, but I'll take anything else you might have) or anything else that I've not considered.

Thanks in advance.

5 REPLIES

powellbc
Contributor II

We don't but are on this road now. If I encounter anything of note I will let you know.

djdavetrouble
Contributor III

How about a split DNS for internal / external? I have seen many recommendations for this setup.

jonnydford
Contributor II

Any reason why you wouldn't keep the same URL? Unless you're using a .local domain name?

Changing URL will mean any iOS devices will need to be wiped and re-enrolled.

As to set up, I'd suggest putting an Application Load Balancer in front of the JSS. Then, only allow access to the JSS from the load balancer on your chosen port. That way the JSS has some protection as only your chosen ports are exposed.

By default on the security groups, outbound traffic is open on all ports, so it'll be able to hit the internet for APNS, SMTP etc.

You can also put nginx on your JSS server if you want to redirect port 80 to 8443/443.

The load balancer also can have the SSL certificate on it so it'll take the processing away from the JSS.
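
The restriction described in the post above (JSS reachable only from the load balancer, only on the chosen port) can be checked against the instance's security group. This is an added example, not part of the original post: it audits rules in the shape returned by EC2 `DescribeSecurityGroups`, and the security group IDs, the sample groups and the choice of 8443 as the port are constructed assumptions.

```python
# Added example: all security group IDs below are constructed placeholders.
ALB_SG = "sg-0aaa1111bbbb2222c"   # hypothetical load balancer security group
JSS_PORT = 8443                   # assumed "chosen port" for the JSS


def audit_jss_ingress(sg, alb_sg_id=ALB_SG, jss_port=JSS_PORT):
    """Return findings for ingress rules that expose the JSS to anything but the ALB."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        label = "all traffic" if proto == "-1" else f"{proto} {lo}-{hi}"
        # Each rule should cover exactly the chosen JSS port over TCP.
        if proto != "tcp" or lo != jss_port or hi != jss_port:
            findings.append(f"{label}: opens more than tcp/{jss_port}")
        # CIDR or prefix-list sources let clients bypass the load balancer.
        for r in rule.get("IpRanges", []):
            findings.append(f"{label}: CIDR source {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"{label}: CIDR source {r['CidrIpv6']}")
        for p in rule.get("PrefixListIds", []):
            findings.append(f"{label}: prefix list source {p['PrefixListId']}")
        # Only the ALB's security group may be referenced as a source.
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != alb_sg_id:
                findings.append(
                    f"{label}: source is foreign security group {pair.get('GroupId')}")
    return findings


# Constructed sample: JSS port open to the ALB security group only.
GOOD_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
]}

# Constructed sample: JSS port also open to the world, plus a wide rule
# from an unrelated security group.
BAD_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": "sg-0ccc3333dddd4444e"}]},
]}

if __name__ == "__main__":
    for name, sg in (("good", GOOD_SG), ("bad", BAD_SG)):
        print(name, audit_jss_ingress(sg) or "OK")
```

Any administrative access rule (for example SSH) will also be reported, which is intended: each such rule is an exposure of the JSS host that does not pass through the load balancer and should be reviewed.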

powellbc
Contributor II

> Changing URL will mean any iOS devices will need to be wiped and re-enrolled.

@jonnydford Can you elaborate on this? Is a full wipe necessary or just re-enrolling?

jonnydford
Contributor II

@powellbc Depends on how you want to enroll them.

If you're going through DEP/AC2 and supervising your iOS devices it'll need a wipe.

For a manual non-supervised enroll it won't need a wipe.

Changing the URL is generally a bad idea with iOS devices. Macs, not so bad as you can change a plist, re-enroll, push out a recon pkg, etc.