JSS in DMZ

jmercier
Contributor II

Hi... just a quick question...

We have internal JSS works fine...

We want to have external JSS so devices can check in etc... but we are allowed to only have one JSS name configure on devices to report to... lets say JSS1.company.com

So i assume we can't have the external to have the same name... so it has to be something like JSS2.company.com ?

But how .... devices won't report to the external one... ?

Would it be better to move our internal in the DMZ only ? enrol potential external devices to the second one only ?

5 REPLIES 5

RobertHammen
Valued Contributor II

Use split DNS.

When outside your network, jss1.company.com resolves to the public-facing IP of your JSS in the DMZ.
When on your network, jss1.company.com resolves to the private, internal IP of your existing JSS.

That's one option. I'd also make the JSS in a DMZ a Limited Access JSS, meaning it has no web portal where admins can log in, just client management.

Opening a port to MySQL on your internal JSS, and replicating content (packages etc) are the tricky points.

Aziz
Valued Contributor

Same setup as @RobertHammen

Internal DNS for main JSS = jss.domain.com (A record)

Internal machines resolve to the above DNS.

Internal DNS for DMZ JSS = jssext.ad.domain.com

Public DNS resolves to the DMZ server as "jss.domain.com" Public IP of 1.2.3.4

Public machines resolve to the above DNS.

Limited access enabled.

bvrooman
Valued Contributor

We add a layer of abstraction and use CNAMEs in both places. Our internal and DMZ servers are named some nonsensical thing based on an old server naming scheme, but we added an internal and external CNAME record for casper.companydomain.com pointing to each respective server.

This also gives us the flexibility that if we want to change servers in the future (or point to a load balancer, etc.), we just need to change the target of that CNAME record.

raybanks
New Contributor II

+1 to @RobertHammen

We use split DNS so external JSS goes to public facing clients outside of the campus network. Internal JSS goes to campus clients if they are within the campus network or using the campus VPN.

I use pfirewall to restrict all on the external facing, disable web portal and allow only 8443 and SQL to the internal JSS. I also have an externally facing JDS for off-campus clients and it only allows communication FROM our root JDS.

tlarkin
Honored Contributor

I would recommend putting an appliance in the DMZ and not a web app. Could be a load balancer, WAF, reverse proxy, etc. From there you can terminate TLS if you wish or just forward it through to the application inside the firewall.

Putting a JSS in the DMZ is a security risk, and frankly shouldn't be done.