Posted on 11-11-2014 06:13 AM
For those of you with the JSS on the DMZ, how are you handling the policies that fail if a machine is not on the network (and therefore not able to mount the internal servers).
We have about 200 subnets and about 50-60 buildings set up, but when a machine checks in from their home network, the JSS doesn't update with the unknown building; it leaves the last one it checked in with. This means I can't create a SG that says if "not in building, or building, or building, etc". And as we stand up or shut down sites, I'm rarely notified (if ever; usually I stumble upon an IP range and then have to go ask someone if it's new or not), so doing it by IP ranges doesn't seem feasible either.
Is my only other option to enable file shares on the DMZ? There's gotta be a better way.
Posted on 11-11-2014 07:08 AM
Set up some externally facing distribution points (that's what we have in place), and make sure you have all your Network Segments set up properly. Create one all-encompassing catch-all Network Segment called "internet" with a range from 1.1.1.1 to 254.254.254.254. Basically, any Macs that check in from an IP that doesn't fall into any of the other Network Segments means it's on the outside. Fortunately Network Segments work from smallest to largest, so if a Mac has an IP that fits into one of the smaller ranges, it gets assigned to that NS.
Then, assign the externally facing distribution point(s) to that "Internet" Network Segment.
The only other thing will be making sure they all stay in sync, so packages/scripts, etc. added to your Master DP get synced to the others, including the external one.
EDIT: Ok, sorry I didn't see that actually keeping your Network Segments all up to date wasn't really viable for you. I see that now. Honestly, that's going to be a tough one to solve then. Any way you can ensure you get notified when new ones are set up? Ask to be included in emails that are sent around perhaps so you can stay on top of them? Without having valid Network Segments, it's going to be a bit difficult to get this to work. But maybe someone else has a better idea.
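The "smallest range wins" matching described in the reply above, as an added example that is not part of the original thread and is not Jamf's or the poster's code. The segment names, address ranges and distribution point names are constructed for illustration; the function ranks every segment whose start/end range contains the client's address and returns the narrowest one, so a Mac on a building subnet is steered to that building's DP while an address matched only by the broad "Internet" segment is steered to the external DP. It also shows the edge case where an address falls in none of the ranges (for instance below 1.1.1.1), which returns no segment so the caller can handle it explicitly rather than silently keeping a stale assignment.

```python
import ipaddress
from typing import Optional

# Constructed sample Network Segments (hypothetical names and ranges, not real site data).
# Each entry mirrors the fields a JSS Network Segment carries: a name, a starting and
# ending address, and the distribution point assigned to that segment.
SEGMENTS = [
    {"name": "Building A", "start": "10.1.0.1", "end": "10.1.255.254",    "dp": "dp-bldg-a"},
    {"name": "Building B", "start": "10.2.0.1", "end": "10.2.255.254",    "dp": "dp-bldg-b"},
    {"name": "Corp WAN",   "start": "10.0.0.1", "end": "10.255.255.254",  "dp": "dp-master"},
    # The catch-all from the reply above: anything not in a smaller segment is "outside".
    {"name": "Internet",   "start": "1.1.1.1",  "end": "254.254.254.254", "dp": "dp-dmz-external"},
]


def _span(seg: dict) -> int:
    """Number of addresses in a segment; used to rank overlapping matches."""
    return int(ipaddress.IPv4Address(seg["end"])) - int(ipaddress.IPv4Address(seg["start"])) + 1


def match_segment(client_ip: str, segments=SEGMENTS) -> Optional[dict]:
    """Return the smallest segment whose range contains client_ip, or None.

    Smallest-range-wins is the behaviour the reply describes: a Mac on 10.1.x.x
    lands in "Building A" even though "Corp WAN" and "Internet" also contain it.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return None  # the sample segments are IPv4 only
    n = int(addr)
    hits = [
        s for s in segments
        if int(ipaddress.IPv4Address(s["start"])) <= n <= int(ipaddress.IPv4Address(s["end"]))
    ]
    if not hits:
        return None
    return min(hits, key=_span)


def distribution_point_for(client_ip: str, segments=SEGMENTS) -> str:
    """DP the client would be steered to; 'NO-SEGMENT' when no range matches at all."""
    seg = match_segment(client_ip, segments)
    return seg["dp"] if seg else "NO-SEGMENT"


if __name__ == "__main__":
    # Constructed check-in addresses: two internal, one on the public internet,
    # and one that sits below the catch-all's 1.1.1.1 lower bound.
    for ip in ("10.1.5.5", "10.7.3.3", "203.0.113.10", "1.0.0.5"):
        seg = match_segment(ip)
        print(ip, "->", seg["name"] if seg else "no segment", "/", distribution_point_for(ip))
```

Running the block prints the segment and DP chosen for each constructed address; the last one reports no segment, which is the case worth alerting on in a real deployment, since a client with no matching segment keeps whatever assignment it had last.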
Posted on 11-11-2014 07:24 AM
I didn't realize that's how it worked, so that helps a lot. I will give that a shot. Thank you!
Posted on 11-11-2014 10:00 PM
@jwojda take a look at what Expedia's IT presented at JNUC2014
https://github.com/Expedia-IT-CTE/ Radar!
They utilize it for having the computer tell the JSS what server to talk to.
I put it in, to utilize the same usability but also the false positives when Casper fails over to our external DP.
Posted on 11-12-2014 06:40 AM
Thank you, I'm giving it a shot now.