JSS, SUS and DMZ

jacopo_pulici
Contributor

Hello everybody,
Newbie in here and I really need help from this great community.
We're in the process to evaluate the possibility to publish our JSS in the DMZ.
My environment is set up as follow:

  • JSS 9.7 on a Win2012R2 vm hosted on hyper-v (internal.mycompany.com)
  • 3 distribution points across the offices (geographically far one from each other).
  • 1 SUS (internalsus.mycompany.com)

Everything now is working great but we would like to move our JSS to the DMZ in order to be reachable (policies and packages) by our Mac laptop clients from everywhere (external to our LAN).
What would be the best way to achieve our task and access/managing everything with external.mycompany.com?
We’re following this guide and as far as I understood we should place in the DMZ a second and “limited” JSS server + another DP. The database would continue to rely on our internal JSS server, accessed only by the JSS in the DMZ. Apart issuing a new SSL certificate, correctly register our DNS and set up the HTTPS DP, what should we take care of?
We found the complete list of ports used by Casper. Is there anything else we should be aware of related to the security topic?
The JSS server in the DMZ will be behind a load balancer: any advice?
And lastly, how can I manage to reach my SUS? Do we have to move it to DMZ as well?
Forgive me whether I'm not clear enough...actually I'm very confused!
Thanks in advance for your suggestions.
Cheers,
Jack

2 ACCEPTED SOLUTIONS

jacopo_pulici
Contributor

Hi @Snickasaurus .
The setup I adopted is the following:
- Windows Server 2012 R2 VM as internal JSS server (internal.mycompany.jss)
- Windows Server 2012 R2 VM as external JSS server (external.mycompany.jss, placed in DMZ, out of domain).
- NetSUS VM as Software Update Server (sus.mycompany.jss, placed in DMZ)

After I setup the external JSS (HERE) I had to:
- repair the MySQL connection between the external and internal server.
- change the JSS URL (you find this option in the System Options>Global Management) and re-issue the SSL certificate (System Settings>Apache Tomcat Settings).
- create a DP on the DMZ JSS server, enabling the HTTPS protocol (HERE).

Lastly, and more important, I had to setup the internal and external DNS based on the definitive JSS url adopted. The JSS server can have just one URL (the external one) and therefore the internal DNS routes the clients to the internal.mycompany.jss server and the external one to the external.company.jss .
Let me know if you need further details.
Cheers

View solution in original post

jacopo_pulici
Contributor

Problem solved issuing a new SSL certificate on the DMZ box.

Jack

View solution in original post

12 REPLIES 12

MAD0oM
Contributor

@Jachk We all started there "newbie" so don't feel any type of way. The way i've set up our environment is to have a second instance of the JSS in the DMZ in my case i have a Mac mini and only 1 port opened both in and out which is the mySQL ports. You'd also need to make sure your FQDN is able to check in both internally and externally with DNS records. Why would you want a DP externally? unless the clients won't be coming back internally then i'd understand maybe setting up a AWS for ease. you want your clients externally to use your internal SUS? why not have a policy when external install using Apple SUS? or not updating period unless back internally?

Some more info maybe and i can answer some more

jacopo_pulici
Contributor

Thanks @MAD0oM for your reply and advices.
We'd want an external facing DP in order to be able to patch/control the machines outside our network.
Our staff, more of the times, work outside the company for long periods and therefore I'd like to be able to reach them everywhere.
The same for the SUS. We want to control which updates apply to them and therefore I cannot let them use the Apple SUS when outside.
At the moment all the machines have our internal SUS set up by a config profile.
Thanks
Jack

spotter
New Contributor III

Our JSS configuration is as follows:
- Internal JSS (Mac Pro) - external facing DMZ JSS (virtual Windows Server)
- JDS and SUS (Mac Mini)

This config works really well since I'm able to have my Mac users download packages from Self Service and updates no matter what network they are on.

jacopo_pulici
Contributor

Thanks @Potter How can your Macs access your internal SUS? Is it in the DMZ?
Does the JDS (passing through the JSS in the DMZ) manage the requests between your clients and the SUS?
Sorry but I'm really missing something here.

MAD0oM
Contributor

@Jachk In that case i'd scope out a policy based when the user is off the network use AWS or whatever you decide as your DP externally. Then for your SUS i'd do the same thing having one externally in the DMZ basically for security..I wouldn't have access internally to my server i'd also have a layer between it firewall or not just safe that way for me at least. You can also go the VERY DIFFICULT route (could be easy if your network team is on board) but basically with DNS records things can be the same FDQN both externally and internally but making it easier for you so clients can access it both internally and externally with no change.. only thing is setting up your new servers in the DMZ and some firewall and DNS work.. let me know

jacopo_pulici
Contributor

Thanks @MAD0oM !
In the next days I'll deal the problem with the server and network guys.
I also contacted the JAMF support and they provided me a very useful paper with examples of configurations.
Now I have a clearer overview of the whole process, I keep you updated.
Thanks all.

davidacland
Honored Contributor II

As long as you're ok with the core technologies (MySQL, DNS etc), most of the config is straight forward. There is an extra remote IP valve option to enable if you are using a load balancer to make sure the clients report the correct IP address.

The other tricky bit is SSL termination.

I would recommend the CJA course if you have the time / budget. It covers this type of setup in depth.

jacopo_pulici
Contributor

Thanks @davidacland .
I have an update related to this topic.
I successfully setup the JSS in the DMZ and connected it to the internal JSS' MySQL server.
At the moment the JSS url is the old one (internal.jss.company.com) and all my clients can still reach it correctly.
Also the new imaged machine can reach it.
The Tomcat SSL certificate it's also the old internal one.
However now I have to pull the switch and move to the new url (external.jss.company.com) in order to prepare the JSS to be reachable from outside our LAN. In the coming days the network team will open the ports to the outside, set up the DNS and everything but I want to be prepared.
Noob question: which are the steps I have to follow?
I would say I have to change the JSS url and reissue the Tomcat SSL certificate and then force the existing clients to run the jamf manage command. Is it correct?
Thanks in advance to all, I understand I still have a very little knowledge of the JSS structure...
Jack

Snickasaurus
Contributor

@Jachk

How did this end up working for you? My company is also considering the DMZ approach so I'm reading every thread I can find. Thanks in advance.

jacopo_pulici
Contributor

Hi @Snickasaurus .
The setup I adopted is the following:
- Windows Server 2012 R2 VM as internal JSS server (internal.mycompany.jss)
- Windows Server 2012 R2 VM as external JSS server (external.mycompany.jss, placed in DMZ, out of domain).
- NetSUS VM as Software Update Server (sus.mycompany.jss, placed in DMZ)

After I setup the external JSS (HERE) I had to:
- repair the MySQL connection between the external and internal server.
- change the JSS URL (you find this option in the System Options>Global Management) and re-issue the SSL certificate (System Settings>Apache Tomcat Settings).
- create a DP on the DMZ JSS server, enabling the HTTPS protocol (HERE).

Lastly, and more important, I had to setup the internal and external DNS based on the definitive JSS url adopted. The JSS server can have just one URL (the external one) and therefore the internal DNS routes the clients to the internal.mycompany.jss server and the external one to the external.company.jss .
Let me know if you need further details.
Cheers

jacopo_pulici
Contributor

Hi everybody,
Just a question on the topic.
I noticed my Mac don't get the configuration profiles when they are outside of our LAN.
Everything else works fine, I can run and scope policies and reach the Mac also when they are off my company network. The only thing that fails are configuration profiles. They get stucked in "pending" and as soon as the Mac return on our LAN or open the VPN, they get the profiles.
I checked the ports on the master internal jss (2195/2196/5223) and they're fine.
Any idea where I could check?
Thanks

Jack

jacopo_pulici
Contributor

Problem solved issuing a new SSL certificate on the DMZ box.

Jack