I'm looking to migrate our JSS that is running on an Xserve to a RHEL VM later this year. I'd also like to set up a limited JSS on our DMZ, but I'm running into an issue with our open systems team. According to JAMF's documentation the limited JSS would need access to the internal server that hosts the existing JSS. I was told this was something that we could not physically do here. This is what was proposed to me and I'm wondering if it's doable or if I should just move on from the whole limited JSS on the DMZ.
Does your App DMZ security policies allow for communication to other items that MySQL would be using like ldap, APN, etc.? As long as the communication is there I can not imagine it being a problem. The limited JSS is a good idea to prevent access to the console from a internet facing server, but still allow clients to send inventory reports and interact with the JSS. As long as the server with MySQL can communicate with elements in the JSS and have communication with the web app instances, you should be okay.
You are correct.
The logic here is;
1. Have the JSS database in your trusted network.
2. Create a new external server in DMZ with limited JSS WebApp and point it to the database located in your trusted network (you need to be able to communicate to your MySQL database via TCP port 3306 from DMZ)
3. Also need to have some additional ports to be able to communicate with your trusted network from your external server hosting limited access WebApp located in DMZ.
If you are using smart groups to send email notifications, the SMTP port from the external server to the SMTP server needs to be open. (The standard port for this is 25.) If users are going to enroll devices externally using LDAP accounts, the LDAPS (LDAP over SSL) port from the external server to the directory server needs to be open. (The standard port for this is 636.) For information on configuring LDAPS, see “Configuring the JSS to Use LDAP Over SSL When Authenticating with Active Directory”.