Skip to main content
Question

New JSS instance in DMZ, URL changes

  • January 6, 2016
  • 4 replies
  • 28 views
D
Forum|alt.badge.img+4

Hi,

I've read a few articles on this but just after some quick clarification. Currently we have an internal only JSS e.g. jss01.network.edu

I am adding a DMZ instance so we can manage external clients : jss02.network.edu

I figured at this point I should use a cname e.g. jss.network.edu which resolves to either of the above dependent on what network you are on.

I've seen a few threads on this and it looks like I'll have to re-enroll clients if I start using the cname. Can this be automated or is there a better solution?

Thanks

    4 replies

    R
    Forum|alt.badge.img+4
    • rigualj
    • Employee
    • January 6, 2016

    Hey dooley_do!

    Are we managing just Macs? If so, the next time they check in, they'll get the updated URL. So when they check in after that, they'll be referencing the new URL

    If we are managing iOS, then yes, they'll need to be re-enrolled.

    However.. If we are using MDM communication, a CNAME will not work I believe. As the SSL certificate needs to reflect a single FQDN and if a redirect is detected that the trust will not be established.

    Could we look at a Split Horizon DNS Setup? We would use the same FQDN. The internal DNS will resolve to the internal server. The public DNS will resolve to the DMZ (public facing server)

    B
    Forum|alt.badge.img+8
    • brushj
    • Contributor
    • January 6, 2016

    @rigualj The method you stated is what we use for our DMZ setup. We set it up that way from day one and have been using it that way over the past three years.

    D
    Forum|alt.badge.img+4
    • dooley_do
    • Author
    • Contributor
    • January 7, 2016

    Hi,

    We have Macs and iOS but at present iOS isn't really in production so not too much of an issue.

    Yes split DNS could work, I assume the certificate on the DMZ server would need to have a subject alternate name so it covers both jss01 and jss02?

    Thanks

    D
    Forum|alt.badge.img+9
    • dwandro92
    • Contributor
    • January 7, 2016
    Are we managing just Macs? If so, the next time they check in, they'll get the updated URL. So when they check in after that, they'll be referencing the new URL

    Thank you, @rigualj for that interesting tidbit of information. All this time I thought that I would have to re-enroll all of our Macs if we setup a CNAME, but now I'm going to do some testing and move forward with it!

    Terms & ConditionsCookie settingsAccessibility statement