New JSS instance in DMZ, URL changes

dooley_do
New Contributor

Hi,

I've read a few articles on this but just after some quick clarification. Currently we have an internal only JSS e.g. jss01.network.edu

I am adding a DMZ instance so we can manage external clients : jss02.network.edu

I figured at this point I should use a cname e.g. jss.network.edu which resolves to either of the above dependent on what network you are on.

I've seen a few threads on this and it looks like I'll have to re-enroll clients if I start using the cname. Can this be automated or is there a better solution?

Thanks


rigualj
New Contributor II

Hey dooley_do!

Are we managing just Macs? If so, the next time they check in, they'll get the updated URL. So when they check in after that, they'll be referencing the new URL.

If we are managing iOS, then yes, they'll need to be re-enrolled.

However, if we are using MDM communication, a CNAME will not work, I believe, as the SSL certificate needs to reflect a single FQDN, and if a redirect is detected the trust will not be established.

Could we look at a Split Horizon DNS setup? We would use the same FQDN. The internal DNS will resolve to the internal server. The public DNS will resolve to the DMZ (public-facing) server.

brushj
New Contributor III

@rigualj The method you stated is what we use for our DMZ setup. We set it up that way from day one and have been using it that way over the past three years.

dooley_do
New Contributor

Hi,

We have Macs and iOS, but at present iOS isn't really in production, so it's not too much of an issue.

Yes, split DNS could work. I assume the certificate on the DMZ server would need to have a subject alternative name so it covers both jss01 and jss02?

Thanks
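The certificate question above is worth checking rather than assuming: with split-horizon DNS the Macs always connect to the same FQDN, so that name must appear in the DMZ server's certificate SANs (a SAN extension, when present, overrides the CN for hostname matching). The following is an added example, not code from this thread or from Jamf; it applies RFC 6125-style name matching to a certificate in the dictionary shape Python's `ssl` module returns, using a constructed sample certificate. The `fetch_cert` helper, which assumes the default JSS port 8443, can be pointed at a live server to pull the real certificate for the same check.

```python
"""Check that a TLS certificate covers every hostname clients will use.

Added example for the split-horizon DNS / SAN discussion; not Jamf code.
The hostnames and SAMPLE_CERT below are constructed for illustration.
"""
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# It covers the DMZ server's own name and the shared FQDN, but not jss01.
SAMPLE_CERT = {
    "subject": ((("commonName", "jss02.network.edu"),),),
    "subjectAltName": (
        ("DNS", "jss02.network.edu"),
        ("DNS", "jss.network.edu"),
    ),
}


def cert_dns_names(cert):
    """Return the DNS names the certificate is valid for.

    When a subjectAltName extension is present the CN is ignored (RFC 6125),
    so the CN is only used as a fallback for legacy certificates without SANs.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive match allowing a single leftmost wildcard label.

    '*.network.edu' matches 'jss.network.edu' but not 'jss.dmz.network.edu'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hostnames(cert, hostnames):
    """Return the hostnames that no name in the certificate matches."""
    names = cert_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_cert(hostname, port=8443, timeout=5.0):
    """Fetch the peer certificate of a live server (network access required).

    The default context verifies the chain, so getpeercert() returns the
    parsed dictionary rather than an empty one. Port 8443 is an assumption
    based on the usual JSS default.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # All three names a client might have been enrolled against in this thread.
    wanted = ["jss.network.edu", "jss01.network.edu", "jss02.network.edu"]
    missing = uncovered_hostnames(SAMPLE_CERT, wanted)
    for host in missing:
        print(f"certificate does not cover {host}")
    # To check a real server instead:  missing = uncovered_hostnames(fetch_cert("jss.network.edu"), wanted)
```

Run against the constructed sample, the check reports that `jss01.network.edu` is not covered, which is exactly the gap a certificate issued only for the DMZ host would have once the internal Macs start connecting to the shared name.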

dwandro92
Contributor III

> Are we managing just Macs? If so, the next time they check in, they'll get the updated URL. So when they check in after that, they'll be referencing the new URL.

Thank you, @rigualj, for that interesting tidbit of information. All this time I thought that I would have to re-enroll all of our Macs if we set up a CNAME, but now I'm going to do some testing and move forward with it!