On-Prem JSS - Multiple Tomcats on Single server?

Shaunn_brown
New Contributor II

Greetings - I've been tasked with researching setting up an externally accessible Tomcat server for each of our JSS servers. This is so our current JSS servers don't need to be externally accessible from our networks. 

As there already exists standard documentation for setting this up on separate servers, no need to re-direct me towards those documents. BUT, my superiors would like to set up multiple instances of Tomcat on a single server. 2 options I have been tasked to research -
1 - Set up an additional Tomcat on each of our JSS servers - the new Tomcat would be "clustered" to the existing JSS Tomcat, with the new Tomcat being externally visible.

2 - Set up a single VM, with multiple Tomcats, with each being "clustered" to a different JSS server. The new VM's Tomcats would become the externally visible point for each of the JSSs.

Is either a viable option? I've noted to them it's unwise, but I have been tasked with finding out for sure.

Thank you in advance for any assistance.

4 REPLIES

sdagley
Esteemed Contributor II

@Shaunn_brown Thinking about making multiple instances of the JSS Tomcat process run in either of the 2 configurations you describe makes my head hurt. Why in bog's name would there be resistance to creating a VM per each additional instance? To me that would make it much easier to control the traffic routing so only the JSS instances on the new VMs are externally accessible.

Shaunn_brown
New Contributor II

It makes my head hurt also, @sdagley. But mine is not to reason why, mine is just to do... or have a dang good reason why I have to tell upper management they have to spend more money than they thought.

sdagley
Esteemed Contributor II

@Shaunn_brown The #1 argument I'd make against trying to run multiple instances on a single server is that it would eliminate the option of using the standard Jamf installer for updates and require you to manually configure the ports and paths for each instance. You might be able to write your own scripts to automate that, but expect it to be fragile.

It sounds like your upper management didn't really consider the requirements for setting up a Jamf Pro environment to manage devices on and off the organization network. Hopefully you can convince them to address that using one of the standard approaches (i.e. additional servers). Having gone through that twice myself, I'm quite happy that my current org was willing to recognize that re-building the system with externally accessible JSS and DP nodes so off-network devices could be properly managed was more important than clinging to the original design purely focused on internally connected devices.

Added 2022-07-21 @ 10:35am ET:

@Shaunn_brown Please don't feel like @AJPinto or I are disregarding your predicament, but realistically the best long-term prospects for having a sustainable Jamf Pro installation require your upper management to understand that if the initial architecture of the installation did not take into consideration managing machines off the corporate network then it needs to be re-architected with that requirement in mind. I'd also 2nd @AJPinto's Jamf Cloud endorsement, but if your management is convinced that on-prem is a lower cost solution I'd suggest you carefully track the amount of time you spend maintaining/upgrading the on-prem infrastructure so you can point out the true costs.

AJPinto
Honored Contributor II

Like everyone else here, this thought makes my head hurt. What in the world could be the benefit or purpose of this? This is a decision so stupid that it can only have come from upper management. 

 

Is it possible? Yes, kinda, maybe, probably not. Will JAMF support it? No. Will it work well? No. Is it scalable? No. Is it recoverable in the event of failure? No. Before you get too deep down this path, remember you must support it, not the people making this call. Put the 2 JAMF instances on separate servers for the love of god, even if they are just separate Windows Server VMs running on the same host. Honestly, with this kind of decision making, your employer sounds like a perfect candidate for JAMF Cloud; get these people to a position where they cannot make these kinds of requests.