Posted on 03-05-2021 10:02 AM
Hi everyone. Like many of us, I have been tasked with building out our Jamf Pro environment, and am looking for a little help regarding split tunnel VPN.
Using Jamf Pro 10.26.1 on Server 2012 R2, we currently have Pulse Secure v. 9.1.8 installed on our macOS Catalina 10.15.7 devices, configured to allow split tunnel for connectivity back to our Jamf server by specifying the IP address of our Jamf server within the VPN gateway.
What is happening is: the Mac is seeing the split tunnel configuration when doing a netstat -n. I can validate that the IP of the Jamf server is present within the split tunnel configuration. Despite this, we still do not have any connectivity back to our Jamf server while connected and trying to open Self Service. When Wiresharking the device, any connectivity going to Jamf goes dark once logged in to VPN. Doing a traceroute to the Jamf server IP confirms we're getting the split tunnel.
Looking at the Jamf admin network port section, it states that we should only need port 8443 open for connectivity back to Jamf, to my understanding. The Wireshark logs look to have confirmed this.
With that said, can anyone confirm the following:
- Is only port 8443 required for Jamf connectivity?
- Does the Self Service portal try to resolve by IP or FQDN?
- Would a routing table on the local device need to be set up, or other configuration to the local adapter?
Thank you all in advance!
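As an added diagnostic (not part of the original thread or of Jamf's tooling), the script below checks the three points the question raises on a Mac: it reads the host and port out of the Jamf Pro URL the client enrolled with, resolves the FQDN, shows which route the resolved address takes, and tests a TCP connection on the Jamf port. The URL is a constructed sample; `jss_host` and `jss_port` are helper names introduced here.

```shell
#!/bin/sh
# Split-tunnel reachability check for a Jamf Pro server on macOS.
# Assumption: the sample URL below stands in for your own Jamf Pro URL
# (the one in Self Service / the enrollment profile); it is not a real server.
JSS_URL="https://jamf.example.com:8443/"

# Host part of scheme://host[:port]/... (port and path stripped).
jss_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Port part of the URL; Jamf Pro defaults to 8443 when none is given.
jss_port() {
  h=$(printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##')
  case "$h" in
    *:*) printf '%s\n' "${h##*:}" ;;
    *)   printf '8443\n' ;;
  esac
}

# Resolve the FQDN, print the route the kernel picks for that address,
# and test a TCP connect to the Jamf port. Run once with the VPN down and
# once with it up; a split tunnel that only carries the bare IP still
# fails if DNS for the FQDN stops answering once the tunnel is up.
diagnose() {
  host=$(jss_host "$1"); port=$(jss_port "$1")
  echo "Jamf Pro host: $host  port: $port"
  ip=$(dig +short "$host" 2>/dev/null | tail -n 1)
  echo "Resolves to: ${ip:-<no answer>}"
  # macOS 'route get' shows the interface and gateway chosen for this IP.
  [ -n "$ip" ] && route get "$ip" 2>/dev/null | grep -E 'interface|gateway'
  if nc -z -w 5 "$host" "$port" 2>/dev/null; then
    echo "TCP $port reachable"
  else
    echo "TCP $port NOT reachable"
  fi
}

# Only hit the network when explicitly asked, so the helpers can be sourced.
[ -n "${RUN_JSS_CHECK:-}" ] && diagnose "$JSS_URL"
```

Run it as `RUN_JSS_CHECK=1 sh jss_check.sh` before and after connecting Pulse Secure and compare the "Resolves to" and route lines; if the IP resolves but `nc` fails only while the tunnel is up, the traffic is leaving by a different interface than the split-tunnel entry expects.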
Posted on 03-05-2021 08:26 PM
So the only thing you are allowing through to your internal network is Jamf via a split tunnel? That doesn't make any sense. Are there no other internal resources that your users access via VPN? Does your JPS DNS name resolve from the outside world?
You might be better served by a 2nd public facing, limited access, JPS in your DMZ. Where are your distribution points?