Setting up Jamf 10 in AWS

wburnett
New Contributor II

As part of a general effort to become more knowledgable about AWS and JAMF, I've started a dummy environment totally separate from production for my own practice purposes, with the hopes of convincing my department head to implement them once I become more proficient/comfortable with the tech. I've played around a fair amount with policies/configuration profiles/etc, but when it comes to setting up a new server, especially in the cloud, I'm rather more of a newbie.

As part of my research I found an excellent blog post by John Kitzmiller (https://www.johnkitzmiller.com/blog/setting-up-the-jss-behind-an-elastic-load-balancer-in-amazon-web-services/) as well as one by auslin more focused on Elastic beanstalk rather than ec2 on its own (http://aulin.co/2017/Jamf/) but I've found myself getting stuck earlier on in the process.

I've tried installing the jamf pro 10.5 client both manually and using the installer. Since I only have to access the machine via terminal (the AMI is running ubuntu 16.04), I installed lynx to attempt to get up and running after the installer was completed. However, when going to localhost:8443 with lynx I get an error saying there is an insecure ssl cert (I generated a self signed one), and when i attempt to bypass lynx quits out with the error "can't access startfile localhost:8443", so I can't get into the web app to get through the rest of set up.

Has anyone run into something similar?

7 REPLIES 7

jrosedietcher
New Contributor III

bumping this post as it would be great to learn how to do this without using a DMZ

stevewood
Honored Contributor II
Honored Contributor II

@wburnett you shouldn't need to install Lynx on the Jamf Pro Server to configure it. If you assign an Elastic IP to your server and then open port 8443 to your server, you can use a web browser from your computer to configure the Jamf Pro Server.

If you want to place the JPS in a private VLAN in AWS, I would suggest placing a proxy or utilizing an Elastic Load Balancer to forward traffic to the JPS sitting in the private VLAN. You can follow @kitzy great blog post on how to do that. The great thing about using an ELB is that you can set it to receive traffic on 443 and then forward to your JPS over 8080. This is terminating SSL on the ELB and not on your JPS. You can utilize Amazon's certificate service to host your SSL cert and tie it to the ELB.

Hopefully that helps clear it up a little. If it doesn't, I can get a little more granular.

wburnett
New Contributor II

Hi Steve, thanks for the reply.

I got a little stuck on ELB's which is why I was trying a separate method, but that makes more sense. I gave it another go and was able to get through most of the blog post from John Kitzmiller this time, but not all the way. I have the SG's configured per the article (443 on all addresses into the ELB, and 8080 only from the ELB to the two jamf servers) and health checks set up to poke at /healthCheck.html. However, the servers in both 1b and 1c are coming up unhealthy - unfortunately without much more info with which to debug or troubleshoot (unhealthy - request timed out).

Are there some common solutions for this? I did some googling and came up with the following, but I'm not too familiar with the container terminology

https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-unhealthy-checks-ecs/
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/create-application-load-balancer.html#alb-configure-routing

stevewood
Honored Contributor II
Honored Contributor II

@wburnett I ran into that myself when first setting up our environment. If I remember correctly, I was getting those errors because I had not completed the setup of the Jamf Pro server before adding the server to the load balancer. I would add an public IP address to the master server and allow traffic through to that server temporarily. Once you've done that, allow 8443 through to the server on that public IP. I would take it a step further and lock the traffic down to your machine's public IP.

Once you've done that, navigate to the JPS, run through the initial configuration, and once you are in the JPS you should be able to tear down that public IP. Of course test the ELB before tearing it down.

wburnett
New Contributor II

Ah @stevewood that makes a lot of sense! I think that's how I got stuck in the OP of this thread - I was unable to finish configuring the main jamf pro server since I couldn't get to the GUI, which was why I resorted to trying lynx. Should that come up if I go to <public ip>:8443?

I just did some checking and it looks like I'm running into some problems with tomcat8 not starting properly, so I'll have to investigate and figure out what's going on, that has to be the culprit. I'm going to try a fresh AMI tomorrow and see if I can get tomcat up and running properly. I appreciate you taking the time to respond!

wburnett
New Contributor II

Hey @stevewood , I've been playing with this for the last week or so, but I'm still not able to get into the jamf web portal - I'm getting the following error: "Bad Request This combination of host and port requires TLS." even though I've set up a self signed cert on the linux ami, using the tomcat documentation here: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

I've tried building a vpn server in my amazon VPC with a security group allowing traffic between the two, but that doesn't seem to have helped.

omar_ghafoori
New Contributor II

Hi Devin,

Would any of these times work to meet with our team to discuss Jamf Cloud for Government in detail? All times are EST

Mon Sept 7th
9AM 10AM
2PM

Wed Sept. 9th:
9AM
10AM
1PM