SUS Server for undefined Network Segment?

fsjjeff
Contributor II

Hey all,

I'm configuring Casper to update SUS servers to a local server based on Network Segment. However, our internal SUS servers don't have external DNS, so if a user tries to update their computer away from a school network it gives an error message.

I do have one SUS server with an externally accessible DNS entry. Can I define a 'catch-all' network segment so that anything outside of our network would go to that?

Ideas?

Jeff Dyck | Analyste de reseaux - Mac OS X
Conseil Scolaire Francophone de la Colombie-Britannique (SD 93)
3550 Wellington Street, Annexe B - Port Coquitlam, BC - V3B 3Y5
Tel: 778-284-0902 - Cell: 778-990-7960 - http://support.csf.bc.ca

9 replies

milesleacy
Valued Contributor

Hey Jeff,

The more specific a Network Segment is, the higher its order of precedence. e.g....

Segment A (10.0.0.1 to 10.0.0.10) takes precedence over
Segment B (10.0.0.1 to 10.0.0.100), which in turn takes precedence over
Segment C (10.0.0.1 to 10.0.0.254)

So, if you create a segment called “External Networks” or some such, and set the range to 1.0.0.1 through 255.255.255.254, any segment that is more specific will override that segment.

One item to watch out for... Private addressing schemes reuse a common set of IP addresses. If I’m on a hotel network and receiving a 192.168.x.x address, and I also use the 192.168.x.x range at the office, my computer would be reporting an address that is recognized as part of an internal segment even though that address is part of an external network.

I hope this is helpful.

--
Miles Leacy
Technical Training Manager
Mobile +1 347 277 7321

miles at jamfsoftware.com
....................................................................
JAMF Software
1011 Washington Ave. S
Suite 350
Minneapolis, MN 55415
....................................................................
Office: (612) 605-6625
Facsimile: (612) 332-9054
....................................................................
US Support: (612) 216-1296
UK Support +44.(0)20.3002.3907
AU Support +61.(0)2.8014.7469
....................................................................
http://www.jamfsoftware.com

fsjjeff
Contributor II

That's very helpful Miles. We do have some private subnets, but they're mostly used for imaging purposes (and use a 10.schoolcode.x.x system, so hopefully won't conflict with too many hotel subnets) so think we should be mostly ok.

Will have to play around with that today.

Jeff

fsjjeff
Contributor II

Hmmm... trying to implement this idea but looks like it's a no go - Casper won't let me define a Network segment that big. Looks like the most I can define is something like 1.0.0.1 - 1.255.255.254... When I try to put in 1.0.0.1 - 255.255.255.254, or even 1.0.0.1 - 2.255.255.254, it tells me "The Network Segment entered is not valid"

I'm on 7.21 still, so perhaps 7.3 allows this?

Jeff

tlarkin
Honored Contributor

You could try to do some creative scripting with wild cards, so if it doesn't hit a certain network segment it can do the updates from Apple, or it can trigger an offline policy or it can exit.

ernstcs
Contributor III

Because of the Class C stuff Miles mentions here, would it be possible to have the script try and resolve your SUS by DNS and, if it fails, do nothing or revert to Apple? This assumes your SUS does not have an external-facing DNS.

Now I don’t know how to do that, but it was the idea...

Craig E

fsjjeff
Contributor II

To be honest, I'm trying to not do this stuff via script at this point - I basically just want to set the SUS servers so that when a user goes to Software Update it goes to the correct place...

At this point in time I'm simply using a Policy that forces the local SUS setting, and it works so beautifully (except for this gotcha), that I'm reluctant to tackle recreating that functionality...

Was really hoping Miles' suggestion would work, as that sounded very elegant.

I think for now I'm going to lean toward just telling users they have to upgrade on our network. For the future I'm contemplating adding our servers to the public DNS and loosening up the firewall to allow SUS to do its thing.

Jeff

milesleacy
Valued Contributor

Another angle might be to use managed preferences. You can have a “default” profile that tells your clients to use the publicly available SUS. Then you can have individual profiles for your internal locations where you limit the scope by network segment. As long as the network segment-based profiles have names that come alphabetically after the default profile, the segment-based items will override the default when applicable.

Does that make sense?

--
Miles Leacy

fsjjeff
Contributor II

Sorry to resurrect an old conversation, but I'm still trying to struggle with this for several different reasons.

First, I'm on 7.3.1 right now.

Basically, we have about 20 different locations, each with a defined Network Segment, which I use to define the SUS server and the Casper repository. This works great.

Unfortunately, of 4500-ish Macs, about 4100 of them are laptops, so leave the network. Currently none of our policies or SUS servers work off our networks because most of our servers don't have external DNS.

I do have one SUS server and one Casper repository server that do have external DNS, and I'd like to make it so that any IP that doesn't fit into one of our defined Network Segments would default to those externally accessible servers.

This becomes more important as we just had 2 dozen computers stolen from one site, and I'm unable to configure them to be able to pull scripts or any policies that involve actually communicating with one of the repo servers.

tlarkin
Honored Contributor

Sounds like a feature request to me. If a client can not check in internally, it should hit the external servers. Sort of like when you try to authenticate to an OD replica and if the client cannot reach that replica it will then hit the next replica and try there.

Otherwise you'd have to be doing some fancy scripting, but if you could set all your network segments in the JSS and if the client cannot check in internally it should then try to check in to the public IP/DNS of the servers listed.

A simple test would be, set the client (or a script, or something that runs all the time) to see if it can connect to one of your internal servers. If it cannot reach it, via even a ping, then you know you are not in your network. That is how our Internet filter server works. If the client cannot reach the internal IP address of the server, the client then sets itself to grab the filter sync from the external IP.
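The reachability fallback described above, as an added example that is not part of the thread and not Casper's own policy code: a shell script that probes the internal SUS catalog and, if it does not answer, points Software Update at the externally reachable server instead. The hostnames, port and catalog paths are placeholders, not the poster's real servers. It probes the catalog URL over HTTP with curl rather than ping, so it also works where ICMP is filtered; the `defaults write` of `CatalogURL` in `com.apple.SoftwareUpdate` is the same preference key a Casper SUS policy sets on OS X of that era.

```sh
#!/bin/sh
# Added example: choose the Software Update catalog by reachability.
# All hosts and URLs are assumptions for illustration.
INTERNAL_URL="http://sus-internal.example.int:8088/index.sucatalog"   # resolves only on-net
EXTERNAL_URL="http://sus-public.example.org:8088/index.sucatalog"     # public DNS entry
PREF="/Library/Preferences/com.apple.SoftwareUpdate"

# Probe: does the catalog answer within 3 seconds? curl --fail turns HTTP
# errors into a non-zero exit, so a captive portal's 302/200 page is still
# worth checking separately if your users hit those often.
sus_reachable() {
    curl --fail -sS -m 3 -o /dev/null "$1" 2>/dev/null
}

# Print the catalog URL this client should use right now.
choose_catalog() {
    if sus_reachable "$INTERNAL_URL"; then
        echo "$INTERNAL_URL"
    else
        echo "$EXTERNAL_URL"
    fi
}

# Write the choice into the Software Update preference (needs root).
apply_catalog() {
    url=$(choose_catalog)
    defaults write "$PREF" CatalogURL "$url"
    echo "Software Update catalog set to $url"
}

# Usage: sh sus-fallback.sh apply     (as root, e.g. from a recurring policy)
#        sh sus-fallback.sh           (dry run, only reports the choice)
if [ "${1:-}" = "apply" ]; then
    apply_catalog
else
    echo "Would use: $(choose_catalog)"
fi
```

Run it from a recurring policy or a login/network-change trigger so a laptop that leaves the school network re-evaluates on its own; if the public SUS is plain HTTP, the client is trusting whatever answers at that hostname, so put the public server behind a name you control and consider restricting it to the catalog and packages you actually serve.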