We run a clustered on-premises environment. One JSS internal, one JSS in the DMZ behind a reverse proxy. I've never loved that, even though you turn off the UI on the DMZ instance, www.myjss.com/api is still exposed as a UI. We do restrict what users have access to the API, but I still don't like it being exposed, so I tried blocking it in the reverse proxy.
After doing this, I noticed that it broke the sync with VPP. I removed the /api block in the reverse proxy and the purchased apps immediately came down. I went and checked the reverse proxy logs, thinking that I'd have an error logged every time the sync monitor ran. I found no such errors. The only thing I found in the logs related to /api was an error with remote users and the self service branding icon not being passed down.
Anybody else have any insight into why blocking /api breaks VPP sync and also why there would be no errors logged in the reverse proxy?