Posted on 03-29-2017 08:19 AM
Trying to set up a zero-touch config for new out-of-box Macs sent to our remote users. This process fails at the bind, as our Domain Controller is behind our corporate VPN firewall.
Our network team is willing to create an ipsec end-point to reach the DC via an L2TP tunnel.
Does anyone have any experience in this area? Or any pointers/advice on how to get a tunnel up on the Mac side before the user logs in to the machine?
Any assistance is appreciated.
Thanks!
Posted on 03-30-2017 09:47 AM
We had the same requirement, using hosted JSS, and our security team was NOT going to poke a hole from external all that way into the Internal network to get to a DC. The workaround we used was with "VDS" (Virtual Directory Services), I think it is part of the Novell Identity suite. Basically lets you stand up an LDAP relay in the DMZ that has a very specific "view" of your internal AD domain/forest, with custom login info, etc. The Firewall is also set to only allow the traffic from our JSS host in jamfcloud.com, and it is read-only (though I suppose it could be r/w if that was needed, but it isn't in our current implementation).
So, that might be an option for you...not sure about standing up a L2TP tunnel, particularly in the setup wizard. I think Apple would have to enable that through some heavy changes to the DEP configurations.