Computer Security. By: Jeff Tyson.
Just saying… if this is the biggest concern, there are probably other security issues you might want to fix first.
The purpose of this post is just to share the overall thoughts and considerations you should weigh before committing to a specific setup, or before choosing an on-premises Jamf Pro installation over Jamf Cloud. As with most Jamf or general Mac management questions, however, there is already some information about this on Jamf Nation: Feature request, Discussion, ….
Last but not least, according to the Jamf recommendations for clustered setups, you should also enable Memcached, which will become mandatory in future versions of Jamf Pro. See Jamf Pro Memcached. But there is, however, another way of doing things, and this brings us to the reverse proxy. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server; a normal (forward) proxy works in the opposite direction and is typically used to manage access from internal clients to multiple external servers.
The thing is, instead of deploying a second Jamf Pro server in the DMZ to securely provide access to Jamf Pro from outside the internal network, a reverse proxy might offer an alternative way of achieving this. Note: please be aware that the following setup is not the default or officially supported way of installing Jamf Pro and should not be blindly attempted in a production environment.
The idea here is to configure a reverse proxy which will handle all incoming requests from the internet inbound to the Jamf Pro server, which gives us multiple benefits: Documenting, or discussing, in-depth configurations of reverse proxies would take me a bit too far off topic here, and is hardly possible anyway given all the possible hardware and network configurations available to achieve this. I will most likely spend another blog post discussing my homelab test setup for this.
When going for a clustered setup with a Jamf Pro server in the DMZ, we had the benefit of the built-in functionality to close down the web portal on the public-facing DMZ server, limiting communication to the managed devices only. This allows the devices to contact the server for management tasks, while the web portal is not reachable from a browser.
Using strong admin passwords should provide enough security to avoid unauthorised access to your admin portal, but limiting access still provides an extra layer of protection. The first option would be to limit access to the admin console at the Tomcat level, by tweaking the web.
The second option involves clustering the internal Jamf Pro infrastructure. By adding an additional server, you can enable limited access on the Jamf Pro server the reverse proxy redirects the managed devices to, and use the additional server for the admin console.
There are tons of tools for configuring it and loads of GUIs you can choose from. Generating them is pretty simple; the hardest part is keeping track of which key goes where. Hopefully the example configuration files below help make that clear. Personally I saved mine as wg0. You can change the IP address in my case. Once you have created your config files on both servers, run sudo systemctl enable wg-quick@wg0.
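As an added example (not the original post's own files), here are the two wg0.conf files for a point-to-point tunnel between servers A and B, with placeholder keys showing which key belongs where: each [Interface] carries that host's own private key, and each [Peer] carries the other host's public key. The tunnel addresses, the port and the hostname vpn-a.example.com are assumptions.

```ini
# --- Server A: /etc/wireguard/wg0.conf (chmod 600; placeholder keys) ---
[Interface]
# A's OWN private key, from: wg genkey. It never leaves this host.
PrivateKey = <SERVER_A_PRIVATE_KEY>
# A's address inside the tunnel (assumed 10.10.0.0/24 tunnel network)
Address = 10.10.0.1/24
# UDP port A listens on; this is the only port to open on A's firewall
ListenPort = 51820

[Peer]
# B's PUBLIC key, from: wg pubkey < B_private_key
PublicKey = <SERVER_B_PUBLIC_KEY>
# Optional extra symmetric secret from: wg genpsk. Identical on both sides.
PresharedKey = <SHARED_PSK>
# Cryptokey routing: packets from this peer are only accepted if their
# source is 10.10.0.2, and only traffic to 10.10.0.2 is sent to this peer
AllowedIPs = 10.10.0.2/32

# --- Server B: /etc/wireguard/wg0.conf (chmod 600; placeholder keys) ---
[Interface]
# B's OWN private key
PrivateKey = <SERVER_B_PRIVATE_KEY>
Address = 10.10.0.2/24
ListenPort = 51820

[Peer]
# A's PUBLIC key
PublicKey = <SERVER_A_PUBLIC_KEY>
# Same preshared key as on A
PresharedKey = <SHARED_PSK>
AllowedIPs = 10.10.0.1/32
# B initiates, so only B needs A's public endpoint (assumed hostname).
# A learns B's address from the first authenticated handshake.
Endpoint = vpn-a.example.com:51820
# Keeps the NAT/firewall mapping open if B sits behind NAT
PersistentKeepalive = 25
```

AllowedIPs is both the routing rule and the per-peer source allow-list, so keeping it to the peer's single /32 means a compromised peer cannot inject traffic claiming other tunnel addresses.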
We covered NAT-related issues, firewall rules, and firewall architectures.
What firewall architecture should you use?
(Diagrams: Single Firewall Architecture; Dual Firewall Architecture)
Obviously, the dual-firewall architecture is going to be more expensive and more complex to manage.
How should you set your DMZ firewall rules?
Here's a simplified diagram of the ideal traffic flow.
Summary
In this post, we talked about the things you would need to consider when setting up your DMZ's firewalls and reverse proxy server.