The Jamf Software Server (JSS) allows you to enable an LDAP Proxy. Enabling an LDAP Proxy creates a secure tunnel to allow traffic to pass between a JSS and an LDAP directory service. For example, if your environment uses a firewall, an LDAP Proxy can be used to allow a directory service on an internal network to pass information securely between the directory service and the JSS.
The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by the JSS. After you install an instance of the Infrastructure Manager, the JSS allows you to enable an LDAP Proxy if you have an LDAP server set up in the JSS. For more information, see Jamf Infrastructure Manager Instances.
Note: The LDAP Proxy that is hosted on the Infrastructure Manager is not the same service as the open source NetBoot/SUS/LP server. For more information about the open source NetBoot/SUS/LP server, see the following webpage:
When the LDAP Proxy is used, the Jamf Infrastructure Manager can be configured to accept incoming connections on any available port numbered 1024 or higher. That port must be opened inbound on your firewall and on the computer on which the Infrastructure Manager is installed. The recommended port for communication between your JSS and the Infrastructure Manager is 8389.
For communication between the Infrastructure Manager and an LDAP directory service, the LDAP server’s standard incoming port is used. This port is specified in the LDAP server’s configuration in the JSS; the most common configurations use port 389 for LDAP and port 636 for LDAPS. This traffic flows only between the Infrastructure Manager in the DMZ and the internal LDAP directory service.
Note: The Infrastructure Manager does not support Network Address Translation (NAT).
When using the JSS hosted on Jamf Cloud, the necessary external IP addresses for Jamf Cloud must be allowed inbound to the Infrastructure Manager. For more information, see the Permitting Inbound/Outbound Traffic with Jamf Cloud Knowledge Base article.
Note: Internal domain addresses (for example, .local, .company, or .mybiz) are not supported at this time. The Infrastructure Manager’s address must be resolvable by the external JSS server.
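The port, addressing and firewall requirements above lend themselves to a pre-flight check before the proxy is enabled. The following script is an added example written for this page, not Jamf code and not part of the Infrastructure Manager: it encodes the stated constraints (listening port 1024 or higher with 8389 recommended, the LDAP server port taken from the JSS configuration with 389 and 636 as the common values, internal-only domain suffixes unsupported, only the JSS or published Jamf Cloud addresses allowed inbound to the proxy port) and prints the two firewall rules the two legs require. All hostnames, addresses and the ProxyPlan structure are constructed for illustration; the remark preferring LDAPS over plain LDAP is the editor's, not a statement from the documentation.

```python
"""Pre-flight checks for a Jamf Infrastructure Manager LDAP Proxy plan (added example, not Jamf code)."""
import ipaddress
import socket
from dataclasses import dataclass, field

# Values named in the documentation
RECOMMENDED_PROXY_PORT = 8389
MIN_PROXY_PORT = 1024
COMMON_LDAP_PORTS = {389: "LDAP", 636: "LDAPS"}
UNSUPPORTED_SUFFIXES = (".local", ".company", ".mybiz")


@dataclass
class ProxyPlan:
    """A proposed LDAP Proxy deployment; every value is supplied (constructed) by the caller."""
    im_hostname: str                      # name the JSS uses to reach the Infrastructure Manager
    im_port: int                          # inbound port on the Infrastructure Manager
    ldap_host: str                        # internal LDAP directory service
    ldap_port: int                        # port from the LDAP server configuration in the JSS
    jss_sources: list[str] = field(default_factory=list)  # addresses/CIDRs permitted to reach im_port


def check_proxy_port(port: int) -> tuple[list[str], list[str]]:
    """The Infrastructure Manager port must be 1024 or greater; 8389 is the recommended value."""
    errors, warnings = [], []
    if not MIN_PROXY_PORT <= port <= 65535:
        errors.append(f"proxy port {port} is outside the supported range {MIN_PROXY_PORT}-65535")
    elif port != RECOMMENDED_PROXY_PORT:
        warnings.append(f"proxy port {port} differs from the recommended {RECOMMENDED_PROXY_PORT}")
    return errors, warnings


def check_hostname(hostname: str) -> list[str]:
    """Internal-only suffixes are unsupported: the external JSS must be able to resolve this name."""
    name = hostname.rstrip(".").lower()
    return [
        f"{hostname}: suffix {suffix} is internal-only and not supported for the Infrastructure Manager"
        for suffix in UNSUPPORTED_SUFFIXES
        if name.endswith(suffix)
    ]


def check_ldap_port(port: int) -> list[str]:
    """The directory leg uses the port configured in the JSS; 389 and 636 are the common ones."""
    warnings = []
    if port not in COMMON_LDAP_PORTS:
        warnings.append(f"LDAP port {port} is not 389 (LDAP) or 636 (LDAPS); confirm it matches the JSS LDAP server configuration")
    elif port == 389:
        # Editor's recommendation, not from the documentation: 389 is cleartext LDAP unless StartTLS is negotiated.
        warnings.append("port 389 carries plain LDAP; prefer 636 (LDAPS) where the directory supports it")
    return warnings


def check_sources(sources: list[str]) -> list[str]:
    """Each inbound source must be a valid address or CIDR (for Jamf Cloud, the published ranges)."""
    errors = []
    for src in sources:
        try:
            ipaddress.ip_network(src, strict=False)
        except ValueError:
            errors.append(f"allowed source {src!r} is not a valid IP address or CIDR")
    return errors


def validate_plan(plan: ProxyPlan) -> dict[str, list[str]]:
    """Aggregate all checks: errors block the deployment, warnings need review."""
    port_errors, port_warnings = check_proxy_port(plan.im_port)
    return {
        "errors": port_errors + check_hostname(plan.im_hostname) + check_sources(plan.jss_sources),
        "warnings": port_warnings + check_ldap_port(plan.ldap_port),
    }


def firewall_rules(plan: ProxyPlan) -> list[str]:
    """Describe the two inbound rules the documentation calls for, in vendor-neutral text."""
    sources = plan.jss_sources or ["<JSS public address>"]
    rules = [f"ALLOW tcp {src} -> {plan.im_hostname}:{plan.im_port}   # JSS to Infrastructure Manager (DMZ)" for src in sources]
    rules.append(f"ALLOW tcp {plan.im_hostname} -> {plan.ldap_host}:{plan.ldap_port}   # Infrastructure Manager to internal directory")
    return rules


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check of one leg: run from the JSS side for im_port, from the IM host for ldap_port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed example values; 203.0.113.0/24 is documentation address space, not a Jamf range.
    plan = ProxyPlan("ldap-proxy.example.com", 8389, "dc01.corp.example.com", 636, ["203.0.113.0/24"])
    result = validate_plan(plan)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
    for rule in firewall_rules(plan):
        print(rule)
```

Run validate_plan first and fix any errors before opening ports; tcp_reachable is deliberately separate because each leg must be tested from the host that actually originates it (the JSS for the proxy port, the Infrastructure Manager for the directory port), and a successful connect from anywhere else would only show that the rule is wider than the documentation requires.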
To configure an LDAP Proxy, you need the following:
Configuring the LDAP Proxy
1. Log in to the JSS with a web browser.
2. In the top-right corner of the page, click Settings.
3. Click System Settings.
4. Click LDAP Servers.
5. Click the LDAP Server to which you want to assign an LDAP Proxy.
6. Select the Enable LDAP Proxy checkbox.
7. Select the proxy server to use and enter a port number.