Jamf Pro allows you to enable an LDAP Proxy. Enabling an LDAP Proxy creates a secure tunnel to allow traffic to pass between Jamf Pro and an LDAP directory service. For example, if your environment uses a firewall, an LDAP Proxy can be used to allow a directory service on an internal network to pass information securely between the directory service and Jamf Pro.
The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP Proxy if you have an LDAP server set up in Jamf Pro. For more information, see Jamf Infrastructure Manager Instances.
Note: The LDAP Proxy that is hosted on the Infrastructure Manager is not the same service as the open source NetBoot/SUS/LP server. For more information about the open source NetBoot/SUS/LP server, see the following webpage: https://github.com/jamf/NetSUS/tree/master/docs .
When using the LDAP Proxy, the Jamf Infrastructure Manager can be customized for incoming access by any available port 1024 or greater. The port used must be opened, inbound, on your firewall and also on the computer on which the Infrastructure Manager is installed. The recommended port is 8389 for communication between your Jamf Pro server and the Infrastructure Manager.
Note: The Infrastructure Manager does not currently respect network proxy settings configured in the host operating system or in Java. Therefore, the Infrastructure Manager must be enrolled with Jamf Pro and receive its initial configuration on a network that does not require connection via an outbound proxy. Unless a firewall rule is created to allow the Infrastructure Manager to connect to Jamf Pro without using an outbound proxy, the Infrastructure Manager will not receive LDAP configuration updates or be able to notify Jamf Pro that it is operational. It will still be able to receive the inbound LDAP lookup requests from Jamf Pro, however.
For communication between the Infrastructure Manager and an LDAP directory service, your LDAP server’s regular incoming port is used. This port is specified in the LDAP server’s configuration in Jamf Pro. The most common configurations are port 389 for LDAP and port 636 for LDAPS. This communication occurs between the Infrastructure Manager in the DMZ and an internal LDAP directory service only.
Note: If your environment is hosted in Jamf Cloud and uses Network Address Translation (NAT), you can configure the Jamf Infrastructure Manager to ensure successful communication between the Infrastructure Manager and Jamf Pro. For more information, see the Configuring the Jamf Infrastructure Manager to Use Network Address Translation (NAT) Knowledge Base article.
When using Jamf Pro hosted on Jamf Cloud, the necessary external IP addresses for Jamf Cloud must be allowed inbound to the Infrastructure Manager. For more information, see the Permitting Inbound/Outbound Traffic with Jamf Cloud Knowledge Base article.
Note: Internal domain addresses (for example, .local, .company, or .mybiz) are not supported at this time. The Infrastructure Manager must be resolvable to the external Jamf Pro server.
For more information about network communication and the connections initiated between the Infrastructure Manager and Jamf Pro, see the Network Ports Used by Jamf Pro Knowledge Base article.
To configure an LDAP Proxy, you need the following:
Configuring the LDAP Proxy
Log in to Jamf Pro.
In the top-right corner of the page, click Settings .
Click System Settings.
Click LDAP Servers .
Click the LDAP Server to which you want to assign an LDAP Proxy.
Click Edit .
Select the Enable LDAP Proxy checkbox.
Select the proxy server to use.
The proxy binding address is automatically populated based on the server you select.
Enter a port number.
Click Save .