Jamf Pro allows you to enable an LDAP Proxy. Enabling an LDAP Proxy creates a secure tunnel through which traffic passes between Jamf Pro and an LDAP directory service. For example, if your environment uses a firewall, an LDAP Proxy lets a directory service on an internal network exchange information securely with Jamf Pro without exposing the directory service itself.
The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP Proxy if you have an LDAP server set up in Jamf Pro.
Note: The LDAP Proxy that is hosted on the Infrastructure Manager is not the same service as the open source NetBoot/SUS/LP server. For more information about the open source NetBoot/SUS/LP server, see the following webpage: https://github.com/jamf/NetSUS/tree/master/docs
When using the LDAP Proxy, the Jamf Infrastructure Manager can be customized for incoming TCP access on any available port. On Linux, port 1024 or greater must be used because lower-numbered ports are reserved for root services. The chosen port must be opened for inbound connections both on your firewall and on the computer on which the Infrastructure Manager is installed. Configure the inbound rules on your network firewall and on the Jamf Infrastructure Manager host's operating system to allow connections on this port only from Jamf Pro. For Jamf Cloud-hosted environments, limit the permitted source IP addresses to the address list for your hosting region.
Note: The Infrastructure Manager does not currently respect network proxy settings configured in the host operating system or in Java. Therefore, the Infrastructure Manager must be enrolled with Jamf Pro and receive its initial configuration on a network that does not require connection via an outbound proxy. Unless a firewall rule is created to allow the Infrastructure Manager to connect to Jamf Pro without using an outbound proxy, the Infrastructure Manager will not receive LDAP configuration updates or be able to notify Jamf Pro that it is operational. It will still be able to receive the inbound LDAP lookup requests from Jamf Pro, however.
For communication between the Infrastructure Manager and an LDAP directory service, your LDAP server’s regular incoming port is used. This port is specified in the LDAP server’s configuration in Jamf Pro. The most common configurations are port 389 for LDAP and port 636 for LDAPS. This communication occurs between the Infrastructure Manager in the DMZ and an internal LDAP directory service only.
Note: Internal domain addresses (for example, .local, .company, or .mybiz) are not supported at this time. The Infrastructure Manager must be resolvable to the external Jamf Pro server.
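The host-firewall guidance above (port 1024 or greater on Linux, inbound access to the proxy port only from Jamf Pro's addresses) as an added example script; this is not Jamf's code, it assumes iptables on the Linux host, and the Jamf Pro source ranges and the port 8389 are constructed placeholders:

```shell
#!/bin/sh
# Added example (not from the Jamf documentation): generate host-firewall rules
# for the Infrastructure Manager's LDAP Proxy listener. Assumes iptables on the
# Linux host; the Jamf Pro source ranges below are placeholders (TEST-NET space).

# Page rule: on Linux the proxy port must be 1024 or greater (and a valid port).
validate_proxy_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Emit iptables commands that admit new TCP connections to the proxy port only
# from the given Jamf Pro sources (space-separated CIDRs) and drop every other
# connection attempt to that port. Prints the commands; pipe to sh to apply.
render_proxy_rules() {
    port="$1"
    sources="$2"
    validate_proxy_port "$port" || { echo "proxy port must be 1024-65535" >&2; return 1; }
    for src in $sources; do
        echo "iptables -A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: chosen proxy port and two placeholder Jamf Pro ranges.
JAMF_PRO_SOURCES="203.0.113.10/32 198.51.100.0/24"
render_proxy_rules 8389 "$JAMF_PRO_SOURCES"
```

Run the script to review the generated rules first; the LDAP-side port (389 or 636) is rejected by design, since it refers to the directory service's own listener, not the proxy's.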
Configuring the LDAP Proxy
To configure an LDAP Proxy, complete the following steps:
1. Log in to Jamf Pro.
2. In the top-right corner of the page, click Settings.
3. Click System Settings.
4. Click LDAP Servers.
5. Click the LDAP server to which you want to assign an LDAP Proxy.
6. Click Edit.
7. Select the Enable LDAP Proxy checkbox.
8. Select the proxy server to use. The proxy binding address is automatically populated based on the server you select.
9. Enter a port number.
10. Click Save.
For related information, see the following section in this guide:
Jamf Infrastructure Manager Instances: learn more about the Jamf Infrastructure Manager.