A Jamf Infrastructure Manager instance is a service managed by Jamf Pro that allows traffic to pass securely between Jamf Pro and an LDAP directory service. The Jamf Infrastructure Manager and the LDAP Proxy typically reside within the DMZ of your organization's network. Infrastructure Manager instances can be installed on Linux and Windows. For more information, see Installing a Jamf Infrastructure Manager Instance.
Note: This guide provides instructions on installing Infrastructure Manager for LDAP Proxy. For information on installing Infrastructure Manager for Healthcare Listener, see the Installing and Configuring the Healthcare Listener technical paper.
When your environment is hosted on Jamf Cloud, the necessary external IP addresses for Jamf Cloud must be allowed inbound to the Infrastructure Manager. Internal domain addresses (e.g., .local, .company, or .mybiz) are not supported. The Infrastructure Manager must be resolvable to the external Jamf Pro server.
When using the LDAP Proxy, the Jamf Infrastructure Manager can be configured to accept incoming TCP connections on any available port. On Linux, the port must be 1024 or greater because lower-numbered ports are reserved for root services. The chosen port must be opened inbound both on your network firewall and on the computer on which the Infrastructure Manager is installed. Configure the inbound rules on the network firewall and on the Jamf Infrastructure Manager host's operating system so that connections on this port are accepted only from Jamf Pro. Jamf Cloud customers should limit the permitted source IP addresses to the list published for their hosting region. For more information, see the Permitting Inbound/Outbound Traffic with Jamf Cloud Knowledge Base article.
Note: The Infrastructure Manager does not currently respect network proxy settings configured in the host operating system or in Java. As a result, the Infrastructure Manager must be enrolled with Jamf Pro and receive its initial configuration on a network that does not require an outbound proxy. A firewall rule must be created to allow the Infrastructure Manager to connect to Jamf Pro directly, without an outbound proxy. This rule allows the Infrastructure Manager to receive LDAP configuration updates and to notify Jamf Pro that it is operational. If the rule is not implemented, the Infrastructure Manager will still be able to receive inbound LDAP lookup requests from Jamf Pro, but the outbound configuration and status traffic described above will not succeed.
For communication between the Infrastructure Manager and an LDAP directory service, your LDAP server’s regular incoming port is used. This port is specified in the LDAP server’s configuration in Jamf Pro. The most common configurations are port 389 for LDAP and port 636 for LDAPS. This communication occurs between the Infrastructure Manager in the DMZ and an internal LDAP directory service only.
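The two firewall legs described above (inbound from Jamf Pro to the Infrastructure Manager on the chosen proxy port, and outbound from the Infrastructure Manager to the internal directory on 389 or 636) can be expressed as a small host-firewall rule set. The following script is an added example, not Jamf's own tooling or part of this guide. It validates the Linux port restriction (1024 or greater), then prints iptables rules that accept the proxy port only from the listed Jamf Pro source ranges and drop everything else aimed at that port. The source addresses, the proxy port 8389 and the host name ldap.example.internal are constructed placeholders; substitute the published address list for your Jamf Cloud hosting region or your on-premises Jamf Pro server.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Jamf tooling): emit an iptables
# rule set for the Infrastructure Manager host's LDAP proxy role.
# All addresses and ports below are constructed placeholders.
set -eu

# Linux reserves ports below 1024 for root services, so the proxy port
# must be in 1024-65535. Returns 0 when the port is acceptable.
validate_proxy_port() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Inbound leg: accept the proxy port only from the given Jamf Pro source
# ranges, then drop any other connection attempt to that port.
inbound_rules() {
    port=$1; shift
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Outbound leg: Infrastructure Manager -> internal directory service on the
# LDAP (389) or LDAPS (636) port configured for the LDAP server in Jamf Pro.
# Only meaningful when the OUTPUT chain has a default-deny policy.
outbound_ldap_rules() {
    ldap_host=$1; ldap_port=$2
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -j ACCEPT\n' "$ldap_host" "$ldap_port"
}

# build_ruleset PROXY_PORT LDAP_HOST LDAP_PORT JAMF_PRO_SOURCE...
# Prints the complete rule set, or fails when the proxy port is invalid.
build_ruleset() {
    proxy_port=$1; ldap_host=$2; ldap_port=$3; shift 3
    if ! validate_proxy_port "$proxy_port"; then
        echo "proxy port $proxy_port must be 1024-65535 on Linux" >&2
        return 1
    fi
    inbound_rules "$proxy_port" "$@"
    outbound_ldap_rules "$ldap_host" "$ldap_port"
}

# Stand-alone demo with constructed values: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    build_ruleset 8389 ldap.example.internal 636 198.51.100.10/32 203.0.113.0/24
fi
```

The script only prints the rules; review the output and apply it through your distribution's persistent firewall mechanism. Note that the rule set models only the two legs covered in this section. The separate outbound rule that lets the Infrastructure Manager reach Jamf Pro without a proxy still has to be added according to the Network Ports Used by Jamf Pro article.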
The following diagram shows network communication with example ports between your LDAP directory service and Jamf Pro with the Infrastructure Manager installed:
Important: Jamf Infrastructure Manager 2.2.0 requires Jamf Pro 10.27.0 or later for environments with the Infrastructure Manager instance added as an LDAP proxy server.
For more information about network communication and the connections initiated between the Infrastructure Manager and Jamf Pro, see the Network Ports Used by Jamf Pro Knowledge Base article.