This weekend our firewalls were replaced with us moving from one vendor to another. This took a little longer than required due to some issues with rules & inside/outside definitions, but my colleague was more than up to the challenge.
This change required our VPN config profile to be re-pushed, and it seemed to work. But further testing revealed we had an issue.
We have a simple cluster for our JSS with one server “cloud” accessible in the DMZ & another on our WAN that is our master JSS. Post firewall change, I checked:
- Cluster was being seen within JSS.
- External JSS was contactable.
- Clients could enrol & get Config Profiles.
- DMZ could telnet Master JSS on port 3306 for MySQL.
- Both DMZ & Master JSS Macs could telnet the 3 addresses below on the ports given (from this Apple Tech Note).
    telnet 1-courier.push.apple.com 5223
    telnet gateway.sandbox.push.apple.com 2195
    telnet gateway.push.apple.com 2195
Sadly I didn’t run a Recon externally; if I had, I would’ve stumbled over the error:
Could not connect to the JSS. Status – 503
After a fair bit of checking & re-checking, I re-ran the JSS Installer on the DMZ server. This resolved the issue for me.
I’m guessing that as the DMZ lost connection with the Master JSS for a period of time, something had bombed out.
Below is an image of our cluster, to help you visualise our setup. If it happens again, I’ll attempt to delve deeper.
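A scripted version of the post-change checks listed above, with an HTTP status check added, since the port tests all passed while Recon was getting a 503. This is an added example, not part of the original post: the JSS URL and database host are placeholders, `nc` and `curl` are assumed to be installed, and it assumes a plain HTTPS request to the JSS URL surfaces the same 503 that Recon reported.

```shell
#!/usr/bin/env bash
# Added example: post-firewall-change smoke test for a clustered JSS.
# APNs hosts/ports and MySQL 3306 are from the post; the URL and DB host
# passed to run_checks are placeholders you supply.

# TCP reachability: the scripted equivalent of "telnet host port".
check_tcp() {
    local host="$1" port="$2"
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
}

# HTTP status code a client sees; curl prints 000 if no response arrives.
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# Turn a status code into a verdict. An open port with a 503 behind it
# is the case the telnet checks could not show.
classify_status() {
    case "$1" in
        2??|3??) echo "OK" ;;
        503)     echo "FAIL: HTTP 503 (service unavailable)" ;;
        000)     echo "FAIL: no HTTP response" ;;
        *)       echo "FAIL: HTTP $1" ;;
    esac
}

# Run every check, print one line per result, return non-zero on any failure.
run_checks() {
    local jss_url="$1" db_host="$2" failures=0 target verdict
    for target in "$db_host:3306" \
                  1-courier.push.apple.com:5223 \
                  gateway.sandbox.push.apple.com:2195 \
                  gateway.push.apple.com:2195; do
        if check_tcp "${target%:*}" "${target##*:}"; then
            echo "OK   tcp  $target"
        else
            echo "FAIL tcp  $target"
            failures=$((failures + 1))
        fi
    done
    verdict=$(classify_status "$(http_status "$jss_url")")
    echo "$verdict  http $jss_url"
    [ "$verdict" = "OK" ] || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Usage (placeholder names):
# run_checks https://jss.example.com:8443/ master-jss.example.internal
```

The TCP checks match what was run from the DMZ server; the HTTP check is most telling when repeated from an external client, where enrolled Macs actually connect from.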