Configuring a Generic IPSec Gateway in Jamf Security Cloud

Jamf Connect Documentation


If we do not offer specific instructions for your firewall, network gateway, or cloud provider vendor, but your equipment supports site-to-site IPSec VPN configurations, the following configuration steps will help you configure the Jamf Security Cloud-side of the VPN.

  1. In Jamf Security Cloud, navigate to Integrations > Access gateways.
  2. On the Dedicated gateways tab in the Dedicated IPSec gateways section, click Create gateway.
  3. Under Custom IPSec, click Create gateway.
  4. Under General, add the following:
    • IPSec name: A name that will appear for this connection in your access policies
    • IPSec network vendor: The networking equipment that will be used to connect to Jamf Security Cloud
    • VPN technical contact name: The name of the individual deploying the interconnect gateway
    • VPN technical contact email: The email address of the individual deploying the interconnect gateway
  5. Click Next.
  6. Under Provisioning, add the following:
    • Egress region: Indicate the region from which Jamf Security Cloud should initiate the IPSec tunnel. Typically this should be as close to the geographical location of your IPSec interconnect equipment as possible.
    • Jamf Security Cloud IPSec source IP addresses: Choose from the following based on your network equipment's ability to support dynamic addressing:
      • Dynamic Addressing: Connections will originate from any one of the IP addresses that belong to the particular Availability Zone; for example, 54.220.161.57 (Zone A) or 18.202.42.169 (Zone B).
      • Single IP Address: Define the single IP address from the menu that all IPSec traffic from Jamf Security Cloud will originate from for this interconnect. This option provides potentially lower availability, but may be required depending on your network equipment's capabilities.
  7. Click Next.
  8. Under Connectivity and Authentication:
    1. Add Your IPSec gateway IP address.

      This is the public IP address that will be listening for inbound IPSec connections from Jamf Security Cloud.

    2. Add Your IKE domain ID.

      This is a unique identifier used to identify and establish this IPSec tunnel. Generally this should be a fully qualified domain name, with a value such as jamf.mycompany.com. You must use this exact value in your side of the VPN configuration.

    3. (Optional) The Jamf Security Cloud IKE domain ID is set to wpa.wandera.com by default. If your router or firewall does not support the use of fully qualified domain names (FQDNs) as IPSec domain IDs, you must replace the default value with one of the Jamf Security Cloud IPSec source outbound IP addresses from the Provisioning step.
    4. Click Generate secret.
    5. Click Copy secret.

      This copies the authentication secret password, which is the pre-shared key (PSK) to be used for this IPSec security association.

    6. Paste the password into a secure location, such as a note in a password manager application.
    7. Check the box to confirm that you've saved the authentication secret password.
  9. Click Next.
  10. Under Proposals and Cyphers:
    1. Select a Key exchange protocol (Jamf strongly recommends that you use IKEv2 for maximum security, compatibility and performance).
    2. Modify the Phase 1 and Phase 2 configurations if required.

      You must match these configurations exactly on your side of the VPN tunnel configuration to avoid negotiation errors.

    3. Click Next.
  11. Under Encryption Domain:
    1. Define the Jamf Security Cloud subnet with the IP address picker.

      The picker limits available IPs to those in the Address Allocation for Private Internets (RFC1918) defined categories.

    2. Note the resulting Pingable ICMP test address that is generated.

      You can use this IP address to validate that the Jamf Security Cloud side of the tunnel is reachable from your side.

    3. Define Customer subnets.

      These are the network subnets (typically your application servers) in CIDR format that remote Jamf Trust users will be able to reach via this interconnect, provided their device is allowed by all Zero Trust policies. If you are unsure of the value to enter, or want to make all IPs routable via this tunnel, set this field to 0.0.0.0/0.

      Note:

      An Encryption Domain is the IP addresses (network subnets) at either end of the tunnel that should be encrypted and able to route to each other. These can be single hosts or multiple networks.

  12. Click Next, then review the VPN configuration details.
  13. Click Save and create.
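The steps above configure only the Jamf Security Cloud side. The following is an added example, not part of this page or Jamf's own documentation, of how the matching customer side could look on a strongSwan gateway (swanctl.conf); strongSwan is an assumption, since the page names no vendor. The Phase 1/Phase 2 proposals, the customer and Jamf Security Cloud subnets, and the gateway address are constructed placeholders and must be replaced with the values you actually chose in each step.

```conf
# swanctl.conf -- constructed customer-side example (strongSwan assumed).
# Every value here must match what was entered in Jamf Security Cloud exactly.
connections {
    jamf-security-cloud {
        version = 2                          # IKEv2, as recommended under Proposals and Cyphers
        local_addrs  = 203.0.113.10          # Your IPSec gateway IP address (constructed)
        # Single IP Address option: the one source address chosen under Provisioning.
        # Dynamic Addressing option: list the zone addresses instead, e.g.
        #   remote_addrs = 54.220.161.57, 18.202.42.169
        remote_addrs = 54.220.161.57
        # Phase 1 proposal (constructed); must equal the Phase 1 settings on the Jamf side
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = jamf.mycompany.com          # Your IKE domain ID (FQDN from the Connectivity step)
        }
        remote {
            auth = psk
            id = wpa.wandera.com             # Jamf Security Cloud IKE domain ID (default)
        }
        children {
            jamf-tunnel {
                # Encryption Domain: customer subnets <-> Jamf Security Cloud subnet
                local_ts  = 10.10.0.0/16     # Customer subnets (constructed)
                remote_ts = 10.99.0.0/24     # Jamf Security Cloud subnet (constructed)
                # Phase 2 proposal (constructed); must equal the Phase 2 settings on the Jamf side
                esp_proposals = aes256-sha256-modp2048
                # Jamf Security Cloud initiates the tunnel, so this side only responds
                start_action = none
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-jamf {
        id-1 = wpa.wandera.com
        id-2 = jamf.mycompany.com
        secret = "<PSK copied from Generate secret>"   # placeholder, never commit the real value
    }
}
```

Once the tunnel is up, pinging the Pingable ICMP test address from a host in a customer subnet confirms that the Jamf Security Cloud side of the Encryption Domain is reachable.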

After the gateway has been successfully created, it will appear in the Dedicated IPSec gateways list view in Jamf Security Cloud.

To view detailed logs for a specific private gateway, navigate to Integrations > Access gateways > (specific gateway) > Logs. These logs allow you to monitor the status of your IPSec connections and troubleshoot any issues in your environment.