Step 1: Configuring a Gateway in Jamf Security Cloud

Jamf Connect Documentation

  1. In Jamf Security Cloud, navigate to Integrations > Access gateways.
  2. On the Dedicated gateways tab in the Dedicated IPSec gateways section, click Create gateway.
  3. Under Custom IPSec, click Create gateway.
    Note:

    The quick connect option requires fewer configuration steps. If you have advanced VPN requirements, you can create a custom IPSec interconnect instead.

  4. In the Create Custom IPsec panel, enter the required information in the following fields:
    1. IPSec name (used when selecting a routing destination within your access policies)
    2. IPsec Network Vendor

    3. VPN Technical Contact Name

    4. VPN Technical Contact Email

    5. Click Next.
  5. In the Provisioning section, perform the following:
    1. In the Egress Region menu, select the global Jamf datacenter from where this interconnect is provisioned.
      Note:

      The selected region should be as close as possible to your cloud infrastructure region.

    2. In the Jamf Security Cloud IPSec Source IP Addresses section, click Single IP address.

    3. In the IP Address field, enter the address.

      Note:

      Save the IP address in a secure location for a later step when configuring the cloud infrastructure side of the tunnel.

  6. In the Connectivity and Authentication section, perform the following:
    1. In the Your IPSec gateway IP address field, enter a random temporary IP address, for example, 1.2.3.4.
      Note:

      This IP address is changed when your cloud infrastructure assigns you an IP address on their side in a later step.

    2. Click the following:
      1. Generate secret

      2. Copy secret

    3. Paste the secret in a secure location, such as a note in a password manager.

    4. Select the I have saved the authentication secret. It will not be displayed here in the future. checkbox.
      Note:

      You can change the shared secret in the future but cannot view it for security purposes.

    5. Click Next.

  7. In the Proposals and Cyphers section, complete the following fields:
    Key exchange protocol: IKEv2
    Phase 1 encryption: AES-256
    Phase 2 encryption: AES-256
    Phase 1 integrity: SHA-256
    Phase 2 integrity: SHA-256
    Phase 1 Diffie-Hellman Groups: Group 14 (mod2048)
    Phase 2 Diffie-Hellman Groups: Group 14 (mod2048)
    Phase 1 Security Association (SA) lifetime: 28800
    Child Security Association (SA) lifetime: 28800
    Note:

    If your organization has specific encryption and cipher requirements, modify the settings above accordingly, and also modify your Google VPN settings when you set up that side of the tunnel.

  8. Click Next.
  9. In the Encryption Domain section, perform the following:
    1. In the Jamf Security Cloud Side section, using the five Jamf Security Cloud Subnet pop-up fields, select an IP range within the RFC 1918 (Address Allocation for Private Internets) defined range of addresses.
      Note:

      Jamf suggests the 192.168.233.0/24 range, provided that it isn't already defined elsewhere in your network.

      In the Encryption Domain section, you can use the IP address in the Last IP from range (Pingable ICMP Test Address) field to validate that the Jamf side of the tunnel is accessible via your Cisco IOS equipment.

      Note:

      ICMP: Internet Control Message Protocol
    2. In the Customer Side section, define the Customer Subnets by clicking Add.
    3. Enter the following information:
      1. IPs and subnets
      2. First address
      3. Last address

      These are the network subnets (typically your application servers), in classless inter-domain routing (CIDR) format, that remote Jamf Trust users can access through this interconnect, provided that their device is allowed by all Zero Trust policies. If you are unsure or want to make all IPs routable via this tunnel, set this field to 0.0.0.0/0.

      Note:

      Encryption domains are the IP addresses (network subnets) at either end of the tunnel that should be encrypted and able to route to each other. These can be single hosts or multiple networks.

    4. Click Next.
  10. Verify all configurations are correct, then click Save and create.
    The new gateway is displayed on the Dedicated gateways tab.
  11. Click the name of the new gateway to reference the gateway details in the following steps.
The VPN route is now created on the Jamf side of the gateway.
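
A pre-flight check for the Encryption Domain values in step 9, as an added example that is not part of Jamf's documentation: it confirms that the Jamf-side subnet falls inside RFC 1918, does not collide with ranges already defined in your network, and that each customer subnet is valid CIDR. The function name and every sample subnet other than 192.168.233.0/24 and 0.0.0.0/0 are constructed for illustration.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def check_encryption_domain(jamf_subnet, customer_subnets, in_use=()):
    """Return a list of (level, message) findings; an empty list means no issues.

    jamf_subnet      -- subnet chosen for the Jamf Security Cloud side
    customer_subnets -- CIDR strings planned for the Customer Side
    in_use           -- ranges already defined elsewhere in your network
    """
    findings = []
    jamf = ipaddress.ip_network(jamf_subnet, strict=True)
    if jamf.version != 4 or not any(jamf.subnet_of(b) for b in RFC1918):
        findings.append(("error", f"{jamf} is not inside an RFC 1918 range"))
    for used in map(ipaddress.ip_network, in_use):
        if jamf.overlaps(used):
            findings.append(("error", f"{jamf} overlaps {used}, already in use"))
    for raw in customer_subnets:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.20.0.5/24
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            findings.append(("error", f"{raw!r} is not valid CIDR: {exc}"))
            continue
        if net == ALL_IPV4:
            # Permitted by the procedure, but worth surfacing for review.
            findings.append(("warn", "0.0.0.0/0 makes all IPs routable via this tunnel"))
        elif net.overlaps(jamf):
            findings.append(("error", f"customer subnet {net} overlaps Jamf side {jamf}"))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one typo, one overlap, one catch-all route.
    plan = ["10.20.0.0/16", "10.20.0.5/24", "192.168.233.128/25", "0.0.0.0/0"]
    for level, message in check_encryption_domain(
            "192.168.233.0/24", plan, in_use=["192.168.10.0/24"]):
        print(f"[{level}] {message}")
```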