I highly recommend simplifying your setup first before layering on complexity. If MDM enrollment and authentication aren’t working, the issue is likely tied to server naming inconsistencies or certificate issues. MDM is extremely sensitive to server names and certificates, and if they aren’t right, nothing will function correctly.
Start simple, get it working, then scale up.
@sana_nuevo Some thoughts that immediately come to mind from your post:
The image you posted for your environment configuration is too low-res to be legible; please post something readable if you'd like others to review it.
Your statement "one Server with Jamf Pro and Jamf database as a primary server (Tomcat & MySQL ) and one more windows server which has Jamf Pro Database ( mySQL)" doesn't make sense as you wouldn't have two separate MySQL servers (at least not when I used to run on-prem clusters).
To confirm, "offload encrypted traffic" means you're dropping encryption at the load balancer? That would be recommended. The public DNS for, and the SSL cert on, your load balancer should match your JSS URL (use a SAN entry in the cert for the actual load balancer name) and the JSS SSL certificate installed on all of your nodes.
Dear @sdagley, in that statement I meant to say that the primary Jamf Pro server has both Tomcat and MySQL running as the primary Tomcat and database, and the other server only has its replica. So we are syncing the primary Jamf Pro database to the other one.
Also attaching the high res diagram for you and others to check.
Thanks @sdagley for taking the time.
@sana_nuevo Thanks for the clearer architecture diagram. It's been about 5 years since I've built a Jamf Pro on-prem cluster so the memories are fading, but here are some more questions/comments:
- I don't see any demarcation of DMZ and internal networks in that drawing. Are all of those servers internal and your load balancer is the passthrough for your firewall?
- Your load balancer should only be fronting the child JSS nodes, and the primary JSS should only be accessible inside your network.
- You're only showing a DP exposed to the external network. What's the DP for the internal network?
- Do you have split DNS set up so your JSS URL resolves to the load balancer from external networks and to your primary JSS on the internal network?
Dear @sdagley, you are correct in the sense that there is no DMZ: all servers are on the LAN and behind the load balancer, and the load balancer passes through the traffic from the Cloudflare WAF.
We have split DNS set up (mdm.nuevo.com) which resolves to the load balancer IP for external clients, and when we do an nslookup from the LAN it resolves to the internal nodes' IPs (both child and primary) through DNS round robin.
@sana_nuevo I would not recommend that you have your child and primary nodes in a DNS Round Robin internally. Try having only your primary respond to mdm.nuevo.com internally and see if you're able to connect then.
Thanks @sdagley, finally I am able to get my setup up and running. But the challenge was with the network team: they still are not able to offload SSL on the load balancer, so I installed a publicly trusted certificate on all three nodes (one primary and two child nodes), and I have only my primary node responding to mdm.nuevo.com.
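As an added example (not code from this thread or from Jamf), the two checks the thread converges on, written as a script: that the certificate on each node carries SAN entries for the JSS URL and the load balancer name, and that internal DNS for the JSS URL answers with the primary node only rather than a round robin over child nodes. mdm.nuevo.com comes from the thread; the load balancer name lb01.nuevo.com and the 10.0.0.x addresses are placeholders.

```python
"""Added example: verify cert SAN coverage and primary-only internal DNS for a
Jamf Pro on-prem cluster. Hostnames/IPs other than mdm.nuevo.com are placeholders."""
import socket
import ssl


def san_matches(san_names, hostname):
    """True if hostname is covered by a DNS SAN entry. Wildcards follow RFC 6125:
    '*' only as the whole leftmost label, matching exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                     # e.g. ".nuevo.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:      # exactly one label
                return True
    return False


def cert_covers_names(san_names, jss_host, lb_host):
    """Every name a client may connect to (JSS URL and the LB's own name, as
    advised in the thread) must be present in the SAN list."""
    return {h: san_matches(san_names, h) for h in (jss_host, lb_host)}


def check_internal_dns(jss_host, primary_ips, resolver=socket.gethostbyname_ex):
    """Internal DNS should return only the primary node's address(es). Any extra
    address means child nodes are still in the round robin."""
    _, _, addrs = resolver(jss_host)
    extra = sorted(set(addrs) - set(primary_ips))
    missing = sorted(set(primary_ips) - set(addrs))
    return {"ok": not extra and not missing, "unexpected": extra, "missing": missing}


def san_names_from_cert(host, port=443):
    """Fetch the live certificate from one node and return its DNS SAN entries.
    Uses a verifying context, so an untrusted chain fails here, as MDM would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Live run against a real node (needs network); placeholders below.
    sans = san_names_from_cert("mdm.nuevo.com")
    print(cert_covers_names(sans, "mdm.nuevo.com", "lb01.nuevo.com"))
    print(check_internal_dns("mdm.nuevo.com", ["10.0.0.10"]))
```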