Skip to main content
Solved

Jamf On-premise setup behind load balancer

  • March 1, 2025
  • 7 replies
  • 30 views
S
Forum|alt.badge.img+3

Dear Jamf experts,

I need your support to get my on-prem Jamf Pro infrastructure correctly setup.

I have Two windows 2022 server installed with Tomcat web app 

for Jamf Pro as a child node ( cluster ) behind load balancer and one Server with Jamf Pro and Jamf database as a primary server (Tomcat & MySQL ) and one more windows server which has Jamf Pro Database ( mySQL). All three servers are in cluster with memcached installed on ubuntu. On load balancer we have placed child node behind that and I have used public trusted SSL on load balancer to offload encrypted traffic, I have used publicly resolvable DNS name on load balancer ( like mdm.public.com ) but I have used diffenrent Jamf Pro Url on Jamf Pro setting under global setting like (mdm.private.com). and used Jamf Pro CA signed SSL for Primary server with CN Name mdm.private.com


My issues are two.

1- I am not able to enroll any device no matter I am in public network or private network
2- I am not able to login in Jamf Pro console from internet as the error is "invalid Information Provided" though I know the username and password is correct.

@rocketman 

 

 

 

Best answer by sdagley

Dear @sdagley you ae correct in sense that there is no DMZ all servers are on LAN and behind load balancer and load balancer is pass-through the traffic from cloudfare WAF.
We have split DNS setup ( mdm.nuevo.com ) which resolve the load balancer IP for external clients and when we do nslookup from LAN it resolves the internal nodes ( both child and primary) IP through DNS Round Robin.


@sana_nuevo I would not recommend that you have your child and primary nodes in a DNS Round Robin internally. Try having only your primary respond to mdm.nuevo.com internally and see if you're able to connect then.

    7 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • March 1, 2025

    I highly recommend simplifying your setup first before layering on complexity. If MDM enrollment and authentication aren’t working, the issue is likely tied to server naming inconsistencies or certificate issues. MDM is extremely sensitive to server names and certificates, and if they aren’t right, nothing will function correctly.

     

    Start simple, get it working, then scale up.

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • March 2, 2025

    @sana_nuevo Some thoughts that immediately come to mind from your post:

    The image you posted for you environment configuration is too lo-res to be legible, please post something readable if you'd like others to review it.

    Your statement "one Server with Jamf Pro and Jamf database as a primary server (Tomcat & MySQL ) and one more windows server which has Jamf Pro Database ( mySQL)" doesn't make sense as you wouldn't have two separate MySQL servers (at least not when I used to run on-prem clusters).

    To confirm, "offload encrypted traffic" means you're dropping encryption at the load balancer? That would be recommended. The public DNS for, and the SSL cert on, your load balancer should match your JSS URL (use a SAN entry in the cert for the actual load balancer name) and the JSS SSL certificate installed on all of your nodes.

    S
    Forum|alt.badge.img+3
    • sana_nuevo
    • Author
    • New Contributor
    • March 6, 2025

    Dear @sdagley In the statement I mean to say that the Primary JamF Pro server has both Tomcat and mysql running as primary tomcat & database and the other server is having its replica only. So we are synching the Primary JamF Pro database to other one.

    Also attaching the high res diagram for you and others to check.

     



    thanks @sdagley for taking out time.

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • March 6, 2025

    Dear @sdagley In the statement I mean to say that the Primary JamF Pro server has both Tomcat and mysql running as primary tomcat & database and the other server is having its replica only. So we are synching the Primary JamF Pro database to other one.

    Also attaching the high res diagram for you and others to check.

     



    thanks @sdagley for taking out time.


    @sana_nuevo Thanks for the clearer architecture diagram. It's been about 5 years since I've built a Jamf Pro on-prem cluster so the memories are fading but here's some more questions/comments:

    • I don't see any demarcation of DMZ and internal networks in that drawing. Are all of those servers internal and your load balancer is the passthrough for your firewall?
    • Your load balancer should only be fronting the child JSS nodes, and the primary JSS should only be accessible inside your network.
    • You're only showing a DP exposed to the external network. What's the DP for the internal network?
    • Do you have split DNS set up so your JSS URL resolves to the load balancer from external networks and to your primary JSS on the internal network?
    S
    Forum|alt.badge.img+3
    • sana_nuevo
    • Author
    • New Contributor
    • March 7, 2025

    Dear @sdagley you ae correct in sense that there is no DMZ all servers are on LAN and behind load balancer and load balancer is pass-through the traffic from cloudfare WAF.
    We have split DNS setup ( mdm.nuevo.com ) which resolve the load balancer IP for external clients and when we do nslookup from LAN it resolves the internal nodes ( both child and primary) IP through DNS Round Robin.

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • Answer
    • March 7, 2025

    Dear @sdagley you ae correct in sense that there is no DMZ all servers are on LAN and behind load balancer and load balancer is pass-through the traffic from cloudfare WAF.
    We have split DNS setup ( mdm.nuevo.com ) which resolve the load balancer IP for external clients and when we do nslookup from LAN it resolves the internal nodes ( both child and primary) IP through DNS Round Robin.


    @sana_nuevo I would not recommend that you have your child and primary nodes in a DNS Round Robin internally. Try having only your primary respond to mdm.nuevo.com internally and see if you're able to connect then.

    S
    Forum|alt.badge.img+3
    • sana_nuevo
    • Author
    • New Contributor
    • April 10, 2025

    @sana_nuevo I would not recommend that you have your child and primary nodes in a DNS Round Robin internally. Try having only your primary respond to mdm.nuevo.com internally and see if you're able to connect then.


    Thanks @sdagley finally I am able to get my setup up and running. But the challenge was with the network team they still are not able to offload ssl on load balancer, so I did install public trusted certificate on all three nodes ( one primary and two child nodes ) also I have I only my primary node responding to mdm.nuevo.com.

     

    sdagley
    Terms & ConditionsCookie settingsAccessibility statement