We've recently gone from a few hundred to a few thousand devices, so we've needed to set up a clustered JSS that sits behind a load balancer. The load balancer is a 14.04 Ubuntu VM running pound, handles SSL decryption and has a few tomcat servers as backends on 9006.
That's all working great. The only issue I have is that now MDM / APN don't work. I've seen tons of advice on how MDM won't work behind a proxy, how it has to be set to go straight-through to 18.104.22.168/8, etc. I'd be happy to do whatever I need to do, I just don't know what that would be.
Does anyone have experience getting this to work?
I'm going to post my own solution here. I missed an easy step initially and wasted a few hours, but in case anyone else ever has a question about it, here's my /etc/pound/pound.cfg that passes traffic without blocking APNS.
Lesson learned: if you don't include `xHTTP 1` in the ListenHTTPS config, MDM/APNS fails.

    ListenHTTPS
        Address testdev.company.edu
        Address employee.company.edu
        Address student.company.edu
        Port 8443
        # strip any client-supplied X-Forwarded-For so backends only see the value Pound adds
        HeadRemove "X-Forwarded-For"
        Cert "/etc/pound/testdev.pem"
        Cert "/etc/pound/employee.pem"
        Cert "/etc/pound/student.pem"
        # xHTTP 1 allows extended methods (PUT/DELETE); MDM check-in uses PUT
        xHTTP 1
        Service
            BackEnd
                Address 10.225.1.54
                Port 9006
            End
            BackEnd
                Address 10.225.1.55
                Port 9006
            End
            BackEnd
                Address 10.225.1.56
                Port 9006
            End
            # stick a client to one Tomcat node by its JSESSIONID cookie
            Session
                Type Cookie
                ID "JSESSIONID"
                TTL 300
            End
        End
    End
Although it is just over a year after you posted this, thank you for doing so! I would like to add a few additional notes for some of the latest changes involving Apple's App Transport Service (ATS) as well, as it was further hanging up our iOS portion of the environment.
As of now, 02AUG2016, the version of Pound hosted in the Ubuntu repositories is not the latest version. As such it does not support the latest ciphers required by ATS. We ended up having to download the source for Pound 2.7, compiling it, creating a new ECDH key during compilation, and installing it. Finally, we had to add the ciphers and SSL disable lines to our pound.cfg file. After that, everything works great for iOS and OS X.
    ListenHTTP
        Address x.x.x.x
        Port 80
        # the posted config had "X-Forward-For", which is not the header clients actually send
        HeadRemove "X-Forwarded-For"
        Service
            # plain HTTP only redirects to the TLS listener
            Redirect "https://server.domain.com:8443"
        End
    End

    ListenHTTPS
        Address x.x.x.x
        Port 8443
        HeadRemove "X-Forwarded-For"
        Cert "/etc/pound/certificate.pem"
        ## xHTTP 1 is required for APNS
        xHTTP 1
        ## Disable SSLv3 and SSLv2 lines are required to block SSL ciphers while allowing TLS ciphers
        Disable SSLv3
        Disable SSLv2
        ## Ciphers are required to be defined per the Apple ATS standard. Without them ATS will not work.
        Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
        ## Backend services defined here
        Service
            BackEnd
                Address x.x.x.x
                Port 8080
            End
            BackEnd
                Address x.x.x.x
                Port 8080
            End
            BackEnd
                Address x.x.x.x
                Port 8080
            End
            Session
                Type IP
                TTL 1000
            End
        End
    End
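The two configs above encode three requirements that are easy to get wrong silently: `xHTTP 1` (with `xHTTP 0` Pound only accepts GET/POST/HEAD, and the MDM check-in is a PUT), `Disable SSLv2`/`Disable SSLv3`, and a `Ciphers` string whose first preference is an ECDHE AES-GCM suite that ATS accepts. The script below is an added example, not code from either poster or from Pound; it lints a pound.cfg offline for those three points and expands the cipher string through the local OpenSSL so you can see what is actually enabled. The sample config embedded in it is constructed from the posted ones with placeholder addresses, and the `ATS_SUITES` list is my reading of Apple's ATS requirements (ECDHE with AES-GCM), so check it against Apple's current documentation. It also flags 3DES/RC4 suites left enabled for non-Apple clients, which the posted list still allows via `DES-CBC3-SHA`.

```python
"""Lint a Pound ListenHTTPS block for the MDM/APNS and ATS requirements.

Added example for this thread; not part of Pound or the posted configs.
"""
import socket
import ssl

# Constructed sample modelled on the posted pound.cfg (addresses are placeholders).
SAMPLE_CFG = """\
ListenHTTPS
    Address x.x.x.x
    Port 8443
    HeadRemove "X-Forwarded-For"
    Cert "/etc/pound/certificate.pem"
    xHTTP 1          # PUT/DELETE allowed: MDM check-in is a PUT
    Disable SSLv3
    Disable SSLv2
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    Service
        BackEnd
            Address x.x.x.x
            Port 8080
        End
        Session
            Type IP
            TTL 1000
        End
    End
End
"""

# Assumption: forward-secret AES-GCM suites from Apple's ATS list, in OpenSSL naming.
ATS_SUITES = (
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
)
WEAK_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP")
BLOCK_OPENERS = ("Service", "BackEnd", "Session", "Emergency")


def listener_directives(cfg: str) -> dict:
    """Collect the listener-level directives of the first ListenHTTPS block."""
    out = {"Disable": set()}
    depth = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()   # pound.cfg comments start with '#'
        if not line:
            continue
        if depth is None:
            if line == "ListenHTTPS":
                depth = 1
            continue
        if line == "End":
            depth -= 1
            if depth == 0:
                break
            continue
        if line in BLOCK_OPENERS:
            depth += 1
            continue
        if depth == 1:
            key, _, val = line.partition(" ")
            val = val.strip().strip('"')
            if key == "Disable":
                out["Disable"].add(val)
            else:
                out[key] = val
    return out


def expand_ciphers(spec: str) -> list:
    """Resolve an OpenSSL cipher string to the TLS 1.2-and-below suites it enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def check_listener(cfg: str) -> list:
    """Return a list of findings; an empty list means the listener passes all checks."""
    d = listener_directives(cfg)
    findings = []
    try:
        xhttp = int(d.get("xHTTP", "0"))
    except ValueError:
        xhttp = 0
    if xhttp < 1:
        findings.append("xHTTP must be at least 1: xHTTP 0 accepts only GET/POST/HEAD and MDM check-in uses PUT")
    for proto in ("SSLv2", "SSLv3"):
        if proto not in d["Disable"]:
            findings.append(f"missing 'Disable {proto}'")
    spec = d.get("Ciphers")
    if not spec:
        findings.append("no Ciphers line: ATS clients will not negotiate a suite they accept")
        return findings
    try:
        enabled = expand_ciphers(spec)
    except ssl.SSLError:
        findings.append("Ciphers string matches no suite known to this OpenSSL")
        return findings
    ats = [c for c in enabled if c in ATS_SUITES]
    if not ats:
        findings.append("no ATS-acceptable ECDHE AES-GCM suite is enabled")
    elif enabled[0] != ats[0]:
        findings.append(f"preference order puts {enabled[0]} before the ECDHE AES-GCM suites")
    weak = [c for c in enabled if any(m in c for m in WEAK_MARKERS)]
    if weak:
        findings.append("weak suites still enabled for non-Apple clients: " + ", ".join(weak))
    return findings


def negotiated_suite(host: str, port: int = 8443) -> tuple:
    """Live check: return (protocol version, cipher name) the listener negotiates with this client."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for finding in check_listener(SAMPLE_CFG) or ["listener config looks fine"]:
        print(finding)
```

Run `check_listener` over your real pound.cfg before restarting Pound, then `negotiated_suite("server.domain.com")` from a host with a current OpenSSL to confirm the first ECDHE AES-GCM suite is what actually gets picked.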