How to configure MDM / APN behind load balancer (pound)

chlaird
Contributor

We've recently gone from a few hundred to a few thousand devices, so we've needed to set up a clustered JSS that sits behind a load balancer. The load balancer is a 14.04 Ubuntu VM running pound, handles SSL decryption and has a few tomcat servers as backends on 9006.

That's all working great. The only issue I have is that now MDM / APN don't work. I've seen tons of advice on how MDM won't work behind a proxy, how it has to be set to go straight-through to 17.0.0.0/8, etc. I'd be happy to do whatever I need to do, I just don't know what that would be.

Does anyone have experience getting this to work?

2 REPLIES

chlaird
Contributor

I'm going to post my own solution here. I missed an easy step initially and wasted a few hours, but in case anyone else ever has a question about it... here's my /etc/pound/pound.cfg that passes traffic without blocking APNS.
Lesson learned: if you don't include "xHTTP 1" in the ListenHTTPS config, MDM/APNS fails.

ListenHTTPS
    Address testdev.company.edu
    Address employee.company.edu
    Address student.company.edu
    Port 8443
    HeadRemove "X-Forwarded-For"
    Cert "/etc/pound/testdev.pem"
    Cert "/etc/pound/employee.pem"
    Cert "/etc/pound/student.pem"
    # Without xHTTP 1 pound only accepts GET/POST/HEAD and MDM's PUT requests are refused
    xHTTP 1
    Service
        BackEnd
            Address 10.225.1.54
            Port 9006
        End
        BackEnd
            Address 10.225.1.55
            Port 9006
        End
        BackEnd
            Address 10.225.1.56
            Port 9006
        End
        Session
            Type Cookie
            ID "JSESSIONID"
            TTL 300
        End
    End
End

rhuss
New Contributor

Chris,

Although it is just over a year after you posted this, thank you for doing so! I would like to add a few additional notes for some of the latest changes involving Apple's App Transport Service (ATS) as well, as it was further hanging up our iOS portion of the environment.

As of now, 02AUG2016, the version of Pound hosted in the Ubuntu repositories is not the latest version. As such it does not support the latest ciphers required by ATS. We ended up having to download the source for Pound 2.7, compiling it, creating a new ECDH key during compilation, and installing it. Finally, we had to add the ciphers and SSL disable lines to our pound.cfg file. After that, everything works great for iOS and OS X.

ListenHTTP
    Address x.x.x.x
    Port    80
    HeadRemove "X-Forwarded-For"
    Service
        Redirect    "https://server.domain.com:8443"
    End
End

ListenHTTPS
    Address x.x.x.x
    Port    8443
    ## Strip the client-supplied header; pound appends its own X-Forwarded-For.
    ## (As posted this read "X-Forward-For", which matches no real header.)
    HeadRemove "X-Forwarded-For"
    Cert "/etc/pound/certificate.pem"

    ## xHTTP 1 is required for APNS: pound's default of 0 accepts only
    ## GET/POST/HEAD, and MDM check-in uses PUT
    xHTTP 1

    ## Disable SSLv3 and SSLv2 lines are required to block SSL ciphers while allowing TLS ciphers
    Disable SSLv3
    Disable SSLv2

    ## Ciphers are required to be defined per the Apple ATS standard. Without them ATS will not work.
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

    ## Backend services defined here
    Service
        BackEnd
            Address x.x.x.x
            Port    8080
        End
        BackEnd
            Address x.x.x.x
            Port    8080
        End
        BackEnd
            Address x.x.x.x
            Port    8080
        End
        Session
            Type IP
            TTL 1000
        End
    End
End
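As an added example (not code from either poster), here is a small Python linter that parses pound's block syntax and checks every ListenHTTPS block for the settings the two posts above converged on: xHTTP 1 (pound's default of 0 admits only GET/POST/HEAD, while MDM check-in uses PUT), SSLv2 and SSLv3 disabled, a cipher list that offers ECDHE AES-GCM suites and excludes aNULL/RC4/MD5, and a HeadRemove for the client-supplied X-Forwarded-For. The two embedded configs, their addresses and the cert path are constructed, and the cipher checks are this example's reading of the thread rather than Apple's ATS requirements document.

```python
"""Offline linter for pound.cfg: parse pound's block syntax, then flag the
settings this thread found necessary for MDM/APNS and ATS clients.
Added example; the embedded configs are constructed, not the posters' own."""
import shlex

BLOCKS = {"listenhttp", "listenhttps", "service", "backend", "session", "emergency"}


def parse_pound(text):
    """Parse pound's 'Keyword args ... End' syntax into a nested block tree."""
    root = {"name": "ROOT", "args": [], "directives": [], "children": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # keeps quoted values whole
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name.lower() == "end":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: End without an open block")
            stack.pop()
        elif name.lower() in BLOCKS:
            block = {"name": name, "args": args, "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        else:
            stack[-1]["directives"].append((name, args))
    if len(stack) != 1:
        raise ValueError(f"unterminated block: {stack[-1]['name']}")
    return root


def values(block, directive):
    return [a for n, a in block["directives"] if n.lower() == directive.lower()]


def lint_listener(block):
    """Findings for one ListenHTTPS block; an empty list means it passes."""
    findings = []
    # pound's default xHTTP 0 accepts only GET/POST/HEAD; MDM check-in and
    # command replies are PUT, so they are refused until xHTTP is >= 1.
    xhttp = values(block, "xHTTP")
    if not xhttp or int(xhttp[0][0]) < 1:
        findings.append("xHTTP missing or 0: PUT is refused, MDM check-in fails")
    disabled = {a[0].upper() for a in values(block, "Disable") if a}
    for proto in ("SSLv2", "SSLv3"):
        if proto.upper() not in disabled:
            findings.append(f"{proto} not disabled")
    ciphers = values(block, "Ciphers")
    if not ciphers:
        findings.append("no Ciphers line: OpenSSL's default list is offered")
    else:
        suites = ciphers[0][0].split(":")
        if not any(s.startswith("ECDHE-") and "GCM" in s for s in suites):
            findings.append("no ECDHE AES-GCM suite (ATS forward-secrecy requirement)")
        for weak in ("aNULL", "RC4", "MD5"):
            if f"!{weak}" not in suites:
                findings.append(f"{weak} not excluded from Ciphers")
    # pound appends its own X-Forwarded-For; dropping the client's copy stops
    # a caller from spoofing the source address the backend logs.
    if not any(a and a[0] == "X-Forwarded-For" for a in values(block, "HeadRemove")):
        findings.append("client-supplied X-Forwarded-For is not removed")
    return findings


def lint_config(text):
    """Map each ListenHTTPS block (keyed by its first Address) to its findings."""
    report = {}
    for block in parse_pound(text)["children"]:
        if block["name"].lower() == "listenhttps":
            addr = values(block, "Address")
            report[addr[0][0] if addr else "?"] = lint_listener(block)
    return report


# Constructed: the shape of the first post's pre-fix listener.
BROKEN_CFG = """
ListenHTTPS
    Address 192.0.2.10
    Port 8443
    Cert "/etc/pound/example.pem"
End
"""

# Constructed: the same listener with the thread's fixes applied.
FIXED_CFG = """
ListenHTTPS
    Address 192.0.2.10
    Port 8443
    HeadRemove "X-Forwarded-For"
    Cert "/etc/pound/example.pem"
    xHTTP 1      # allow PUT for MDM check-in
    Disable SSLv3
    Disable SSLv2
    Ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!MD5"
    Service
        BackEnd
            Address 10.0.0.5
            Port 9006
        End
    End
End
"""
```

Run `lint_config()` over the real /etc/pound/pound.cfg before a restart; the broken sample yields five findings (xHTTP, both SSL versions, no Ciphers, X-Forwarded-For), the fixed one none. The linter only reads the file, so it says nothing about what the running pound binary's OpenSSL actually negotiates; for that, the thread's point about needing Pound 2.7 with a fresh ECDH key still applies.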