Posted on 03-01-2025 02:42 AM
Dear Jamf experts,
I need your support to get my on-prem Jamf Pro infrastructure correctly set up.
I have two Windows 2022 servers installed with the Tomcat web app
for Jamf Pro as child nodes (cluster) behind a load balancer, one server with Jamf Pro and the Jamf database as the primary server (Tomcat & MySQL), and one more Windows server which has the Jamf Pro database (MySQL). All three servers are in a cluster with memcached installed on Ubuntu. On the load balancer we have placed the child nodes behind it, and I have used a public trusted SSL certificate on the load balancer to offload encrypted traffic. I have used a publicly resolvable DNS name on the load balancer (like mdm.public.com) but I have used a different Jamf Pro URL in the Jamf Pro setting under Global Settings (like mdm.private.com), and used a Jamf Pro CA signed SSL certificate for the primary server with CN name mdm.private.com.
My issues are two.
1- I am not able to enroll any device, no matter whether I am on the public network or the private network.
2- I am not able to log in to the Jamf Pro console from the internet, as the error is "invalid Information Provided", though I know the username and password are correct.
Posted on 03-01-2025 07:15 AM
I highly recommend simplifying your setup first before layering on complexity. If MDM enrollment and authentication aren’t working, the issue is likely tied to server naming inconsistencies or certificate issues. MDM is extremely sensitive to server names and certificates, and if they aren’t right, nothing will function correctly.
Start simple, get it working, then scale up.
Posted on 03-02-2025 01:59 PM
@sana_nuevo Some thoughts that immediately come to mind from your post:
The image you posted for your environment configuration is too lo-res to be legible; please post something readable if you'd like others to review it.
Your statement "one Server with Jamf Pro and Jamf database as a primary server (Tomcat & MySQL ) and one more windows server which has Jamf Pro Database ( mySQL)" doesn't make sense, as you wouldn't have two separate MySQL servers (at least not when I used to run on-prem clusters).
To confirm, "offload encrypted traffic" means you're dropping encryption at the load balancer? That would be recommended. The public DNS for, and the SSL cert on, your load balancer should match your JSS URL (use a SAN entry in the cert for the actual load balancer name) and the JSS SSL certificate installed on all of your nodes.
Posted on 03-06-2025 05:35 AM
Dear @sdagley, in the statement I meant to say that the primary Jamf Pro server has both Tomcat and MySQL running as the primary Tomcat & database, and the other server only has its replica. So we are syncing the primary Jamf Pro database to the other one.
Also attaching the high-res diagram for you and others to check.
Thanks @sdagley for taking the time.
Posted on 03-06-2025 12:54 PM
@sana_nuevo Thanks for the clearer architecture diagram. It's been about 5 years since I've built a Jamf Pro on-prem cluster so the memories are fading, but here are some more questions/comments:
Posted on 03-06-2025 08:36 PM
Dear @sdagley, you are correct in the sense that there is no DMZ; all servers are on the LAN and behind the load balancer, and the load balancer is passing through the traffic from the Cloudflare WAF.
We have a split DNS setup (mdm.nuevo.com) which resolves to the load balancer IP for external clients, and when we do an nslookup from the LAN it resolves to the internal nodes' (both child and primary) IPs through DNS round robin.
Posted on 03-07-2025 05:22 AM
@sana_nuevo I would not recommend that you have your child and primary nodes in a DNS Round Robin internally. Try having only your primary respond to mdm.nuevo.com internally and see if you're able to connect then.
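The two checks raised in this thread, that the certificate presented by every node must cover the Jamf Pro URL hostname in its subjectAltName, and that the internal name should resolve to a single node rather than a round robin over primary and children, can be scripted. The following is an added example written for this thread, not code from Jamf or from any poster. The hostnames are taken from the thread, port 8443 is the Jamf Pro default, and the IP addresses and SAN lists are constructed to mirror the original and the corrected setup; `live_peer_sans` is a hypothetical helper for running the same check against real nodes.

```python
"""Audit a Jamf Pro cluster for the two failure modes discussed above:
certificate SANs that do not cover the JSS URL hostname, and an internal
DNS name that round-robins across several nodes. Standard library only."""
import socket
import ssl
from typing import Iterable
from urllib.parse import urlsplit

SanList = Iterable[tuple[str, str]]  # shape of getpeercert()["subjectAltName"]


def san_matches(san_entries: SanList, hostname: str) -> bool:
    """True if one DNS SAN entry covers hostname.
    A wildcard matches exactly one leftmost label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".nuevo.com"
            leftmost = host[:-len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
    return False


def audit(jss_url: str, resolved_addrs: list[str], node_sans: dict[str, SanList]) -> list[str]:
    """Return a list of findings (empty means the setup passes both checks)."""
    host = urlsplit(jss_url).hostname
    findings = []
    if len(resolved_addrs) > 1:
        findings.append(f"{host} resolves to {len(resolved_addrs)} addresses "
                        f"{resolved_addrs}; point it at the primary only")
    for node, sans in node_sans.items():
        if not san_matches(sans, host):
            names = [v for k, v in sans if k == "DNS"]
            findings.append(f"{node}: certificate SANs {names} do not cover {host}")
    return findings


def live_peer_sans(addr: str, port: int = 8443) -> SanList:
    """Hypothetical helper: fetch the SAN list a real node presents.
    check_hostname is off so a mismatched name is reported as a finding
    rather than an exception; the chain must still be trusted by this
    machine (a Jamf-CA-signed cert will raise SSLCertVerificationError,
    which is itself a finding for devices enrolling over the internet)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((addr, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=addr) as tls:
            return tls.getpeercert()["subjectAltName"]


# Constructed sample data: the setup described in the first post.
ORIGINAL_SETUP = audit(
    "https://mdm.private.com:8443",
    ["10.0.0.11", "10.0.0.12", "10.0.0.13"],          # round robin over all nodes
    {
        "load-balancer": (("DNS", "mdm.public.com"),),
        "primary":       (("DNS", "mdm.private.com"),),
        "child-1":       (("DNS", "mdm.private.com"),),
        "child-2":       (("DNS", "mdm.private.com"),),
    },
)

# Constructed sample data: the setup the thread ends with (public trusted
# cert on every node, only the primary answering internally).
FIXED_SETUP = audit(
    "https://mdm.nuevo.com:8443",
    ["10.0.0.11"],
    {
        "primary": (("DNS", "mdm.nuevo.com"), ("DNS", "lb.nuevo.com")),
        "child-1": (("DNS", "mdm.nuevo.com"), ("DNS", "lb.nuevo.com")),
        "child-2": (("DNS", "mdm.nuevo.com"), ("DNS", "lb.nuevo.com")),
    },
)

if __name__ == "__main__":
    for label, findings in (("original", ORIGINAL_SETUP), ("fixed", FIXED_SETUP)):
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

To use it against a real cluster, replace the constructed SAN lists with `live_peer_sans(ip)` for each node and the address list with `socket.gethostbyname_ex("mdm.nuevo.com")[2]` from a LAN host.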
Wednesday
Thanks @sdagley, finally I am able to get my setup up and running. But the challenge was with the network team: they are still not able to offload SSL on the load balancer, so I installed a public trusted certificate on all three nodes (one primary and two child nodes), and I have only my primary node responding to mdm.nuevo.com.