JSS Behind Load Balancer

nixonc85
New Contributor III

Hi All, has anyone implemented two or more JSS servers behind an HTTP/S load balancer?

I have two JSS servers behind an F5 VIP and clients connect through the load balancer using HTTPS SSL certs. The issue that I am seeing is that Casper is picking up the IP of the load balancer and not the client in the inventory.

After some initial investigation I think I need the load balancer to provide an X-Forwarded-For header, the challenge here being that the HTTPS traffic would need to be decrypted to make this happen. The options I have are to terminate the SSL connection on the VIP and forward plain HTTP to the JSS servers, or to decrypt and re-encrypt the connection to provide an end-to-end SSL connection, which I imagine would require the VIP to have both the public and private keys for the JSS servers.

Has anyone attempted this and can share how they implemented it?

8 REPLIES

mm2270
Legendary Contributor III

Yes, you need the X-Forwarded option for the clients to report the correct IP address. I would contact your JAMF rep regarding the specific issue/question you have. They have a team there that has done the load balancer set up so many times they can do it in their sleep, and will likely be able to help you figure out the best setup.

dkucmierz
Contributor

If you're on a 172 internal network, you need to change some settings in the Tomcat config to forward the IP correctly.

freddie_cox
Contributor III

All we needed to do was configure the Remote IP Valve at the following:

Settings --> General Settings --> Server Configuration Tab --> TomCat Config Tab

Once this is configured they will report the correct IP address.

However, I will second contacting your account rep. for any clustering config questions/problems. They have been great.

Lotusshaney
Contributor II

I'm having the same problem.

I have checked the HTTP header and X-Forwarded-For is in the header with the correct IP address for the client, yet it still shows up in the JSS with the computer's IP set to that of the load balancer.

Lotusshaney
Contributor II

I got the following advice from JAMF and it worked first time :)

http://blog.designed79.co.uk/?p=1276

I'm using the Load Balancer to do the SSL and I'm sending HTTP to the JSS clusters on port 9006.

nixonc85
New Contributor III

> I'm using the Load Balancer to do the SSL and I'm sending HTTP to the JSS clusters on port 9006.

What about if you terminate SSL on the JSS, did you try this? I'm not sure our security team will be happy if the traffic between load balancer and JSS is plain HTTP as it can still be intercepted.

rockpapergoat
Contributor III

Set up firewall rules on the JSS to only accept traffic on port 9006 from the load balancer, and there should be no problem, eh?
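To make the Remote IP Valve behaviour that freddie_cox points at concrete, and to show why a header can be present (as in Lotusshaney's check) yet still ignored, and why rockpapergoat's firewall rule matters, here is the client-address resolution rule written out in Python. This is an added example, not code from the thread, from JAMF, or from Tomcat; it only mirrors the logic Tomcat's RemoteIpValve applies with its remoteIpHeader and internalProxies attributes. The trusted-proxy addresses (10.0.0.5 as the F5's address facing the JSS, 172.16.0.0/12 as an internal proxy range) and all client addresses are constructed for the example and are not addresses from the thread.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

# Constructed for this example: the addresses the JSS should treat as proxies
# it trusts. These are hypothetical, not addresses from the thread; they play
# the role of RemoteIpValve's internalProxies setting. Whatever is not in this
# list (including a "172" range, if the valve's setting does not cover it) is
# treated as a client, so the address recorded would then be the proxy's own.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),    # hypothetical F5 self-IP facing the JSS
    ipaddress.ip_network("172.16.0.0/12"),  # hypothetical internal proxy range
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(addr: str) -> Optional[IPAddress]:
    """Return the parsed address, or None if the string is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(peer_addr: str, headers: Dict[str, str],
                      trusted: Iterable = TRUSTED_PROXIES,
                      header: str = "X-Forwarded-For") -> str:
    """Pick the address to record as the client for one HTTP request.

    peer_addr is the TCP peer the JSS accepted the connection from and
    headers are the request headers. The rule (the same one RemoteIpValve
    applies with remoteIpHeader/internalProxies):
      1. If the peer is not a trusted proxy, ignore the header entirely:
         a host talking to the JSS directly can put anything in it.
      2. Otherwise walk the header right to left, skipping trusted hops;
         the first untrusted hop is the real client.
      3. If there is no usable hop, fall back to the peer address, which
         is the load balancer's address the thread is seeing.
    """
    if not _is_trusted(peer_addr, trusted):
        return peer_addr

    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xff = lowered.get(header.lower())
    if not xff:
        return peer_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # a proxy we know about; keep walking toward the client
        # First untrusted hop. Only accept it if it parses as an address so
        # that junk in the header never lands in the inventory record.
        return hop if _parse_ip(hop) is not None else peer_addr
    return peer_addr


def demo() -> Dict[str, str]:
    """Run the scenarios a JSS behind a load balancer meets.
    All addresses are constructed (RFC 5737 documentation ranges)."""
    lb = "10.0.0.5"
    return {
        # No header honoured: the load balancer's address is recorded.
        "no_header": resolve_client_ip(lb, {}),
        # Load balancer inserts the header: the client's address comes through.
        "via_lb": resolve_client_ip(lb, {"X-Forwarded-For": "203.0.113.7"}),
        # Client -> internal proxy -> F5: trusted hops are skipped right to left.
        "two_proxies": resolve_client_ip(lb, {"X-Forwarded-For": "203.0.113.7, 172.16.4.9"}),
        # Client sent its own bogus X-Forwarded-For and the F5 appended the real one.
        "client_prefixed": resolve_client_ip(lb, {"x-forwarded-for": "198.51.100.4, 203.0.113.7"}),
        # Someone reached port 9006 directly, bypassing the load balancer:
        # the header is untrusted and the peer address is kept.
        "direct_spoof": resolve_client_ip("203.0.113.9", {"X-Forwarded-For": "198.51.100.4"}),
        # Garbage in the header never reaches the inventory record.
        "garbage": resolve_client_ip(lb, {"X-Forwarded-For": "not-an-ip"}),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:16s} -> {ip}")
```

Two things follow from the rule. First, the header alone is not enough: the valve must also regard the load balancer's address as a trusted proxy, otherwise step 1 drops the header and the load balancer's address is recorded even though the header is present and correct. Second, whether the load balancer terminates SSL and sends plain HTTP on 9006 or re-encrypts towards the JSS, the JSS's TCP peer is still the load balancer, so the resolution logic is unchanged; what the firewall rule adds is that nobody can reach 9006 except the load balancer, so the "direct_spoof" case never occurs and the plain-HTTP leg is not reachable from the client network.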

jhbush
Valued Contributor II

I can also confirm that you need to have the X-Forwarded-For option set for HTTP and SSL under Service Groups with the client IP box checked if you are using a NetScaler 5. Port groups we used are 8080 and 8443.