Load Balancer questions

lehmanp00
Contributor III

We have 2 JSS servers that we plan on load balancing this summer. Both use their self-signed cert.

On the Load Balancer, do we need to install each JSS server's self-signed cert? Just one?

For DNS, I'm thinking we CNAME the JSS Master to the load balancer IP? Then the LB distributes traffic between the 2 JSS servers as needed?

6 REPLIES 6

blackholemac
Valued Contributor III

The Balancer should have it's own cert that covers the URL that clients/devices will see. (The official JSS URL for your cluster.)

lehmanp00
Contributor III

Both JSS's have individual self-signed certs that point to a the same CNAME. So can we have 3 different certs, that all point to the CNAME? Or if the LB takes on the CNAME does the certs on the JSS's not matter anymore?

blackholemac
Valued Contributor III

Th way we did it was to assign unique host names to all the backends (we did add a unique CNAME record to them but that was for our internal reference, not for function). We then pointed each to the database server and activated clustering in the JSS. Finally we assigned the official JSS URL to the balancer. We did assign unique cert to each but in theory you could terminate ssl at the load balancer.

Much more to it than that . I recommend the CJA class whole-heartedly.

lehmanp00
Contributor III

This is starting to make sense now! We are thinking of buying a 3rd-party cert, with our JSS URL on it, giving the LB that cert and name and then terminating SSL there. At that point the client comms with the JSS's should be HTTP and their certs shouldn't interfere.

blackholemac
Valued Contributor III

Your understanding is close...but not quite I think. Definitely the 3rd party cert is the way to go...to head off some other strange issues and because I recommend getting yourself a wildcard cert personally. It has helped me on my cluster. In the spirit of openness of my posting, I have had some say that you should generate public/private key pairs on each server. Hardened security would probably lean more toward that.

So where your understanding is not quite there I believe is that the clients/load balancer communicate with each over https/port 8443, the load balancer and the Tomcat backends do not necessarily need to communicate on 8443. You could do that and set up individual certs on each Tomcat backend and do all traffic over 8443, but you could also terminate ssl (8443) at the load balancer and have it communicate with the Tomcat backends on http/port 8080. That is between your infrastructure guys and security team which way to go.

I am going to give you a good diving off point on clustering
http://docs.jamf.com/9.98/casper-suite/jss-install-guide-windows/Clustering.html
or
http://docs.jamf.com/9.98/casper-suite/jss-install-guide-linux/Clustering.html

I'll be honest, I really hope you read thoroughly if not already as there are a lot of ways to get it wrong if not totally prepared for such a migration. About 1.5 years ago, I had ZERO knowledge of clustering/load balancing and got hit with traffic overload due to my lack of knowledge. I have since sat through the CJA and properly implemented (as best as I know how with my class knowledge and JAMF buddy's overlooking) a 5 member cluster and love sharing our story if interested. I'm hoping to share it at JNUC this year as the whole experience was eye opening and a true learning experience. Anyway, feel free to post your deliberations and whatnot as there I know there are folks here who have done this migration as well as myself.

gmorgan
New Contributor III

I have a question as I am about to also be thrown to the wolves with little/no understanding of the underpinnings of the jssweb cluster and load balancing.  You mentioned "CJA".  What is that and is it easy to get access to?