@kerouak Here's where the Jamf CJA/350 would be a handy course to still have available. There's no one size fits all answer, but here's a few suggestions I'll toss out:
If you have 3 JSS hosts I'd use one for a management console, and put the other two behind the load balancer for client connections (and how do you have your 3 JSS' configured currently)
Terminate SSL at the load balancer - better performance unless you have some requirement that inter-server traffic is encrypted
You need some persistence as the connection between client Macs and the JSS will be open for few seconds on a regular checkin, and longer when there's a policy being executed.
Hopefully your existing JSS isn't using a self-signed Tomcat cert, and your JSS URL is something like https://jss.orgname.edu:8443/ as if it's https://someservername/orgname.edu:8443/ you're going to have loads of fun re-enrolling your machines with your new Jamf Pro configuration.
