Load Balancing ADCS

k3vmo
Contributor II

I suspect many of you in an enterprise environment are required to run N+1 like I am.   I've yet to find anything specific indicating whether you can run the ADCS connector and do load balancing via DNS.  Does anyone have a setup for two (or more) ADCS Connectors?


bradtchapman
Valued Contributor II

Are you required to run with an extra server for load balancing, or to support actual 24/7 seamless failover?  Would you prefer not to use hot/cold spares if you had to be awakened at 3:00 AM by a server alarm?

In short, you should be able to do this.  The LB would need to pass the SSL/TLS traffic unimpeded, and the target nodes behind the LB would both have to present the same server certificate in order to masquerade as "adcs-jamf-proxy.pretendco.com".

Timing is critical.  As we're discovering in our ADCS implementation, Jamf allows up to 15 minutes for the certificate request to die.  Using Wireshark on the ADCS Proxy server, I monitored the traffic between Jamf, the proxy, and the ADCS PKI servers for an hour while attempting different requests.  After the first attempt is sent, Jamf tries every 120 seconds to pull a cert... until 15 minutes have elapsed.  It's a short burst of DCOM requests on random high-numbered ports — this all happens behind the LB, between your proxy and PKI infrastructure.  

Therefore, your load balancer must keep the client connection open at least that long to permit the PKI / ADCS servers enough time to send a certificate (or reject the request).

Having said all that... the actual request time is only a couple of seconds for ADCS.  There's no need for load balancing unless you've stress tested it and found that one server is inadequate.

 

@bradtchapman Any suggestions on how I can try different requests?  Using multiple systems isn't an option at the moment.  Are you talking about scoping and removing the same system?   What if I don't have access to remove the issued certificate from the CA?  There's another team that manages it.  Can I do something other than scope a profile?  Grateful!

k3vmo
Contributor II

@bradtchapman  It's a healthcare org, so R2 is required.  I'd prefer not to have to manage a second, but ... 

If I leave the primary as the active host from the F5 and only configure to failover in the event the primary isn't available - would I need anything else fancy short of ensuring the SSL traffic is passed properly?

bradtchapman
Valued Contributor II

Yep.  Just make sure the F5 is passing traffic transparently; no termination / decryption.
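The two things the replies above ask for from the F5 (both nodes presenting the same certificate with TLS passed through untouched, and an idle timeout long enough to outlast Jamf's 15-minute retry window) can be checked from any host that can reach the VIP and the individual nodes. The script below is an added example and is not code from this thread or from Jamf; the node hostnames adcs-proxy-01/02.pretendco.com are assumptions, and adcs-jamf-proxy.pretendco.com is the placeholder name used in the thread. It compares the leaf-certificate fingerprint seen through the VIP with the one each node presents directly, and holds a silent TCP connection open through the VIP to see whether anything in the path tears it down before the 15 minutes are up. The local stand-in listener exists only so the checks can be exercised offline; it mimics an LB that either keeps an idle flow or expires it.

```python
"""Sanity checks for ADCS Connector nodes behind a TLS-passthrough VIP.

Added example, not code from the thread or from Jamf. The hostnames in the
__main__ block are assumptions; adcs-jamf-proxy.pretendco.com is the
placeholder name used in the thread.
"""
import hashlib
import socket
import ssl
import threading
import time


def leaf_fingerprint(host, port=443, sni="", timeout=5.0):
    """SHA-256 fingerprint of the leaf certificate presented at host:port.

    Verification is deliberately off: the question is which certificate is
    presented (through the VIP and by each node directly), not whether it
    chains to a trusted root. SNI is sent so the answer matches what a
    client asking for the VIP name would see.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def passthrough_mismatches(fingerprints):
    """Return the names whose fingerprint differs from the first entry.

    fingerprints is {name: sha256hex}. An empty result means the VIP and
    every node present the same certificate, which is what a transparent
    (non-terminating) LB in front of identically configured nodes yields.
    A VIP entry that differs from the nodes means the LB is terminating TLS.
    """
    items = list(fingerprints.items())
    if not items:
        return []
    reference = items[0][1]
    return [name for name, fp in items[1:] if fp != reference]


def idle_connection_survives(host, port, idle_seconds, probe_timeout=2.0):
    """Open a TCP connection, stay silent for idle_seconds, then probe.

    True  : nothing arrived and nobody hung up, the flow is still open.
    False : the peer (or an LB in between) closed or reset the idle flow.
    A request to the connector sits idle like this while the proxy waits on
    the CA, so idle_seconds should exceed Jamf's 15-minute retry window.
    """
    with socket.create_connection((host, port), timeout=probe_timeout) as sock:
        time.sleep(idle_seconds)
        sock.settimeout(probe_timeout)
        try:
            data = sock.recv(1)
        except socket.timeout:
            return True               # still open, just quiet
        except OSError:
            return False              # reset by peer or by the LB
        return data != b""            # b"" is an orderly FIN from the peer


def local_stand_in(hold_seconds):
    """Constructed stand-in for an LB, for offline demonstration only.

    Accepts one connection on 127.0.0.1 and holds it silently for
    hold_seconds (a long idle timeout) or closes it at once when
    hold_seconds is 0 (an LB that expires idle flows). Returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            time.sleep(hold_seconds)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    vip = "adcs-jamf-proxy.pretendco.com"            # name from the thread
    nodes = ["adcs-proxy-01.pretendco.com",           # assumed node names
             "adcs-proxy-02.pretendco.com"]
    seen = {vip: leaf_fingerprint(vip)}
    for node in nodes:
        seen[node] = leaf_fingerprint(node, sni=vip)
    bad = passthrough_mismatches(seen)
    print("certificate mismatches:", bad or "none (passthrough looks right)")
    # 16 minutes of silence: one minute of margin over Jamf's 15-minute window.
    ok = idle_connection_survives(vip, 443, idle_seconds=16 * 60)
    print("idle flow survived 16 min through the VIP:", ok)
```

Run it from a box that can reach both the VIP and the nodes by name; if a node's fingerprint differs from the VIP's, the F5 is terminating TLS (or the nodes have different certificates), and if the idle probe returns False the F5's TCP profile idle timeout (or something on the nodes) is shorter than the request lifetime and needs raising above 900 seconds.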


bradtchapman
Valued Contributor II

I am not Jamf Support or an application integrator.  This is a community forum with people who share their knowledge and expertise without any warranty, express or implied.  If you require mission critical information to deploy this correctly, contact Jamf and engage Professional Services.