Implementing Cloud-enabled Management behind a load balancer
Last Updated March 19, 2015
CEM and load balancers:
Implementing Cloud-enabled Management (CEM) behind load balancers is not a supported configuration at this time.
For ITMS 7.6, please see HOWTO109667 "How to configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic?"
Questions regarding using Cloud-Enabled Management behind a load balancer:
It is worth mentioning that some customers have reported that they were able to configure this functionality by trial and error. However, as this is not a supported configuration with the current ITMS 7.1 or 7.5 SP1 versions, support is unable to assist with implementation.
Why won't the load balancer work with the Internet Gateway?
With regard to CEM, any load balancer would act as a certificate proxy, meaning that SSL traffic arriving at the CEM URL would first have to validate at the appliance using a signed machine certificate. The Gateway strictly uses a self-signed certificate, and all functionality is built between the agent at the endpoint and the gateway, so this would not work. Traffic needs to pass through, and the SSL handshake needs to be established at the gateway.
How do CEM gateways work?
The Internet Gateway serves SMA connections using the following process:
1. The SMA establishes a TCP connection to the Gateway.
2. The SMA and the Gateway exchange SSL handshake messages.
3. The Gateway sends a Client Certificate Request message and validates the received certificate chain.
4. If certificate validation succeeds, the Gateway opens a TCP connection to the backend Notification Server.
5. From this point the Gateway acts as a proxy (simply forwarding TCP packets between the SMA and the NS).
6. The SMA and the NS exchange SSL handshake messages inside the established SSL tunnel.
7. The NS also sends a Client Certificate Request message and validates the received certificate chain.
8. If certificate validation succeeds, the SMA is in a fully connected state and can send inventory, receive policies, etc.
This method encrypts TCP traffic twice.
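To make the gateway process above concrete, and to show why the certificate-proxy behaviour described under "Why won't the load balancer work with the Internet Gateway?" breaks it, here is an added Go example. It is not part of this article or of the ITMS product. It builds a constructed PKI in memory (a CA that issues the SMA certificate; self-signed gateway and NS certificates), runs a gateway and an NS as loopback listeners that each demand a client certificate, has the SMA perform the outer handshake to the gateway and the inner handshake to the NS through it, and finally opens the connection a TLS-terminating load balancer would open to the gateway without the SMA's certificate. The names mkCert, serveMTLS, exchange and Demo, the echo standing in for the NS protocol and the "inventory report" payload are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// mkCert issues a constructed test certificate for cn (IP SAN 127.0.0.1, server and client auth): self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// serveMTLS accepts loopback TLS connections, sends a Client Certificate Request, validates the chain against clientCA and runs handle only for connections that passed.
func serveMTLS(cert tls.Certificate, clientCA *x509.Certificate, handle func(*tls.Conn)) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(clientCA)})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) {
				defer c.Close()
				if c.Handshake() == nil { // a missing or untrusted client certificate ends the connection here
					handle(c)
				}
			}(c.(*tls.Conn))
		}
	}()
	return ln
}

// exchange writes msg and reads back a reply of the same length; on a tls.Conn the Write also drives the handshake.
func exchange(c net.Conn, msg string) (string, error) {
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	n, err := io.ReadFull(c, buf)
	return string(buf[:n]), err
}

// Demo builds the constructed PKI (one SMA CA; self-signed gateway and NS certificates), starts NS and gateway, drives the SMA's double handshake, then opens the gateway-facing leg a TLS-terminating load balancer would open.
func Demo() (echo string, smaErr, lbErr error) {
	_, ca, caKey := mkCert("sma-ca", true, nil, nil)
	sma, _, _ := mkCert("sma", false, ca, caKey)
	gwCert, gwRoot, _ := mkCert("gateway", false, nil, nil)
	nsCert, nsRoot, _ := mkCert("ns", false, nil, nil)
	ns := serveMTLS(nsCert, ca, func(c *tls.Conn) { io.Copy(c, c) }) // NS: its own certificate check is done in serveMTLS; then it simply echoes
	gw := serveMTLS(gwCert, ca, func(c *tls.Conn) { // gateway: reached only after the SMA certificate validated
		if be, err := net.Dial("tcp", ns.Addr().String()); err == nil {
			go func() { io.Copy(be, c); be.Close() }()
			io.Copy(c, be) // opaque TCP relay: the inner handshake passes through instead of terminating at the gateway
		}
	})
	defer func() { ns.Close(); gw.Close() }()
	// SMA: outer TLS session to the gateway, inner TLS session to the NS carried inside it, SMA certificate on both.
	outer, err := tls.Dial("tcp", gw.Addr().String(), &tls.Config{Certificates: []tls.Certificate{sma}, RootCAs: pool(gwRoot)})
	if err != nil {
		return "", err, nil
	}
	defer outer.Close()
	inner := tls.Client(outer, &tls.Config{Certificates: []tls.Certificate{sma}, RootCAs: pool(nsRoot), ServerName: "127.0.0.1"})
	echo, smaErr = exchange(inner, "inventory report") // constructed payload standing in for agent traffic
	// Load balancer leg: a TLS-terminating appliance re-encrypts to the gateway under its own identity and has no SMA certificate to answer the gateway's Client Certificate Request with.
	lb, err := tls.Dial("tcp", gw.Addr().String(), &tls.Config{RootCAs: pool(gwRoot)})
	if lbErr = err; lbErr == nil {
		defer lb.Close()
		_, lbErr = exchange(lb, "re-encrypted SMA traffic") // the gateway's refusal surfaces here as an error
	}
	return echo, smaErr, lbErr
}

func main() { fmt.Println(Demo()) }
```

Running it prints the NS's echo with a nil error for the direct path and a non-nil error for the load balancer leg: an appliance that terminated the SMA's session cannot answer the gateway's Client Certificate Request, so the gateway never opens a backend connection. A device that only passes TCP through without terminating TLS would be indistinguishable from the direct path here, which is the pass-through requirement the article states. With TLS 1.3 (Go's default) the client's handshake call returns before the server has checked the client certificate, so the rejection surfaces on the first read; that is why both legs go through exchange rather than checking the Dial error alone.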
Can we use a proxy between the agent and the gateway?
No, this is not currently supported with ITMS 7.5 and 7.5 SP1 releases.
Imported Document ID: HOWTO95238