VMware Identity Manager (vIDM) Cluster with HAProxy


I am trying to get HAProxy configured to balance client connections between my 3 vIDM nodes.

I am using vIDM version 3.3.5 and HAProxy version 2.4.9-1ppa1~bionic.

Has anyone managed to get this working with previously? If you have, could you offer any advice/config snippets?

Failing that, the VMware vIDM LB documentation offers the following ‘settings to configure’:

X-Forwarded-For Headers

You must enable X-Forwarded-For headers on your load balancer. VMware Identity Manager identifies the source IP address in the X-Forwarded-For headers and determines which authentication method to use based on the source IP address. See the documentation provided by your load balancer vendor for more information.

Load Balancer Timeout

For VMware Identity Manager to function correctly, you might need to increase the load balancer request timeout from the default. The value is set in minutes. If the timeout setting is too low, you might see this error, “502 error: The service is unavailable”.

Enable Sticky Sessions

You must enable the sticky session setting on the load balancer if your deployment has multiple VMware Identity Manager machines. The load balancer binds a user’s session to a specific instance.

WebSocket support

The load balancer must have WebSocket support to enable secure communication channels between connectors and the VMware Identity Manager nodes.

Ciphers with forward secrecy

Apple iOS App Transport Security requirements apply to the Workspace ONE app on iOS. To enable users to use the Workspace ONE app on iOS, the load balancer must have ciphers with forward secrecy. The following ciphers meet this requirement:


I can see that X-Forwarded-For Headers and Sticky Sessions are supported and I assume Load Balancer Timeout will be too; but does HAProxy support WebSockets? I am not planning on using any Apple iOS devices; so support for Forward Secrecy is moot.

Many Thanks