I am trying to get HAProxy configured to balance client connections between my 3 vIDM nodes.
I am using vIDM version 3.3.5 and HAProxy version 2.4.9-1ppa1~bionic.
Has anyone managed to get this working with previously? If you have, could you offer any advice/config snippets?
Failing that, the VMware vIDM LB documentation offers the following ‘settings to configure’:
You must enable X-Forwarded-For headers on your load balancer. VMware Identity Manager identifies the source IP address in the X-Forwarded-For headers and determines which authentication method to use based on the source IP address. See the documentation provided by your load balancer vendor for more information.
Load Balancer Timeout
For VMware Identity Manager to function correctly, you might need to increase the load balancer request timeout from the default. The value is set in minutes. If the timeout setting is too low, you might see this error, “502 error: The service is unavailable”.
Enable Sticky Sessions
You must enable the sticky session setting on the load balancer if your deployment has multiple VMware Identity Manager machines. The load balancer binds a user’s session to a specific instance.
The load balancer must have WebSocket support to enable secure communication channels between connectors and the VMware Identity Manager nodes.
Ciphers with forward secrecy
Apple iOS App Transport Security requirements apply to the Workspace ONE app on iOS. To enable users to use the Workspace ONE app on iOS, the load balancer must have ciphers with forward secrecy. The following ciphers meet this requirement:
ECDHE_ECDSA_AES and ECDHE_RSA_AES in GCM or CBC mode
I can see that X-Forwarded-For Headers and Sticky Sessions are supported and I assume Load Balancer Timeout will be too; but does HAProxy support WebSockets? I am not planning on using any Apple iOS devices; so support for Forward Secrecy is moot.