I am wondering if the load balancer would need additional certificates? I was thinking that the certificates in the agent would be sufficient as it was agent-to-agent communication.
Has anyone had experience where additional security certificates were needed for agent communication?
And the answer is, no special configuration is needed for the IFRs behind a load balancer.
I worked with a client to successfully implement two IFRs behind an F5 load balancer with an Internet URL on the load balancer. Connections to the load balancer on ports 1610 and 1611 were forwarded to the IFRs. The IFRs relayed the communication to the Master with no issues.
As for certificates, no additional certificates were necessary. Agent to agent communications worked perfectly.
The attached BMC / Numara document was extremely helpful.
Unfortunately, placing the Internet Facing Relays (IFRs) behind a load balancer causes communication problems, as I found out the hard way. BMC Support explained it this way:
“A dynamic load balancer between the public internet and multiple DMZ relays is not recommended.
Essentially, this will cause child devices to have a parent that is effectively dynamic and can change on each new network session. This will cause the parent recorded in the database to change frequently or, worse, the change may not be detected. Either way this will lead to a loss of reliable communication with any device that is a direct or indirect child of the load balanced DMZ relays.
This is discussed indirectly in our High Availability Document here with regards to ensuring that only one service in an HA system is running at any time:”
From my experience I strongly recommend that you do not implement IFRs behind a load balancer. Unfortunately, I do not have an alternative approach to create a high availability IFR configuration.
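The mechanism BMC Support describes in the reply above, and the contrast with the F5 deployment reported earlier in the thread, can be made concrete with a small model. This is an added example, not code from the thread, from BMC or from F5: it records each child device's parent relay the first time it checks in (as the master does), then replays a constructed session log through two hypothetical balancers, one that picks a relay per session and one that pins each source address to the relay it first used, and reports the devices whose real relay no longer matches the recorded parent. The relay names, device addresses and session log are constructed; the sticky mode only shows what would have to hold for the recorded parent to stay accurate, and the thread does not establish that any balancer setting makes this a supported configuration.

```python
"""Model of relay-parent drift behind a load balancer (added example, not BMC code)."""
from collections import defaultdict
from itertools import cycle

# Assumed names for the two DMZ relays sitting behind the balancer.
RELAYS = ["ifr-dmz-1", "ifr-dmz-2"]


class RoundRobinBalancer:
    """Picks the next relay for every new session, regardless of who connects."""

    def __init__(self, relays):
        self._next = cycle(relays)

    def pick(self, src_ip):
        return next(self._next)


class StickyBalancer:
    """Pins each source address to the relay it was first sent to."""

    def __init__(self, relays):
        self._next = cycle(relays)
        self._table = {}

    def pick(self, src_ip):
        if src_ip not in self._table:
            self._table[src_ip] = next(self._next)
        return self._table[src_ip]


def run_sessions(balancer, sessions):
    """Replay (device_ip, device_name) sessions through a balancer.

    Returns (recorded, observed): recorded maps a device to the parent the
    master stored at its first session; observed maps a device to the relay
    that actually carried each of its sessions.
    """
    recorded = {}
    observed = defaultdict(list)
    for src_ip, name in sessions:
        relay = balancer.pick(src_ip)
        if name not in recorded:
            recorded[name] = relay  # the master writes the parent once
        observed[name].append(relay)
    return recorded, dict(observed)


def drifted_devices(recorded, observed):
    """Devices whose real relay diverged from the recorded parent at least once."""
    return sorted(
        name for name, relays in observed.items()
        if any(relay != recorded[name] for relay in relays)
    )


# Constructed session log: three laptops, each checking in several times.
SESSIONS = [
    ("198.51.100.10", "laptop-a"), ("198.51.100.11", "laptop-b"),
    ("198.51.100.10", "laptop-a"), ("198.51.100.12", "laptop-c"),
    ("198.51.100.11", "laptop-b"), ("198.51.100.10", "laptop-a"),
    ("198.51.100.12", "laptop-c"),
]


def main():
    for label, balancer in (("per-session", RoundRobinBalancer(RELAYS)),
                            ("source-sticky", StickyBalancer(RELAYS))):
        recorded, observed = run_sessions(balancer, SESSIONS)
        print(f"{label}: drifted parents -> {drifted_devices(recorded, observed)}")


if __name__ == "__main__":
    main()
```

With per-session selection every laptop ends up reaching the master through a relay other than the one recorded as its parent, which is the state BMC Support warns cannot be relied on to be detected; with the sticky mapping the recorded parent stays accurate in this model. A practitioner can feed real check-in records into `drifted_devices` to audit an existing deployment for the same mismatch.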