Implementing Cloud-enabled Management (CEM) behind load balancers is a supported configuration with certain considerations:
For ITMS 8.x, please see Configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic as an example of what to configure. NOTE: It is up to the vendor and customer to correctly configure their load balancer.
NOTE: F5 is the only load balancer that has been tested. Symantec/Broadcom is aware of customers using other load balancers; after following their vendor's configuration documentation, many of these were able to work properly.
ITMS 8.x
It is worth mentioning that some customers have reported that they were able to configure this functionality by trial and error. However, as this is not a supported configuration with ITMS 8.x, Symantec/Broadcom Support is unable to assist with implementation. Some guidance has been provided under Configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic.
With regards to CEM, a load balancer that terminates SSL would act as a certificate proxy, meaning that any traffic coming in via SSL to the CEM URL would first have to validate at the appliance using a signed machine certificate. The Internet Gateway strictly uses a self-signed certificate, and all functionality is built between the agent at the endpoint and the Internet Gateway, so terminating SSL at the load balancer should not work. Traffic needs to pass through, and the handshake needs to be established at the Internet Gateway.
The Internet Gateway serves Symantec Management Agent (SMA) connections using the following process:
This method encrypts TCP traffic twice.
Starting with ITMS 7.6, some guidance has been provided under Configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic.
With the ITMS 8.x versions, if CEM is not involved, a proxy should be fine for HTTP/HTTPS communication. However, make sure this proxy is not doing SSL offloading. If CEM is involved and the client machine is external, an Internet Gateway should be used. A proxy should not be involved between the CEM client and the Internet Gateway. For HTTPS requests it is either a proxy or the CEM Internet Gateway, but not both.
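The two requirements above (the TLS handshake must complete at the Internet Gateway, and no intermediary may offload SSL) can be verified from the client side: if the appliance terminates TLS, the certificate presented at the CEM URL is the appliance's, not the Internet Gateway's self-signed one. The following script is an added example and not part of this article or of the ITMS product; the hostname, the fingerprint argument and the function names are assumptions, and the expected fingerprint is taken from the Internet Gateway's own certificate rather than from anything on this page.

```python
"""
Check that a load balancer in front of the CEM Internet Gateway is passing TLS
through rather than offloading it.

The SHA-256 fingerprint of the certificate presented at the CEM URL is compared
with the fingerprint of the Internet Gateway's own self-signed certificate. A
mismatch means some appliance in the path is completing the handshake itself.
"""
import hashlib
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as
    colon-separated uppercase hex, the format most tools display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection to host:port and return the leaf certificate the
    peer presents, DER-encoded. Verification is disabled on purpose: the
    gateway's certificate is self-signed, and the goal is to inspect what is
    presented, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_tls_passthrough(presented_der: bytes, gateway_fingerprint: str) -> bool:
    """True when the certificate seen through the load balancer is the Internet
    Gateway's own certificate, i.e. the handshake is being completed at the
    gateway and not at the appliance. The comparison is case-insensitive."""
    return fingerprint_sha256(presented_der) == gateway_fingerprint.upper()


def check_cem_url(host: str, gateway_fingerprint: str, port: int = 443) -> dict:
    """Run the check against a live CEM URL and report what was seen."""
    presented = fetch_presented_cert(host, port)
    seen = fingerprint_sha256(presented)
    return {
        "host": host,
        "presented_fingerprint": seen,
        "passthrough": seen == gateway_fingerprint.upper(),
    }


if __name__ == "__main__":
    import sys
    # Usage (hypothetical values, not from the article):
    #   python check_cem_passthrough.py cem.example.com AB:CD:...:EF
    # The fingerprint is read from the Internet Gateway's own certificate.
    host, expected = sys.argv[1], sys.argv[2]
    result = check_cem_url(host, expected)
    print(result)
    sys.exit(0 if result["passthrough"] else 1)
```

Run it from an external client against the public CEM URL; a non-zero exit means the certificate seen by the agent is not the Internet Gateway's, which is exactly the SSL-offloading configuration the article says will not work.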
If the CEM agent is trying to connect to an Internet Gateway, it will not fall back to a proxy when the Internet Gateway is not directly reachable; it will only try to connect to the Internet Gateway. If the CEM agent is trying to connect directly to the NS, it may try connecting through the proxy if the NS is not directly reachable.
For persistent connections, you can set a proxy before the Internet Gateway, although this does not help much at present, as HTTP/HTTPS requests are still needed to get the packages. Persistent connections should be able to handle a proxy in the middle even when an Internet Gateway is handling the requests.