When the Workspace ONE Access nodes are deployed in the DMZ behind a load balancer, every node must be able to reach every other node. Configure the firewall rules between the nodes to allow node-to-node traffic on port 5262.

For the cert proxy service to route requests correctly, configure the load balancer as follows.

  • SSL re-encryption enabled: the load balancer terminates the client TLS session and opens a new TLS session to the node.
  • Publicly trusted certificate installed on the load balancer.
  • X-Forwarded-For header enabled, so the nodes see the device's source IP address rather than the load balancer's.
  • RemotePort header enabled, so the nodes also see the device's source port.
  • Port 443 on each node configured with a self-signed certificate; the load balancer re-encrypts to this certificate.
  • Port 5262 configured for the cert proxy service with SSL pass-through, because certificate authentication requires the SSL handshake to be between the device and the service, not terminated at the load balancer.
  • Port 5263 configured as another instance of the cert proxy service, which receives internal admin requests from the service.
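As an added example (not VMware's configuration and not part of the original page), the list above expressed as an HAProxy configuration. HAProxy, the node addresses 10.0.0.11 and 10.0.0.12, the certificate file paths, and the treatment of port 5263 as a pass-through listener like 5262 are all assumptions made for illustration; the page itself names only the ports and the settings.

```haproxy
# Added example, not VMware's own configuration. Assumes HAProxy 2.x,
# two Workspace ONE Access nodes at 10.0.0.11 and 10.0.0.12 (assumed
# addresses), and placeholder certificate paths.
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 443: TLS is terminated here with the publicly trusted certificate
# and re-encrypted to each node (SSL re-encryption).
frontend fe_https
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/public-chain.pem
    # X-Forwarded-For carries the device's source IP to the node.
    option forwardfor
    # RemotePort carries the device's source port to the node.
    http-request set-header RemotePort %[src_port]
    default_backend be_access_https

backend be_access_https
    mode http
    balance roundrobin
    # Each node listens on 443 with a self-signed certificate. Rather than
    # disabling verification, trust exactly those certificates: node-certs.pem
    # is the concatenation of the nodes' self-signed certificates (assumed path).
    server node1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/node-certs.pem check
    server node2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/node-certs.pem check

# Port 5262: cert proxy service. TCP mode means SSL pass-through: the TLS
# handshake, including client-certificate authentication, happens between the
# device and the node, so no "ssl"/"crt" keywords appear here.
frontend fe_certproxy
    mode tcp
    bind *:5262
    default_backend be_certproxy

backend be_certproxy
    mode tcp
    balance roundrobin
    server node1 10.0.0.11:5262 check
    server node2 10.0.0.12:5262 check

# Port 5263: second cert proxy instance for internal admin requests. Treating
# it as pass-through like 5262 is an assumption of this example.
frontend fe_certproxy_admin
    mode tcp
    bind *:5263
    default_backend be_certproxy_admin

backend be_certproxy_admin
    mode tcp
    balance roundrobin
    server node1 10.0.0.11:5263 check
    server node2 10.0.0.12:5263 check
```

The contrast to check after deploying any such configuration: a client connecting to port 443 should be shown the publicly trusted certificate from the load balancer, while a client connecting to port 5262 should be shown a node's own certificate and be asked for a client certificate during the handshake. If 5262 presents the load balancer's certificate, it has been terminated rather than passed through and certificate authentication will fail.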