Desktop Central EC2 Server in an AWS Private AZ and public Network Load Balancer question


Hi everyone,

I currently have a ticket open but would like to see if anyone has found a solution.

Placed my DC Server in a private subnet with a route to my NAT Gateway. I have created the proper security group with all necessary ports (per ME's docs for DC) and attached it to the EC2 instance. The connectivity tests all pass.

Placed a network load balancer in a public subnet (same AZ and using an elastic IP passing all the TCP port requests) and registered the private EC2 as a target (configured with all the corresponding listeners). Health checks all pass.

Installed a third-party SSL cert on the DC Server. Route53 A record for that FQDN pointing to the elastic IP with a 60 TTL. All DNS checks pass.

Split DNS direct connection (from prem) to the server admin page loads fine. Connection from an external client to the server admin page will sometimes load fine, load slowly, or produce SSL errors: ERR_SSL_VERSION_INTERFERENCE (Chrome), ERR_SSL_PROTOCOL_ERROR (Chrome), ssl_error_rx_record_too_long (Firefox). The SSL handshake is fine from a local client. Port 443 is open for the EC2 instance, and the NLB and target group are listening.

Also, I can't connect from iOS devices with Safari, Chrome, Firefox (sometimes), or the DC App.

To troubleshoot, I placed the EC2 instance on the public subnet with a public IP and updated the DNS record. Zero issues connecting from anywhere.

The NLB is a layer 4 device that should just be passing TCP. The SSL termination is occurring on the server. I have narrowed this down to a possible issue with Apache/Tomcat timing out sessions or issues with TTL between the server and the NLB.

We would like to keep this design for security reasons. Any help/suggestions would be greatly appreciated.

Best,
Dennis
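To separate the failure modes described above (stalled handshakes versus non-TLS bytes on port 443, and intermittent versus constant), a repeated handshake probe run once against the public NLB FQDN and once against the server's internal address gives a comparable count of outcomes. This is an added diagnostic, not code from the original post or from ManageEngine; the hostname is a placeholder and the reason-to-hint mapping covers common OpenSSL reason codes only.

```python
import socket
import ssl
import time
from collections import Counter

# Common OpenSSL handshake failure reasons and what they usually indicate when
# a TCP-passthrough load balancer sits in front of a TLS-terminating server.
REASON_HINTS = {
    "WRONG_VERSION_NUMBER": "non-TLS bytes arrived on the port (plaintext backend or wrong target port)",
    "UNEXPECTED_EOF_WHILE_READING": "peer closed the connection mid-handshake (idle timeout or reset)",
    "CERTIFICATE_VERIFY_FAILED": "certificate chain or hostname mismatch on the server",
    "TLSV1_ALERT_PROTOCOL_VERSION": "server rejected every offered TLS version",
    "SSLV3_ALERT_HANDSHAKE_FAILURE": "no common cipher suite, or handshake refused by the server",
    "timeout": "no answer before the timeout (handshake stalled or packets dropped)",
}

def interpret(outcome):
    """Turn one probe outcome string into a short human-readable hint."""
    if outcome.startswith("ok "):
        return "handshake succeeded (" + outcome[3:] + ")"
    return REASON_HINTS.get(outcome, "unclassified failure: " + outcome)

def probe_once(host, port=443, sni=None, timeout=5.0):
    """One full TLS handshake with certificate verification; returns (outcome, seconds)."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return "ok " + (tls.version() or "TLS"), time.monotonic() - start
    except ssl.SSLError as exc:          # subclass of OSError, so it must come first
        return (exc.reason or "SSL_ERROR"), time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start
    except OSError as exc:
        return "os-error " + str(exc.errno), time.monotonic() - start

def summarize(results):
    """Count outcomes so an intermittent failure shows up as a ratio, not one run."""
    return dict(Counter(outcome for outcome, _ in results))

def probe(host, port=443, attempts=10, timeout=5.0):
    """Repeat the handshake and print each attempt; returns the outcome counts."""
    results = [probe_once(host, port, timeout=timeout) for _ in range(attempts)]
    for outcome, elapsed in results:
        print(f"{elapsed:6.2f}s  {outcome:32s} {interpret(outcome)}")
    return summarize(results)

if __name__ == "__main__":
    # Placeholder hostname: run against the NLB FQDN, then against the server directly.
    print(probe("dc.example.invalid"))
```

A mix of "ok" and "WRONG_VERSION_NUMBER" through the NLB but all "ok" direct points at the listener or target-port path rather than the server's TLS configuration; a mix of "ok" and "timeout" or "UNEXPECTED_EOF_WHILE_READING" points at connections being dropped in between.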
