How to configure HAProxy as a load balancer for Agent Client CollectorSummary<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The KB1122613 ITOM Agent Client Collector documentation material has a PDF attached:Recommendations on deploying and maintaining ServiceNow Agent Client Collector for Customers - 8.pdf This document recommends implementing a load balancer between ACC agents and MID Servers, as well as for applications utilising a MID Web Server, such as Event Management Push Connectors. Additionally, it includes guidance regarding AWS ELB configuration. The purpose of this Knowledge Base article is to provide detailed instructions on configuring an open-source load balancer (HAproxy) for customers who do not use AWS, prefer not to utilise ELB, or wish to balance ACC connections within their on-premises corporate network. This configuration also enforces the use of TLSv1.3 on both sides of the load balancer [ACC <-TLSv1.3-> HAProxy <-TLSv1.3-> MID Server], see KB2537912 for more information on TLS & ACC. Facts<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Three virtual machines (VMs) have been provisioned with the specified resources and are exclusively allocated for ACC. To ensure genuine high availability (HA), these VMs should be deployed across separate availability zones or on distinct hypervisor hosts, and they will not be utilized by other applications. 8 vCPU8 GiB of RAMLinuxMID Server Heap Memory: 6443 MB (6 GiB) This assumes Linux or Windows Server Core as the MID Server operating system. If Windows Server (Desktop Experience) is used, increasing the amount of RAM allocated to the virtual machine or reducing the MID Server's heap memory to 4GiB is recommended to reserve 4GiB of memory for the operating system. ACC Web Listener Port: 8080FQDNs: accmid1.lab.ugk.au, accmid2.lab.ugk.au, accmid3.lab.ugk.au These domain names are present in the HAProxy configuration, please ensure to replace them to suit your environment. Another VM has been configured as the load balancer: 8 vCPU8 GB of RAMOS: Debian 13FQDN: accadc.lab.ugk.au Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Tested with ACC-F 5.0.0 & HAProxy 3.2 Instructions<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The high-level instructions are: Create an empty file "hello.txt" in each MID Server’s ‘agent/static/’ directoryInstall HAProxy 3.2 on the Load Balancer VMDownload haproxy.conf from https://gist.githubusercontent.com/jbatesy/aaf96fa48e2ced42a0404b45526c9cf7/raw/Edit haproxy.conf, adjusting the configuration to suit your environment.Replace /etc/haproxy/haproxy.conf with your new configurationRestart the HAProxy serviceConfigure agents to use the load balancer’s FQDN as their endpoint Detailed instructions for Debian/Ubuntu: Create an empty file named 'hello.txt' in each MID Server’s ‘agent/static/’ directory root@accmid3:~# touch /opt/midserver/agent/static/hello.txt root@accmid3:~# ls -lah /opt/midserver/agent/static/ total 24K drwxr-xr-x 6 midserver midserver 4.0K Sep 24 01:44 . drwxrw---- 20 midserver midserver 4.0K Sep 30 03:23 .. drwxr-xr-x 2 midserver midserver 4.0K Sep 24 01:11 acc_config drwxr-xr-x 2 midserver midserver 4.0K Sep 24 01:13 acc_installers drwxr-xr-x 6 midserver midserver 4.0K Sep 24 01:11 acc_plugin drwxr-xr-x 3 midserver midserver 4.0K Sep 24 01:11 cert -rw-r--r-- 1 root root 0 Sep 30 03:48 hello.txt Create a self-signed TLS certificate for the Load Balancer’s endpoint. Note: ACC trusts self-signed certificates by default but a trusted certificate (PKI or a public CA) should be used in production deployments. Generate a private key root@accadc:~# openssl genrsa -out acc.key 2048 Create the certificate signing request (CSR) root@accadc:~# openssl req -new -key acc.key -out acc.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:Some-State Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACC Lab Environment Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:accadc.lab.ugk.au Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Sign the CSR using it's own private key to produce a self-signed certificate root@accadc:~# openssl x509 -req -days 3650 -in acc.csr -signkey acc.key -out acc.crt Certificate request self-signature ok subject=C=AU, ST=Some-State, O=ACC Lab Environment, CN=accadc.lab.ugk.au Install the certificate and private key as a .pem bundle into /etc/ssl/private/acc.pem root@accadc:~# cat acc.key acc.crt > /etc/ssl/private/acc.pem Install HAProxy 3.2-stable (LTS) on the Load Balancer VM using the instructions at https://haproxy.debian.net/ root@accadc:~# curl https://haproxy.debian.net/haproxy-archive-keyring.gpg \ --create-dirs --output /etc/apt/keyrings/haproxy-archive-keyring.gpg root@accadc:~# echo deb "[signed-by=/etc/apt/keyrings/haproxy-archive-keyring.gpg]" \ https://haproxy.debian.net trixie-backports-3.2 main \ > /etc/apt/sources.list.d/haproxy.list root@accadc:~# apt-get update root@accadc:~# apt-get install haproxy=3.2.\* Backup the default HAProxy configuration root@accadc:~# mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.default Download the config from Github Gist Note: This configuration is a validated example intended for use in your ACC deployment. It is recommended to thoroughly review both the configuration and the accompanying inline comments before applying it within your own infrastructure. root@accadc:~# wget -q https://gist.githubusercontent.com/jbatesy/aaf96fa48e2ced42a0404b45526c9cf7/raw/ -O - > /etc/haproxy/haproxy.cfg Edit the configuration to point to your own MID Servers' FQDN/IP root@accadc:~# vim /etc/haproxy/haproxy.cfg server mid_server_1 MID_SERVER_1_FQDN_OR_IP:MID_SERVER_1_PORT maxconn 4000 ssl verify none ws h1 check on-marked-down shutdown-sessions server mid_server_2 MID_SERVER_2_FQDN_OR_IP:MID_SERVER_2_PORT maxconn 4000 ssl verify none ws h1 check on-marked-down shutdown-sessions server mid_server_3 MID_SERVER_3_FQDN_OR_IP:MID_SERVER_3_PORT maxconn 4000 ssl verify none ws h1 check on-marked-down shutdown-sessions Restart the HAProxy service root@accadc:~# systemctl restart haproxy root@accadc:~# systemctl status haproxy ● haproxy.service - HAProxy Load Balancer Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: enabled) Active: active (running) since Tue 2025-09-30 04:54:23 UTC; 4s ago Invocation: f5df819a204c403e8ec1f3d45420287f Main PID: 5309 (haproxy) Status: "Ready." Tasks: 5 (limit: 2316) Memory: 70.8M (peak: 71.6M) CPU: 32ms CGroup: /system.slice/haproxy.service ├─5309 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock └─5311 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock Sep 30 04:54:23 accadc systemd[1]: Starting haproxy.service - HAProxy Load Balancer... Sep 30 04:54:23 accadc haproxy[5309]: [NOTICE] (5309) : Initializing new worker (5311) Sep 30 04:54:23 accadc haproxy[5309]: [NOTICE] (5309) : Loading success. Sep 30 04:54:23 accadc systemd[1]: Started haproxy.service - HAProxy Load Balancer. Use cURL to test HAProxy root@accadc:~# curl -k -i https://accadc.lab.ugk.au/static/hello.txt HTTP/2 200 date: Tue, 30 Sep 2025 04:59:02 GMT last-modified: Tue, 23 Sep 2025 06:02:38 GMT content-type: text/plain accept-ranges: bytes content-length: 0 x-backend-name: mid_server_2 Configure your ACC Agents' backend-url in acc.yml [root@oracle-8 ~]# grep -A1 "^backend-url:" /etc/servicenow/agent-client-collector/acc.yml backend-url: - wss://accadc.lab.ugk.au/ws/events Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Notes: Search the example config file for 'change this' noted on all places that need to be adjusted for your environmentServiceNow Support does not offer support for the HAProxy application, Enterprise HAProxy support & professional services is available through HAProxy Technologies, LLC. The configuration provided in this article is tested with the free & open-source HAProxy Community EditionA stats portal with basic administrative tasks will be available at http://LOAD_BALANCER_FQDN:8404/stats Default username/password: user / changemeCan't access this? Make sure you've updated the subnets defined in the ACL on the stats frontend.