Access Point can be used as a Web reverse proxy and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ.

Deployment Scenario

Access Point provides secure remote access to an on-premises deployment of VMware Identity Manager. Access Point appliances are typically deployed in a network demilitarized zone (DMZ). With VMware Identity Manager, the Access Point appliance operates as a Web reverse proxy between a user's browser and the VMware Identity Manager service in the data center. Access Point also enables remote access to the VMware Identity Manager catalog to launch Horizon applications.

Requirements for Access Point deployment with VMware Identity Manager

  • Split DNS

  • VMware Identity Manager appliance must have a fully qualified domain name (FQDN) as hostname.

  • Access Point must use internal DNS. This means that the proxyDestinationURL must use an FQDN.

Figure 1. Access Point Appliance Pointing the Connector

Understanding Reverse Proxy

Access Point gives remote users access to the app portal so that they can single sign-on and access their resources. You enable Authn reverse proxy on an edge service Manager. Currently, RSA SecurID and RADIUS authentication methods are supported.

Note:

You must generate the identity provider metadata before enabling authentication on Web reverse proxy.

Access Point provides remote access to VMware Identity Manager and Web applications, with or without authentication, from a browser-based client, which can then launch Horizon desktops.

  • Browser-based clients are supported using RADIUS and RSA SecurID as the authentication methods.

In the Access Point 2.8 release, reverse proxy support is limited to VMware Identity Manager and internal Web resources such as Confluence and wikis. The list of resources will be extended in the future.

Note:

The authCookie and unSecurePattern properties are not valid for Authn reverse proxy. You must use the authMethods property to define the authentication method.
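
The FQDN requirement and the property rule in the note above can be checked before deployment. The following is an added example, not VMware code: the property names are the ones used on this page, while the flat dictionary layout, the `check_reverse_proxy` helper, and all sample values are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Properties this page says are not valid for Authn reverse proxy.
INVALID_FOR_AUTHN = ("authCookie", "unSecurePattern")

# Constructed sample settings; every value is a placeholder.
SAMPLE_BAD = {
    "proxyDestinationURL": "https://10.0.0.5",
    "authCookie": "EXAMPLE_COOKIE",
    "unSecurePattern": "/example/(.*)",
}
SAMPLE_GOOD = {
    "proxyDestinationURL": "https://vidm.corp.example",
    "authMethods": "placeholder-auth-method",
}


def is_fqdn(host):
    """True for a dotted DNS name; False for IP literals and single-label names."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP address bypasses internal DNS, so reject it
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        0 < len(label) <= 63
        and label.replace("-", "").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )


def check_reverse_proxy(settings, authn):
    """Return findings for one reverse proxy settings dict (hypothetical layout)."""
    findings = []
    host = urlsplit(settings.get("proxyDestinationURL", "")).hostname
    if not is_fqdn(host):
        findings.append("proxyDestinationURL must use an FQDN")
    if authn:
        if not settings.get("authMethods"):
            findings.append("authMethods must define the authentication method")
        for name in INVALID_FOR_AUTHN:
            if name in settings:
                findings.append(name + " is not valid for Authn reverse proxy")
    return findings
```

An empty list means the settings satisfy the rules stated on this page; it does not validate the authentication method value itself.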