Unified Access Gateway can be used as a Web reverse proxy and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ.

Deployment Scenario

Unified Access Gateway provides secure remote access to an on-premises deployment of VMware Identity Manager. Unified Access Gateway appliances are typically deployed in a network demilitarized zone (DMZ). With VMware Identity Manager, the Unified Access Gateway appliance operates as a Web reverse proxy between a user's browser and the VMware Identity Manager service in the data center. Unified Access Gateway also enables remote access to the Workspace ONE catalog to launch Horizon applications.

Requirements for Unified Access Gateway deployment with VMware Identity Manager:

  • Split DNS

  • The VMware Identity Manager appliance must have a fully qualified domain name (FQDN) as its hostname.

  • Unified Access Gateway must use internal DNS. This means that the proxyDestinationURL must use an FQDN.

Figure 1. Unified Access Gateway Appliance Pointing VMware Identity Manager

Understanding Reverse Proxy

Unified Access Gateway gives remote users access to the app portal, where they can use single sign-on and access their resources. You enable authn reverse proxy on an edge service manager. Currently, RSA SecurID and RADIUS authentication methods are supported.

Note:

You must generate the identity provider metadata before enabling authentication on Web reverse proxy.

Unified Access Gateway provides remote access to VMware Identity Manager and Web applications, with or without authentication, from a browser-based client, which can then launch a Horizon desktop.

  • Browser-based clients are supported using RADIUS and RSA SecurID as the authentication methods.

You can configure multiple instances of the reverse proxy.

Figure 2. Multiple Reverse Proxies Configured

Note:

The authCookie and unSecurePattern properties are not valid for authn reverse proxy. You must use authMethods property to define the authentication method.
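
The FQDN requirement for proxyDestinationURL and the property rules in the note above can be checked before deployment. The following is an added example, not VMware code: it lints reverse proxy settings held in a plain dictionary, and the `authenticating` flag, the instance names, and all sample values are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Properties the page says are not valid for an authn reverse proxy.
INVALID_FOR_AUTHN = ("authCookie", "unSecurePattern")


def is_fqdn(host):
    """True for a multi-label DNS name; False for IP literals and short names."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal bypasses the internal (split) DNS name
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        0 < len(lab) <= 63 and lab.replace("-", "").isalnum()
        and not lab.startswith("-") and not lab.endswith("-")
        for lab in labels
    )


def lint_instance(name, settings, authenticating):
    """Return a list of findings for one reverse proxy instance.

    `authenticating` is a hypothetical flag for this example: True when the
    instance is meant to be an authn reverse proxy.
    """
    findings = []
    host = urlsplit(settings.get("proxyDestinationURL", "")).hostname
    if not is_fqdn(host):
        findings.append(f"{name}: proxyDestinationURL must use an FQDN, got {host!r}")
    if authenticating:
        for prop in INVALID_FOR_AUTHN:
            if prop in settings:
                findings.append(f"{name}: {prop} is not valid for authn reverse proxy")
        if not settings.get("authMethods"):
            findings.append(f"{name}: authMethods must define the authentication method")
    return findings


# Constructed sample settings; hostnames and values are placeholders.
SAMPLES = {
    "plain-ok": ({"proxyDestinationURL": "https://vidm.corp.example.com"}, False),
    "authn-bad": ({"proxyDestinationURL": "https://10.0.0.5",
                   "authCookie": "X", "unSecurePattern": "(/x(.*))"}, True),
}

if __name__ == "__main__":
    for name, (settings, authn) in SAMPLES.items():
        for finding in lint_instance(name, settings, authn) or [f"{name}: ok"]:
            print(finding)
```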