Unified Access Gateway uses different variables to differentiate between edge services, configured web proxies, and proxy destination URLs.
Proxy Pattern and Unsecure Pattern
Unified Access Gateway uses the proxy pattern to forward incoming HTTP requests to the right edge service, such as Horizon, or to one of the configured web reverse proxy instances, such as Workspace ONE Access. The proxy pattern is therefore a filter that decides whether a reverse proxy is needed to process incoming traffic.
If a reverse proxy is selected, the proxy then uses the specified unsecure pattern to decide whether incoming traffic is allowed to go to the back end without being authenticated.
^/(?!admin(.*))(.*)
(/|/view-client(.*)|/portal(.*)|/appblast(.*)) and the pattern for Workspace ONE Access can be configured as (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)).
Retaining the '/' proxy pattern in the web reverse proxy instance (Workspace ONE Access) ensures that when a user clicks the URL of Unified Access Gateway, the Workspace ONE Access page is displayed.
If only Horizon settings are configured, the above change is not required.
Proxy Host Pattern
If there are multiple web reverse proxy instances configured, and there is an overlap in Proxy Patterns, Unified Access Gateway uses the Proxy Host Pattern to differentiate between them. Configure Proxy Host Pattern as the FQDN of the reverse proxy.
For example, a host pattern for Sharepoint can be configured as sharepoint.myco.com and a pattern for JIRA can be configured as jira.myco.com.
Host Entries
Configure this text box only if Unified Access Gateway is not able to reach the back end server or application. When you add the IP address and hostname of the back end application to the Host Entries, that information is added to the /etc/hosts file of Unified Access Gateway. This field is common across all the edge service settings.
Proxy Destination URL
- For Horizon Connection Server, the connection server URL is the proxy destination URL.
- For web reverse proxy, the application URL of the configured web reverse proxy is the proxy destination URL.
Single Reverse Proxy Configuration
When Unified Access Gateway receives a single incoming request with a URI, the proxy pattern is used to decide whether to forward the request or drop it.
Multiple Reverse Proxy Configuration
1. When Unified Access Gateway is configured as a reverse proxy, and an incoming request arrives with a URI path, Unified Access Gateway uses the proxy pattern to match the correct web reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, then the filtering and matching process is repeated in step 2. If there is no match, the request is dropped and an HTTP 404 is sent back to the client.
2. The proxy host pattern is used to filter the list that was already filtered in step 1. The HOST header is used to filter the request and find the reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, then the filtering and matching process is repeated in step 3.
3. Note the following:
   - The first match from the filtered list in step 2 is used. This match might not always be the correct web reverse proxy instance. Therefore, ensure that the combination of proxy pattern and proxy host pattern for a web reverse proxy instance is unique if there are multiple reverse proxies set up in a Unified Access Gateway.
   - The host name of all the configured reverse proxies should resolve to the same IP address as the external address of the Unified Access Gateway instance.
See Configure Reverse Proxy With Workspace ONE Access for more information and instructions about configuring a reverse proxy.
Example: Two Reverse Proxies Configured With Clashing Proxy Patterns, Distinct Host Patterns
/(.*) with the host pattern as host1.domain.com and the pattern for the second reverse proxy is (/app2(.*)|/app3(.*)|/) with the host pattern as host2.domain.com.
- If a request is made with the path set to https://host1.domain.com/app1/index.html, then the request is forwarded to the first reverse proxy.
- If a request is made with the path set to https://host2.domain.com/app2/index.html, then the request is forwarded to the second reverse proxy.
Example: Two Reverse Proxies With Mutually Exclusive Proxy Patterns
/app1(.*) and for the second reverse proxy is (/app2(.*)|/app3(.*)|/).
- If a request is made with the path set to https://<uag domain name>/app1/index.html, then the request is forwarded to the first reverse proxy.
- If a request is made with the path set to https://<uag domain name>/app3/index.html or https://<uag domain name>/, then the request is forwarded to the second reverse proxy.
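The matching steps under Multiple Reverse Proxy Configuration, run against the two example configurations above, as an added sketch that is not VMware code. It assumes patterns must match the whole URI path, that the host pattern is compared to the Host header as a literal FQDN, and that a request is dropped when no host pattern matches; the instance names and the uag.example.com host are constructed. It also goes one step further than the page and flags requests that resolve only through the step 3 first-match rule, the condition the uniqueness note warns about.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProxyInstance:
    name: str                           # hypothetical label, not a UAG setting
    proxy_pattern: str                  # regex over the URI path
    host_pattern: Optional[str] = None  # FQDN, as the page recommends

def candidates(instances: List[ProxyInstance], host: str, path: str) -> List[ProxyInstance]:
    # Step 1: keep instances whose proxy pattern matches the path.
    # Assumption: the pattern must match the whole path (re.fullmatch).
    by_path = [i for i in instances if re.fullmatch(i.proxy_pattern, path)]
    if len(by_path) <= 1:
        return by_path
    # Step 2: several matches, so filter again on the Host header.
    # Assumption: literal, case-insensitive FQDN comparison, port ignored;
    # an instance without a host pattern does not survive this filter.
    fqdn = host.split(":")[0].lower()
    return [i for i in by_path if i.host_pattern and i.host_pattern.lower() == fqdn]

def route(instances, host, path) -> Tuple[Optional[str], bool]:
    """Return (instance name, ambiguous). A name of None means HTTP 404."""
    found = candidates(instances, host, path)
    if not found:
        return None, False
    # Step 3: the first remaining match is used; more than one is ambiguous.
    return found[0].name, len(found) > 1

def ambiguous_probes(instances, probes):
    """Audit helper: (host, path) probes that rely on the first-match rule."""
    return [p for p in probes if route(instances, *p)[1]]

# The page's two example configurations.
CLASHING = [ProxyInstance("rp1", r"/(.*)", "host1.domain.com"),
            ProxyInstance("rp2", r"(/app2(.*)|/app3(.*)|/)", "host2.domain.com")]
EXCLUSIVE = [ProxyInstance("rp1", r"/app1(.*)"),
             ProxyInstance("rp2", r"(/app2(.*)|/app3(.*)|/)")]
# Constructed misconfiguration: same proxy pattern and same host pattern.
DUPLICATE = [ProxyInstance("rp1", r"/(.*)", "host1.domain.com"),
             ProxyInstance("rp2", r"/(.*)", "host1.domain.com")]

if __name__ == "__main__":
    for cfg, host, path in [(CLASHING, "host2.domain.com", "/app2/index.html"),
                            (EXCLUSIVE, "uag.example.com", "/nomatch"),
                            (DUPLICATE, "host1.domain.com", "/app1/index.html")]:
        print(host, path, "->", route(cfg, host, path))
```

Running `ambiguous_probes` over a list of representative host and path pairs before deploying a new reverse proxy instance shows which requests would be decided by configuration order rather than by a unique pattern combination.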