Unified Access Gateway uses different variables to differentiate between edge services, configured web proxies, and proxy destination URLs.

Proxy Pattern and Unsecure Pattern

Unified Access Gateway uses the proxy pattern to forward incoming HTTP requests to the right edge service, such as Horizon, or to one of the configured web reverse proxy instances, such as Workspace ONE Access. The pattern therefore acts as a filter that decides whether a reverse proxy is needed to process incoming traffic.

If a reverse proxy is selected, the proxy uses the specified unsecure pattern to decide whether incoming traffic is allowed to reach the back end without being authenticated.

The user must specify a proxy pattern; specifying an unsecure pattern is optional. The unsecure pattern is used by web reverse proxies such as Workspace ONE Access, which have their own login mechanism and need certain URLs, such as login page paths, JavaScript files, or image resources, to be passed to the back end without being authenticated.
Note: An unsecure pattern is a subset of the proxy pattern and therefore some paths might be repeated between both of them for a reverse proxy.
Note: The pattern can also be used to exclude certain URLs. For example, to allow all URLs through but block /admin, you can use the following expression: ^/(?!admin(.*))(.*)
Each edge service can have a different pattern. For example, the Proxy Pattern for Horizon can be configured as (/|/view-client(.*)|/portal(.*)|/appblast(.*)) and the pattern for Workspace ONE Access can be configured as (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)).
Note: Horizon Connection Server does not work with an enabled web reverse proxy when there is an overlap in the proxy pattern. Therefore, if both Horizon and a web reverse proxy instance such as Workspace ONE Access are configured and enabled with proxy patterns on the same Unified Access Gateway instance, remove the proxy pattern '/' from Horizon settings and retain the pattern in Workspace ONE Access to prevent the overlap.

Retaining the '/' proxy pattern in the web reverse proxy instance (Workspace ONE Access) ensures that when a user clicks the URL of Unified Access Gateway, the Workspace ONE Access page is displayed.

If only Horizon settings are configured, the above change is not required.
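The following check is an added example, not VMware code: it probes a proxy pattern and unsecure pattern pair with sample paths and reports where the unsecure pattern lets a protected path through or falls outside the proxy pattern. It assumes a pattern must match the whole URI path; the Workspace ONE Access proxy pattern and the /admin exclusion expression are the ones quoted above, while the unsecure patterns and sample paths are constructed placeholders.

```python
import re

def classify(path, proxy_pattern, unsecure_pattern=None):
    """Return 'not-proxied', 'unauthenticated' or 'authenticated' for a path.

    Assumption: a pattern must match the whole URI path (re.fullmatch).
    """
    if not re.fullmatch(proxy_pattern, path):
        return "not-proxied"
    if unsecure_pattern and re.fullmatch(unsecure_pattern, path):
        return "unauthenticated"
    return "authenticated"

def audit(proxy_pattern, unsecure_pattern, protected, public):
    """Probe a pattern pair with sample paths and return a list of findings."""
    findings = []
    for path in protected:  # paths that must never skip authentication
        if classify(path, proxy_pattern, unsecure_pattern) == "unauthenticated":
            findings.append(("protected path skips authentication", path))
    for path in public:  # login pages, scripts, images
        verdict = classify(path, proxy_pattern, unsecure_pattern)
        if verdict == "authenticated":
            findings.append(("login resource requires authentication", path))
        elif verdict == "not-proxied" and re.fullmatch(unsecure_pattern, path):
            findings.append(("unsecure pattern is not a subset of proxy pattern", path))
    return findings

# Proxy pattern quoted on the page for Workspace ONE Access.
PROXY = r"(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))"
# Constructed unsecure patterns and sample paths (not real product paths).
TIGHT = r"(/web/login(.*)|/web/static/(.*))"
LOOSE = r"(/web(.*)|/static(.*))"
PROTECTED = ["/web/settings", "/catalog-portal/ui"]
PUBLIC = ["/web/login", "/web/static/app.js", "/static/logo.png"]

# Exclusion expression quoted on the page: allow everything except /admin.
EXCLUDE_ADMIN = r"^/(?!admin(.*))(.*)"

if __name__ == "__main__":
    print("tight:", audit(PROXY, TIGHT, PROTECTED, PUBLIC))
    print("loose:", audit(PROXY, LOOSE, PROTECTED, PUBLIC))
    # The lookahead excludes every path that starts with /admin, so
    # /administrator is dropped as well, while /portal/admin is still proxied.
    for p in ["/admin/users", "/administrator", "/portal/admin"]:
        print(p, "->", classify(p, EXCLUDE_ADMIN))
```
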

Proxy Host Pattern

If there are multiple web reverse proxy instances configured, and there is an overlap in Proxy Patterns, Unified Access Gateway uses the Proxy Host Pattern to differentiate between them. Configure Proxy Host Pattern as the FQDN of the reverse proxy.

For example, a host pattern for SharePoint can be configured as sharepoint.myco.com and a pattern for JIRA can be configured as jira.myco.com.

Host Entries

Configure this text box only if Unified Access Gateway is not able to reach the back end server or application. When you add the IP address and hostname of the back end application to the Host Entries, that information is added to the /etc/hosts file of Unified Access Gateway. This field is common across all the edge service settings.

Proxy Destination URL

This is the back end server application URL of the edge service settings for which Unified Access Gateway is the proxy. For example:
  • For Horizon Connection Server, the connection server URL is the proxy destination URL.
  • For web reverse proxy, the application URL of the configured web reverse proxy is the proxy destination URL.

Single Reverse Proxy Configuration

When Unified Access Gateway receives a single incoming request with a URI, the proxy pattern is used to decide whether to forward the request or drop it.

Multiple Reverse Proxy Configuration

  1. When Unified Access Gateway is configured as a reverse proxy, and an incoming request arrives with a URI path, Unified Access Gateway uses the proxy pattern to match the correct web reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, then the filtering and matching process is repeated in step 2. If there is no match, the request is dropped and an HTTP 404 is sent back to the client.
  2. The proxy host pattern is used to filter the list that was already filtered in step 1. The HOST header is used to filter the request and find the reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, then the filtering and matching process is repeated in step 3.
  3. Note the following:
    • The first match from the filtered list in step 2 is used. This match might not always be the correct web reverse proxy instance. Therefore, ensure that the combination of proxy pattern and proxy host pattern for a web reverse proxy instance is unique if there are multiple reverse proxies set up in a Unified Access Gateway.
    • The host name of all the configured reverse proxies should resolve to the same IP address as the external address of the Unified Access Gateway instance.

See Configure Reverse Proxy With Workspace ONE Access for more information and instructions about configuring a reverse proxy.

Example: Two Reverse Proxies Configured With Clashing Proxy Patterns, Distinct Host Patterns

Suppose the proxy pattern for the first reverse proxy is /(.*) with the host pattern as host1.domain.com and the pattern for the second reverse proxy is (/app2(.*)|/app3(.*)|/) with the host pattern as host2.domain.com.
  • If a request is made with the path set to https://host1.domain.com/app1/index.html, then the request is forwarded to the first reverse proxy.
  • If a request is made with the path set to https://host2.domain.com/app2/index.html, then the request is forwarded to the second reverse proxy.

Example: Two Reverse Proxies With Mutually Exclusive Proxy Patterns

Suppose the proxy pattern for the first reverse proxy is /app1(.*) and for the second reverse proxy is (/app2(.*)|/app3(.*)|/).
  • If a request is made with the path set to https://<uag domain name>/app1/index.html, then the request is forwarded to the first reverse proxy.
  • If a request is made with the path set to https://<uag domain name>/app3/index.html or https://<uag domain name>/ , then the request is forwarded to the second reverse proxy.
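
The matching steps under Multiple Reverse Proxy Configuration, run against the two examples above, as an added model that is not Unified Access Gateway's own code. It assumes whole-path regex matching and case-insensitive FQDN equality on the Host header, and it reports no route when step 2 finds no host match, a case the steps do not describe; the DUPLICATE configuration and its host name are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ReverseProxy:
    name: str
    proxy_pattern: str
    host_pattern: str = ""  # Proxy Host Pattern (FQDN); empty if not set

def select_instance(instances, host_header, path):
    """Model of steps 1-3: returns (instance name or None, deciding stage)."""
    # Step 1: filter on proxy pattern. Assumption: the whole URI path must
    # match, which is what keeps the second example mutually exclusive.
    by_path = [i for i in instances if re.fullmatch(i.proxy_pattern, path)]
    if not by_path:
        return None, "no proxy pattern match: HTTP 404"
    if len(by_path) == 1:
        return by_path[0].name, "proxy pattern"
    # Step 2: narrow by Host header. Assumption: case-insensitive FQDN
    # equality, with any :port suffix ignored.
    host = host_header.split(":")[0].lower()
    by_host = [i for i in by_path if i.host_pattern.lower() == host]
    if not by_host:
        # Not described in the steps; this model reports no route.
        return None, "no proxy host pattern match"
    if len(by_host) == 1:
        return by_host[0].name, "proxy host pattern"
    # Step 3: the first match wins, which may be the wrong instance.
    return by_host[0].name, "first match (ambiguous)"

# The two examples from the page.
CLASHING = [
    ReverseProxy("first", r"/(.*)", "host1.domain.com"),
    ReverseProxy("second", r"(/app2(.*)|/app3(.*)|/)", "host2.domain.com"),
]
EXCLUSIVE = [
    ReverseProxy("first", r"/app1(.*)"),
    ReverseProxy("second", r"(/app2(.*)|/app3(.*)|/)"),
]
# Constructed misconfiguration: pattern and host pattern are not unique.
DUPLICATE = [
    ReverseProxy("wiki", r"/(.*)", "apps.example.com"),
    ReverseProxy("tracker", r"/(.*)", "apps.example.com"),
]

if __name__ == "__main__":
    print(select_instance(CLASHING, "host2.domain.com", "/app2/index.html"))
    print(select_instance(EXCLUSIVE, "uag.example.com", "/app3/index.html"))
    print(select_instance(DUPLICATE, "apps.example.com", "/board"))
```

A result of "first match (ambiguous)" marks a configuration where the combination of proxy pattern and proxy host pattern needs to be made unique.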