When using On-Premise installations of Workspace ONE UEM, the API server is typically installed behind a firewall without incoming internet access. To securely use Workspace ONE Intelligence automation capabilities, you can configure a web reverse proxy edge service within the Unified Access Gateway to allow access only to the API service so actions can be taken on devices, users, and other resources.

Prerequisites

  • The UEM API service must have a fully qualified domain name (FQDN) as hostname.
  • Unified Access Gateway must use internal DNS. This means that the proxy Destination URL must use FQDN.
  • The combination of proxy pattern and proxy host pattern for a web reverse proxy instance must be unique if there are multiple reverse proxies setup in a Unified Access Gateway instance.
  • The host names of all configured reverse proxies should resolve to the same IP address which is the IP address of the Unified Access Gateway instance.
  • For more information on Advanced Edge Service Settings, see Advanced Edge Service Settings.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings, click Show.
  3. Click the Reverse Proxy Settings gearbox icon.
  4. In the Reverse Proxy Setting page, click Add.
  5. In the Enable Reverse Proxy Settings section, change NO to YES to enable reverse proxy.
  6. Configure the following edge service settings.
    Option Description
    Identifier The edge service identifier is set to Web reverse proxy.
    Instance Id The unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.
    Proxy Destination URL Enter the address of the Web application, which is usually the back end URL. For example, for the Workspace ONE UEM API server, it may be a different URL/IP Address than your console login. You can verify this by checking in the UEM settings pages under Settings > System > Advanced > API > REST API > REST API URL.
    Proxy Destination URL Thumbprints Enter a list of acceptable SSL server certificate thumbprints for the proxyDestination URL. If you specify *, any certificate is accepted. A thumbprint is in the format [alg=]xx:xx, where alg can either be the default, sha1, or md5. The xx are hexadecimal digits. The ':' separator can also be a space or missing. The case in a thumbprint is ignored. For example:

    sha1=B6 77 DC 9C 19 94 2E F1 78 F0 AD 4B EC 85 D1 7A F8 8B DC 34

    sha256=ad:5c:f1:48:47:94:7e:80:82:73:13:6c:83:52:be:78:ed:ff:50:23:56:a8:42:8a:d9:30:fc:3a:33:d6:c6:db

    If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.

    Proxy Pattern Enter the matching URI paths that forward to the destination URL. For Workspace ONE UEM API, use: (/API(.*)|/api(.*)|/Api(.*)|).
    Note: When you configure multiple reverse proxies, provide the hostname in the proxy host pattern.
  7. To configure other advanced settings, click More.
    Option Description
    Auth Methods

    The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus. SecurID, RADIUS, Passthrough, and X.509 Certificate Auth Methods are supported.

    External URL The default value is the Unified Access Gateway host URL, port 443. You can enter another external URL. Enter as https://<host:port>.
    Note:

    While using the Unified Access Gateway behind a load balancer, enter the Load Balancer URL in this field.

    Proxy Host Pattern External hostname used to check the incoming host to see whether it matches the pattern for that particular instance. Host pattern is optional, when configuring Web reverse proxy instances.
    Trusted Certificates
    • To select a certificate in PEM format and add to the trust store, click + .
    • To provide a different name, edit the alias text box.

      By default, the alias name is the filename of the PEM certificate.

    • To remove a certificate from the trust store, click -.
    Host Entries Enter the details to be added in /etc/hosts file. Each entry should include an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias. Click the '+" sign to add multiple host entries.
    Important: The host entries are saved only after you click Save.
  8. Click Save.

What to do next

To configure the Workspace UEM API Connector for use with Workspace ONE Intelligence, see the Getting Started with Automations topic of the Workspace ONE Intelligence documentation. Use the external URL configured for your Unified Access Gateway instead of the UEM REST API internal server URL.