You can configure the Web reverse proxy service to use Unified Access Gateway with VMware Identity Manager.

Prerequisites

Requirements for deployment with VMware Identity Manager.

  • Split DNS. The split DNS can be used to resolve the name to different IP addresses depending on whether the IP is internal or external.

  • VMware Identity Manager service must have fully qualified domain name (FQDN) as hostname.

  • Unified Access Gateway must use internal DNS. This means that the proxy Destination URL must use FQDN.

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. In the General Settings > Edge Service Settings line, click Show.
  3. Click the Reverse Proxy Settings gearbox icon.
  4. In the Reverse Proxy Setting page, click Add.
  5. In the Enable Reverse Proxy Settings section, change NO to YES to enable reverse proxy.
  6. Configure the following edge service settings.

    Option

    Description

    Identifier

    The edge service identifier is set to Web reverse proxy.

    Instance Id

    The unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.

    Proxy Destination URL

    Enter the address of the Web application.

    Proxy Destination URL Thumbprints

    Enter a list of acceptable SSL server certificate thumbprints for the proxyDestination URL. If you include the wildcard *, any certificate is allowed. A thumbprint is in the format [alg=]xx:xx, where alg can be sha1, the default, or md5. The 'xx' are hexadecimal digits. The ':' separator can also be a space or missing. The case in a thumbprint is ignored. For example:

    sha1=B6 77 DC 9C 19 94 2E F1 78 F0 AD 4B EC 85 D1 7A F8 8B DC 34,

    sha256=ad:5c:f1:48:47:94:7e:80:82:73:13:6c:83:52:be:78:ed:ff:50:23:56:a8:42:8a:d9:30:fc:3a:33:d6:c6:db

    If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.

    Proxy Pattern

    Enter the matching URI paths that forward to the destination URL. For example, enter as (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)).

    Note:

    When you are configuring multiple reverse proxies, provide the hostname in the proxy host pattern.

  7. To configure other advanced settings, click More.

    Option

    Description

    Auth Methods

    The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus.

    Health Check URI Path

    Unified Access Gateway connects to this URI path to check the health of your web application.

    SAML SP

    This field is required when configuring UAG as authenticated reverse proxy for VMware Identity Manager. Enter the name of the SAML service provider for the View XML API broker. This name must either match the name of a service provider you configured with Unified Access Gateway or be the special value DEMO. If there are multiple service providers configured withUnified Access Gateway, their names must be unique.

    Activation Code

    Enter the code generated by VMware Identity Manager service and imported into Unified Access Gateway to set up trust between VMware Identity Manager and Unified Access Gateway. Note that the Activation Code is not required for on-premise deployments. See VMware Identity Manager Cloud Deployment for details on how to generate an Activation Code.

    External URL

    The default value is the Unified Access Gateway host URL, port 443. You can enter another external URL. Enter as https://<host:port>.

    UnSecure Pattern

    Enter the known VMware Identity Manager redirection pattern. For example: (/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*))

    Auth Cookie

    Enter the authentication cookie name. For example: HZN

    Login Redirect URL

    If the user logs out of the portal, enter the redirect URL to log back in. For example: /SAAS/auth/login?dest=%s

    Proxy Host Pattern

    External hostname used to check the incoming host to see whether it matches the pattern for that particular instance. Host pattern is optional, when configuring Web reverse proxy instances. .

    Host Entries

    Enter a comma separated list of host entries to be added in /etc/hosts file. Each entry includes an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, 10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias.

    Note:

    UnSecure Pattern, Auth Cookie, and Login Redirect URL options are applicable only with VMware Identity Manager. The values provided here are also applicable to Access Point 2.8 and Unified Access Gateway 2.9.

    Note:

    The Auth Cookie and UnSecure Pattern properties are not valid for authn reverse proxy. You must use the Auth Methods property to define the authentication method.

  8. Click Save.

What to do next

To enable identity bridging, see Configuring Identity Bridging Settings.