Use the HA Proxy SNI redirection feature to facilitate sharing of port 443 with various components of Unified Access Gateway.

Unified Access Gateway currently runs VMware Tunnel, Content Gateway, Blast and Web reverse proxy services on TCP. Many users prefer to use port 443 for all incoming connections to their appliances, but without port sharing this does not work: TCP traffic arriving on 443 is routed to the Edge Service Manager of Unified Access Gateway (port 6443), while VMware Tunnel and Content Gateway listen on separate ports, which must then be opened externally.

Unified Access Gateway now uses the HA proxy SNI redirection feature to allow port 443 sharing between components. You enable TLS port sharing during deployment. For example, you can have an authenticated Web Reverse proxy instance and Content Gateway on the same appliance, with traffic for both services incoming on TCP 443, as long as the incoming hostname for Content Gateway matches the hostname configured in the TLS SNI rules for it.
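To illustrate the mechanism, the following is an added Python example (not VMware's code and not the actual UAG or HAProxy configuration): it extracts the SNI host name from a TLS ClientHello and routes the connection to a backend port from a rule table. The rule table, the hostnames and the Content Gateway and Tunnel ports are constructed placeholders; 6443 is the Edge Service Manager fallback mentioned above, which receives any connection whose SNI matches no rule.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_ext = struct.pack("!HH", 0, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed for the sample)
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:     # record type 0x16 = handshake
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:                   # handshake type 0x01 = ClientHello
        return None
    pos = 4 + 2 + 32                              # handshake header, version, random
    pos += 1 + hs[pos]                            # skip session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + hs[pos]                            # skip compression methods
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                            # server_name extension
            # server_name_list length(2), name_type(1), name length(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None

# Constructed placeholder rules: SNI hostname -> internal service port (not UAG's real config)
SNI_RULES = {"cg.example.com": 10443, "tunnel.example.com": 8443}
DEFAULT_BACKEND = 6443  # Edge Service Manager: destination when no SNI rule matches

def route(record: bytes) -> int:
    """Pick the backend port for one incoming connection on TCP 443 based on its SNI."""
    return SNI_RULES.get(extract_sni(record), DEFAULT_BACKEND)
```

A client that presents a hostname not listed in the rules (or no SNI at all) lands on the default backend, which is why the external hostname for Content Gateway or Tunnel must match the configured TLS SNI rule exactly.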

If you deploy using the OVF template in the vSphere web client, check "Enable TLS port 443 sharing with HA proxy" on the Properties page. Alternatively, set the tlsPortSharingEnabled property to true when deploying with PowerShell.

Note:

If TLS port sharing is enabled:

  • You cannot later modify this setting from the Admin UI.

  • You will get an error message if you attempt to import UAG settings from the Admin UI with a different value for this field. In this case, the port sharing property is ignored, but the rest of the UAG settings import successfully.

  • You have the option to specify TLS SNI Rules along with the rest of the Edge service settings. This property is only available for VMware Tunnel and Content Gateway settings.