Unified Access Gateway uses different variables to differentiate between edge services, configured web proxies, and proxy destination URLs.

Proxy Pattern and Unsecure Pattern

Unified Access Gateway uses the proxy pattern to forward incoming HTTP requests to the right edge service, such as Horizon, or to one of the configured web reverse proxy instances, such as VMware Identity Manager. The proxy pattern therefore acts as a filter that decides whether a reverse proxy is needed to process incoming traffic.

If a reverse proxy is chosen, the proxy uses the specified unsecure pattern to decide whether the incoming traffic is allowed to reach the back end without being authenticated.

The user must specify a proxy pattern; specifying an unsecure pattern is optional. The unsecure pattern is used by web reverse proxies such as VMware Identity Manager, which have their own login mechanism and want certain URLs, such as login page paths, JavaScript files, or image resources, to be passed to the back end without being authenticated.
Note: An unsecure pattern is a subset of the proxy pattern and therefore some paths may be repeated between both of them for a reverse proxy.
Each edge service can have a different pattern. For example, the Proxy Pattern for Horizon could be configured as (/|/view-client(.*)|/portal(.*)|/appblast(.*)) and the pattern for VMware Identity Manager could be configured as (/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)).
Note: View, a component of Horizon 7, does not work with an enabled web reverse proxy when there is an overlap in the proxy pattern. Therefore, if both Horizon and a web reverse proxy instance such as VMware Identity Manager are configured and enabled with proxy patterns on the same Unified Access Gateway instance, remove the proxy pattern '/' from Horizon settings and retain the pattern in VMware Identity Manager to prevent the overlap.

Retaining the '/' proxy pattern in the web reverse proxy instance (VMware Identity Manager) ensures that when a user clicks the URL of Unified Access Gateway, the VMware Identity Manager page is displayed.

If only Horizon settings are configured, the above change is not required.

Proxy Host Pattern

If there are multiple web reverse proxy instances configured, and there is an overlap in Proxy Patterns, Unified Access Gateway uses the Proxy Host Pattern to differentiate between them. Configure Proxy Host Pattern as the FQDN of the reverse proxy.

For example, a host pattern for Sharepoint could be configured as sharepoint.myco.com and a pattern for JIRA could be configured as jira.myco.com.

Host Entries

Configure this field only if Unified Access Gateway is not able to reach the back end server or application. When you add the IP address and hostname of the back end application to the Host Entries, that information is added to the /etc/hosts file of Unified Access Gateway. This field is common across all the edge service settings.

Proxy Destination URL

This is the back end server application URL of the edge service settings for which Unified Access Gateway is the proxy. For example:
  • For View, a component of Horizon 7, the connection server URL is the proxy destination URL.
  • For web reverse proxy, the application URL of the configured web reverse proxy is the proxy destination URL.

Single Reverse Proxy Configuration

When Unified Access Gateway receives a single incoming request with a URI, the proxy pattern is used to decide whether to forward the request or drop it.

Multiple Reverse Proxy Configuration

  1. When Unified Access Gateway is configured as a reverse proxy and an incoming request arrives with a URI path, Unified Access Gateway uses the proxy pattern to match the correct web reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, the filtering and matching process continues in step 2. If there is no match, the request is dropped and an HTTP 404 is sent back to the client.
  2. The proxy host pattern is used to filter the list that was already filtered in step 1. The HOST header is used to filter the request and find the reverse proxy instance. If there is a match, the matched pattern is used. If there are multiple matches, the filtering and matching process continues in step 3.
  3. The first match from the filtered list in step 2 is used. Note that this may not always be the correct web reverse proxy instance. Therefore, ensure that the combination of proxy pattern and proxy host pattern for a web reverse proxy instance is unique if there are multiple reverse proxies set up in a Unified Access Gateway. Also note that the host names of all the configured reverse proxies should resolve to the same IP address as the external address of the Unified Access Gateway instance.
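
The three-step selection above can be modeled to check a planned configuration for requests whose routing would depend on instance order. This is an added example, not VMware code: the instance names, the path patterns and the "wiki" instance are constructed, and it assumes patterns are regular expressions matched against the whole URI path, that the host comparison is case-insensitive, and that an empty result in step 2 is treated as no match (the page does not define that case).

```python
import re
from dataclasses import dataclass

@dataclass
class ReverseProxy:
    name: str
    proxy_pattern: str  # regex matched against the whole URI path (assumption)
    host_pattern: str   # FQDN compared with the Host header

# Constructed configuration. Hosts are the page's examples; the path patterns
# and the "wiki" instance are made up to show an overlap.
INSTANCES = [
    ReverseProxy("sharepoint", r"(/|/sites(.*))", "sharepoint.myco.com"),
    ReverseProxy("jira", r"(/|/browse(.*))", "jira.myco.com"),
    ReverseProxy("wiki", r"(/|/wiki(.*))", "jira.myco.com"),  # same host as jira
]

def select(path, host, instances=INSTANCES):
    """Return (instance_name or None, ambiguous) following steps 1-3."""
    # Step 1: filter on proxy pattern; no match means HTTP 404.
    step1 = [i for i in instances if re.fullmatch(i.proxy_pattern, path)]
    if not step1:
        return None, False
    if len(step1) == 1:
        return step1[0].name, False
    # Step 2: filter the step-1 list on the Host header (port stripped).
    hostname = host.split(":")[0].lower()
    step2 = [i for i in step1 if i.host_pattern.lower() == hostname]
    if not step2:
        return None, False  # assumption: the page does not define this case
    if len(step2) == 1:
        return step2[0].name, False
    # Step 3: first match wins, which may be the wrong instance.
    return step2[0].name, True

def ambiguous_requests(samples, instances=INSTANCES):
    """List (path, host) pairs whose routing depends on configuration order."""
    return [(p, h) for p, h in samples if select(p, h, instances)[1]]
```

Any pair returned by `ambiguous_requests` marks a proxy pattern and proxy host pattern combination that is not unique and should be corrected before deployment.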

See Configure Reverse Proxy With VMware Identity Manager for more information and instructions about configuring a reverse proxy.