Unified Access Gateway can be used as a web reverse proxy and can act as either a plain reverse proxy or an authenticating reverse proxy in the DMZ.

Deployment Scenario

Unified Access Gateway provides secure remote access to an On-Premises deployment of VMware Identity Manager. Unified Access Gateway appliances are typically deployed in a network demilitarized zone (DMZ). With VMware Identity Manager, the Unified Access Gateway appliance operates as a web reverse proxy between a user's browser and the VMware Identity Manager service in the data center. Unified Access Gateway also enables remote access to the Workspace ONE catalog to start Horizon applications.

Note:

A single instance of Unified Access Gateway can handle up to 15000 simultaneous TCP connections. If the expected load is more than 15000, multiple instances of Unified Access Gateway must be configured behind the load balancer.

See Advanced Edge Service Settings for information about the settings used when configuring reverse proxy.

Figure 1. Unified Access Gateway Appliance Pointing to VMware Identity Manager

Understanding Reverse Proxy

Unified Access Gateway provides access to the app portal for remote users to single-sign-on and access their resources. The app portal is a back-end application such as Sharepoint, JIRA, or VIDM, for which Unified Access Gateway is acting as the reverse proxy.

Note:

View, a component of Horizon 7, does not work with an enabled web reverse proxy when there is an overlap in the proxy pattern. Therefore, if both Horizon and a web reverse proxy instance are configured and enabled with proxy patterns on the same Unified Access Gateway instance, remove the proxy pattern '/' from Horizon settings and retain the pattern in the web reverse proxy to prevent the overlap. Retaining the '/' proxy pattern in the web reverse proxy instance ensures that when a user clicks the URL of Unified Access Gateway, the correct web reverse proxy page is displayed. If only Horizon settings are configured, the above change is not required.

Note the following points when enabling and configuring reverse proxy:

  • You must enable the authentication of the reverse proxy on an Edge Service manager. Currently, RSA SecurID and RADIUS authentication methods are supported.

  • You must generate the identity provider metadata (IDP metadata) before enabling authentication on web reverse proxy.

  • Unified Access Gateway provides remote access to VMware Identity Manager and web applications with or without authentication from browser-based client and then launch Horizon desktop.

  • You can configure multiple instances of the reverse proxy and each configured instance can be deleted.

Figure 2. Multiple Reverse Proxies Configured


Reverse Proxy Settings with Delete option