Understand the architecture design and security features of VMware Content Gateway deployed as a service on the Unified Access Gateway appliance.

Deploying the Content Gateway as a service on the Unified Access Gateway eliminates manual configuration and maintenance of Content Gateway using security updates. The Unified Access Gateway appliance platform goes through multiple security audits and patches are provided for security vulnerabilities. For information about deploying Content Gateway as a service on Unified Access Gateway, see Unified Access Gateway System and Network Requirements section in the Deploying and Configuring VMware Unified Access Gateway guide available at docs.vmware.com.

VMware Content Gateway offers basic and relay-endpoint architecture models for deployment. Both configurations support load-balancing for high-availability and SSL offloading. Configure your VMware Content Gateway deployment in a way that best addresses your security needs and existing setup.

Consider using a load balancer in the DMZ to forward traffic on the configured ports to a Workspace ONE UEM component. Also, consider using dedicated servers to eliminate the risk of other web applications or services causing performance issues.

Content Gateway with Load Balancing

Workspace ONE UEM supports integration with a load balancer for improved performance and faster availability.

Successful integration requires some additional client-side configurations.

  • Configure the proper network changes for the Content Gateway to access various internal resources over the necessary ports.
  • Configure load balancers to persist a connection from a client to the same load balanced node with an algorithm of your selecting. Workspace ONE UEM supports simple algorithms such as Round Robin and more sophisticated ones such as Least Connections.
  • Configure load balancers to Send Original HTTP Headers to avoid device connectivity problems. Content Gateway uses information in the request's HTTP header to authenticate devices.

Content Gateway Deployment Models

The VMware Content Gateway can be deployed using the basic endpoint model and the relay-endpoint model. Use the deployment model that best fits your needs.

Both SaaS and on-premises Workspace ONE UEM environments support the basic and relay-endpoint deployment models. The VMware Content Gateway must have a publicly accessible endpoint for devices to connect to when making a request. Basic deployment models have a single instance of VMware Content Gateway configured with a public DNS. Alternatively, for the relay-endpoint deployment model, the public DNS is mapped to the relay server in the DMZ. This server communicates with the Device Services server. For SaaS deployments, Workspace ONE UEM hosts the API components in the cloud. For an on-premises environment, the API component is typically installed in the DMZ.

Basic Endpoint Deployment Model

The basic endpoint model has a single instance of the Content Gateway installed on the Unified Access Gateway appliance with a publicly available DNS. The Content Gateway is placed either in the internal network or DMZ. In the internal network, Content Gateway is placed behind a load balancer which is in the DMZ. The load balancer forwards traffic on the configured ports to the VMware Content Gateway. VMware Content Gateway then connects directly to your internal content repositories. All deployment configurations support load balancing and reverse proxy.

The basic endpoint Content Gateway server communicates with API and Devices Services. Device Services connects the end-user device to the correct Content Gateway.

If the basic endpoint is installed in the DMZ, then proper network changes must be made for the VMware Content Gateway to access various internal resources over the necessary ports.

Basic endpoint deployment model

Relay-Endpoint Deployment Model

The relay-endpoint deployment model has two instances of the VMware Content Gateway with separate roles. The VMware Content Gateway relay server resides in the DMZ and can be accessed from public DNS over the configured ports. The VMware Content Gateway endpoint server is installed in the internal network hosting internal resources. This server must have an internal DNS record that the relay server can resolve.

The role of the endpoint server is to connect to the internal repository or content requested by the device. The relay server performs health checks at a regular interval to ensure that the endpoint is active and available.

Relay endpoint deployment model