Configure Reverse Proxy With VMware Identity Manager

You can configure the Web reverse proxy service to use Unified Access Gateway with VMware Identity Manager.

Requisitos previos

Note the following requirements for deployment with VMware Identity Manager:

Split DNS. Externally, the host name should get resolved to the IP address of Unified Access Gateway. Internally, on Unified Access Gateway, the same host name should get resolved to the actual web server either through internal DNS mapping or through a host name entry on Unified Access Gateway.

Nota:
If you are deploying only with Web Reverse proxy, there is no need to configure identity bridging.
VMware Identity Manager service must have fully qualified domain name (FQDN) as hostname.
Unified Access Gateway must use internal DNS. This means that the proxy Destination URL must use FQDN.
The combination of proxy pattern and proxy host pattern for a web reverse proxy instance must be unique if there are multiple reverse proxies setup in a Unified Access Gateway instance.
The host names of all configured reverse proxies should resolve to the same IP address which is the IP address of the Unified Access Gateway instance.
See Configuración avanzada del servicio perimetral for information about the advanced edge service settings.

Procedimiento

In the admin UI Configure Manually section, click Select.
In the General Settings > Edge Service Settings, click Show.
Click the Reverse Proxy Settings gearbox icon.
In the Reverse Proxy Setting page, click Add.
In the Enable Reverse Proxy Settings section, change NO to YES to enable reverse proxy.

Configure the following edge service settings.

Option	Description
Identifier	The edge service identifier is set to Web reverse proxy.
Instance Id	The unique name to identify and differentiate a Web reverse proxy instance from all other Web reverse proxy instances.
Proxy Destination URL	Enter the address of the Web application, which is usually the back end URL. For example, for VMware Identity Manager, add the IP address, the VMware Identity Manager host name and the external DNS on the client machine. On the Admin UI, add the IP address, the VMware Identity Manager host name and the internal DNS.
Proxy Destination URL Thumbprints	Enter a list of acceptable SSL server certificate thumbprints for the proxyDestination URL. If you specify `*`, any certificate is accepted. A thumbprint is in the format `[alg=]xx:xx`, where `alg` can either be the default, sha1, or md5. The `xx` are hexadecimal digits. The ':' separator can also be a space or missing. The case in a thumbprint is ignored. For example: `sha1=B6 77 DC 9C 19 94 2E F1 78 F0 AD 4B EC 85 D1 7A F8 8B DC 34` `sha256=ad:5c:f1:48:47:94:7e:80:82:73:13:6c:83:52:be:78:ed:ff:50:23:56:a8:42:8a:d9:30:fc:3a:33:d6:c6:db` If you do not configure the thumbprints, the server certificates must be issued by a trusted CA.
Proxy Pattern	Enter the matching URI paths that forward to the destination URL. For example, enter as `(/\|/SAAS(.)\|/hc(.)\|/web(.)\|/catalog-portal(.))`. Nota: When you configure multiple reverse proxies, provide the hostname in the proxy host pattern.

To configure other advanced settings, click More.

Option	Description
Auth Methods	The default is to use pass-through authentication of the user name and password. The authentication methods you configured in Unified Access Gateway are listed in the drop-down menus. RSA SecurID, RADIUS, and Device Certificate Auth methods are supported.
Health Check URI Path	Unified Access Gateway connects to this URI path to check the health of your web application.
SAML SP	Required when you configure Unified Access Gateway as an authenticated reverse proxy for VMware Identity Manager. Enter the name of the SAML service provider for the View XML API broker. This name must either match the name of a service provider you configured with Unified Access Gateway or be the special value `DEMO`. If there are multiple service providers configured with Unified Access Gateway, their names must be unique.
External URL	The default value is the Unified Access Gateway host URL, port 443. You can enter another external URL. Enter as `https://<host:port>.`
UnSecure Pattern	Enter the known VMware Identity Manager redirection pattern. For example: (/\|/catalog-portal(.)\|/\|/SAAS/\|/SAAS\|/SAAS/API/1.0/GET/image(.)\|/SAAS/horizon/css(.)\|/SAAS/horizon/angular(.)\|/SAAS/horizon/js(.)\|/SAAS/horizon/js-lib(.)\|/SAAS/auth/login(.)\|/SAAS/jersey/manager/api/branding\|/SAAS/horizon/images/(.)\|/SAAS/jersey/manager/api/images/(.)\|/hc/(.)/authenticate/(.)\|/hc/static/(.)\|/SAAS/auth/saml/response\|/SAAS/auth/authenticatedUserDispatcher\|/web(.)\|/SAAS/apps/\|/SAAS/horizon/portal/(.)\|/SAAS/horizon/fonts(.)\|/SAAS/API/1.0/POST/sso(.)\|/SAAS/API/1.0/REST/system/info(.)\|/SAAS/API/1.0/REST/auth/cert(.)\|/SAAS/API/1.0/REST/oauth2/activate(.)\|/SAAS/API/1.0/GET/user/devices/register(.)\|/SAAS/API/1.0/oauth2/token(.)\|/SAAS/API/1.0/REST/oauth2/session(.)\|/SAAS/API/1.0/REST/user/resources(.)\|/hc/t/(.)/(.)/authenticate(.)\|/SAAS/API/1.0/REST/auth/logout(.)\|/SAAS/auth/saml/response(.)\|/SAAS/(.)/(.)auth/login(.)\|/SAAS/API/1.0/GET/apps/launch(.)\|/SAAS/API/1.0/REST/user/applications(.)\|/SAAS/auth/federation/sso(.)\|/SAAS/auth/oauth2/authorize(.)\|/hc/prepareSaml/failure(.)\|/SAAS/auth/oauthtoken(.)\|/SAAS/API/1.0/GET/metadata/idp.xml\|/SAAS/auth/saml/artifact/resolve(.)\|/hc/(.)/authAdapter(.)\|/hc/authenticate/(.)\|/SAAS/auth/logout\|/SAAS/common.js\|/SAAS/auth/launchInput(.)\|/SAAS/launchUsersApplication.do(.)\|/hc/API/1.0/REST/thinapp/download(.)\|/hc/t/(.)/(.)/logout(.)\|/SAAS/auth/wsfed/services(.)\|/SAAS/auth/wsfed/active/logon(.*))
Auth Cookie	Enter the authentication cookie name. For example: `HZN`
Login Redirect URL	If the user logs out of the portal, enter the redirect URL to log back in. For example: `/SAAS/auth/login?dest=%s`
Proxy Host Pattern	External hostname used to check the incoming host to see whether it matches the pattern for that particular instance. Host pattern is optional, when configuring Web reverse proxy instances.
Trusted Certificates	Add a trusted certificate to this edge service. Click '+' to select a certificate in PEM format and add to the trust store. Click '-' to remove a certificate from the trust store. By default, the alias name is the filename of the PEM certificate. Edit the alias text box to provide a different name.
Response Security Headers	Click '+' to add a header. Enter the name of the security header. Enter the value. Click '-' to remove a header. Edit an existing security header to update the name and the value of the header. Importante: The header names and values are saved only after you click Save. Some standard security headers are present by default. The headers configured are added to the Unified Access Gateway response to client only if the corresponding headers are absent in the response from the configured back-end server. Nota: Modify security response headers with caution. Modifying these parameters might impact the secure functioning of Unified Access Gateway .
Host Entries	Enter the details to be added in /etc/hosts file. Each entry should include an IP, a hostname, and an optional hostname alias in that order, separated by a space. For example, `10.192.168.1 example1.com, 10.192.168.2 example2.com example-alias`. Click the '+" sign to add multiple host entries. Importante: The host entries are saved only after you click Save.

Nota:

UnSecure Pattern, Auth Cookie, and Login Redirect URL options are applicable only with VMware Identity Manager. The values provided here are also applicable to Access Point 2.8 and Unified Access Gateway 2.9.

Nota:

The Auth Cookie and UnSecure Pattern properties are not valid for authn reverse proxy. You must use the Auth Methods property to define the authentication method.

Click Save.

Qué hacer a continuación

To enable identity bridging, see Configurar las opciones del puente de identidades.