VMware Horizon Community
nsousaarlington
Enthusiast

Unified Access Gateway Cascade Mode

Is anyone using this?

Is the added complexity worth the added layer of security? Having the UAG appliances in the DMZ and setting up reverse proxy seems secure enough.

Also is cascade mode only supported with Workspace ONE?


Accepted Solutions
Shreyskar
VMware Employee

It is supported for normal Horizon deployments as well. Cascade mode support was introduced in UAG for organizations where DUAL DMZ mode is mandatory. In this deployment mode, a Unified Access Gateway is deployed in the outward-facing DMZ and acts as a Web Reverse Proxy. Then, another Unified Access Gateway is deployed on the internal DMZ, and acts as a Horizon edge service. External users connect through the first DMZ layer, then the second, before accessing the internal network.

If you don't have any such compulsion in your org, you don't need to set up a cascade mode deployment.

nsousaarlington
Enthusiast

The biggest benefit of cascade mode that I've seen is avoiding having just one UAG in the DMZ, which in turn connects directly to the internal Horizon subnet that hosts the virtual desktops.

My assumption is that having MFA as a requirement for external users may be a sufficient level of security, since the inbound traffic to the Horizon desktop subnets must happen at some point in the traffic flow regardless.
