Is anyone using this?
Is the added complexity worth the added layer of security? Having the UAG appliances in the DMZ and setting up a reverse proxy seems secure enough.
Also, is cascade mode only supported with Workspace ONE?
It is supported for normal Horizon deployments as well. Cascade mode support was introduced in UAG for organizations where DUAL DMZ mode is mandatory. In this deployment mode, a Unified Access Gateway is deployed in the outward-facing DMZ and acts as a Web Reverse Proxy. Then, another Unified Access Gateway is deployed on the internal DMZ, and acts as a Horizon edge service. External users connect through the first DMZ layer, then the second, before accessing the internal network.
If you don't have any such compulsion in your org, you don't need to set up cascade mode deployment.
The biggest benefit of cascade mode that I've seen is avoiding having just one UAG in the DMZ, which in turn connects directly to the internal Horizon subnet that hosts the virtual desktops.
My assumption is that having MFA as a requirement for external users may be a sufficient level of security, since the inbound traffic to the Horizon desktop subnets must happen at some point in the traffic flow regardless.