VMware Workspace ONE Community
porzech
Enthusiast

On-premise UAG as a reverse proxy with IDM for authentication

I am working to achieve the following results.

  • The UAG sits in the DMZ and is used as a reverse proxy for an internal web application that is not directly visible from the Internet, only through the UAG reverse proxy
  • When a user connects from the Internet to the external address hosted by UAG, before proxying the user, UAG will ask IDM to authenticate the user, and if the user authenticates himself, UAG will proxy the user to the internal web application
  • The internal application has its own authentication mechanism, which is separate and not connected to IDM

I have read the VMware Docs on (1, 2) as well as 3 threads in this forum dealing with UAG and IDM, and I am still confused about how to achieve the above.

Can anybody verify whether it can be done with the UAG/IDM pair, and which steps I should take to accomplish this? Or advise if there is another, better way?

Just to clarify why I am going this way: in the end I want to have two-factor auth provided by VMware Verify to access this internal app.

Thanks

Pawel

Accepted Solutions
porzech
Enthusiast

After more reading I know that the required results cannot be achieved. But there are workarounds:

  1. If we want to add additional authentication to a web app behind UAG, it first has to be integrated with IDM via the SAML mechanism. Then we can have this web app and IDM presented through UAG, so the authentication between those two takes place in front of UAG, and then the authenticated traffic to the web app is passed through UAG. Since the internal web app will be integrated with IDM, we can modify the policy there for additional authentication methods.
  2. The other way it can be accomplished is to present an internet browser app with the internal application address hard-coded as a Horizon app, and then present it through the IDM portal, adding a policy in IDM for additional authentication, e.g. with VMware Verify.

If someone has more in-depth UAG/IDM knowledge then please verify the above.
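The pattern discussed in this thread, an identity provider authenticating the user in front of the proxy and the proxy only forwarding requests that carry a valid session while the internal app keeps its own login, can be modelled in a few lines. The block below is an added illustration written for this page; it is not UAG or Workspace ONE Access/IDM code and does not use their APIs. It assumes a hypothetical IdP that hands the browser an HMAC-signed session cookie with a shared secret, and the hostnames, secret and token format are constructed for the demo. The edge cases it handles are the ones a gateway must get right: a missing cookie, an expired session, and a tampered token all result in a redirect to the IdP rather than a forward.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: in a real deployment the secret is provisioned
# between the IdP and the gateway, never hard-coded.
IDP_SECRET = b"constructed-demo-secret-do-not-use"
IDP_LOGIN_URL = "https://idm.example.invalid/login"   # hypothetical IdP login endpoint
INTERNAL_APP = "http://app.internal.invalid"           # hypothetical internal web app


def issue_session(user: str, now: int, ttl: int = 3600, secret: bytes = IDP_SECRET) -> str:
    """Model of the token the IdP gives the browser after a successful login.

    Format (constructed for this example): base64url(payload) '.' base64url(HMAC-SHA256(payload)).
    """
    payload = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(sig).decode())


def verify_session(token: str, now: int, secret: bytes = IDP_SECRET):
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None                      # malformed token
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                      # tampered payload or forged signature
    claims = json.loads(payload)         # safe to parse: integrity already verified
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                      # expired (or missing) session
    return claims


def gateway_decision(request: dict, now: int) -> dict:
    """Decide what the reverse proxy does with one inbound request.

    The proxy only checks the IdP session; it does not log the user in to the
    internal app, which keeps its own separate authentication.
    """
    token = request.get("cookies", {}).get("session")
    claims = verify_session(token, now) if token else None
    if claims is None:
        # Not authenticated at the IdP: send the browser to log in, remembering only the path.
        return {"action": "redirect", "location": IDP_LOGIN_URL + "?return=" + request["path"]}
    return {"action": "forward", "upstream": INTERNAL_APP,
            "path": request["path"], "user": claims["sub"]}


if __name__ == "__main__":
    now = int(time.time())
    cookie = issue_session("pawel", now)                           # IdP issued this after login
    print(gateway_decision({"path": "/app/", "cookies": {}}, now))                   # redirect
    print(gateway_decision({"path": "/app/", "cookies": {"session": cookie}}, now))  # forward
```

The gateway never forwards a request it cannot attribute to an IdP session, and the internal application still sees its own login page afterwards, which is exactly the "authentication in front of the proxy, authenticated traffic passed through" split described in the accepted answer.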
