This week I got a question from a Service Provider asking whether it was possible to block access to the Horizon Admin portal from the internet and make only the user portal publicly accessible. For security reasons, this Service Provider wanted the Horizon Admin portal to be reachable from the local network (LAN) only. As it turned out, this is possible and the solution is pretty simple.

UAG settings

The answer to this question is found in the Unified Access Gateway (UAG) settings, more specifically in the Advanced Edge Service Settings. Within the UAG we have the ability to define Proxy Patterns.

The UAG uses Proxy Patterns to forward incoming HTTPS requests to the right Edge Service, such as Horizon DaaS, or to one of the configured web reverse proxy instances, such as Workspace ONE Access. The pattern therefore acts as a filter that decides which incoming request paths an Edge Service processes; a request whose path does not match is not forwarded to that service. This also means a Proxy Pattern can be used to exclude certain URLs from being exposed.

Log on to the VMware UAG admin portal (https://<UAG Mgt IP>:9443/admin) and toggle Show on the Edge Service Settings.

Click the Settings button:

Scroll down and click More:

The Proxy Pattern is listed here:

The Proxy Pattern for Horizon DaaS is by default as follows:

  • /|/(.*\.action|admin|images/|css/|js/|ajax/|appblast|appblast/|portal|view-client/|appimage/|horizonadmin|xmp|dt-rest|haca).*

By simply removing “admin” and “horizonadmin” from the alternation, we exclude these URLs from being publicly available:

  • /|/(.*\.action|images/|css/|js/|ajax/|appblast|appblast/|portal|view-client/|appimage/|xmp|dt-rest|haca).*

Save the settings and you’re done! Note: apply the same change to any additional UAGs in a load-balanced configuration; otherwise the Admin portal remains reachable through the UAG that still carries the default pattern.

PowerShell deployment

Of course, the above configuration can also be achieved via a PowerShell deployment. A while ago I wrote a blog post on how to do this.

In the [Horizon] section of the deployment INI file, change the “proxyPattern=” field and (re)deploy the UAG(s):

  • proxyPattern=/|/(.*\.action|images/|css/|js/|ajax/|appblast|appblast/|portal|view-client/|appimage/|xmp|dt-rest|haca).*
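Before rolling the change out through either the admin UI or the INI file, it is worth checking what the restricted pattern actually does. The following is an added example, not code from the original post or from VMware: it applies the default and the restricted Horizon DaaS Proxy Pattern quoted above to a set of constructed request paths. It assumes the UAG applies the pattern as a full match against the request path (the only reading under which the standalone “/” alternative makes sense) and uses Python’s re module in place of the UAG’s Java regex engine; the pattern only uses constructs the two engines treat identically. The path “/admin/login.action” is made up for illustration and is not a known Horizon DaaS URL; it is there to show that the “.*\.action” alternative still forwards any path ending in “.action”, wherever it lives.

```python
import re

# Default Horizon DaaS Proxy Pattern, as quoted in the post.
DEFAULT_PATTERN = (
    r"/|/(.*\.action|admin|images/|css/|js/|ajax/|appblast|appblast/|portal"
    r"|view-client/|appimage/|horizonadmin|xmp|dt-rest|haca).*"
)

# The same pattern with the "admin" and "horizonadmin" alternatives removed.
RESTRICTED_PATTERN = (
    r"/|/(.*\.action|images/|css/|js/|ajax/|appblast|appblast/|portal"
    r"|view-client/|appimage/|xmp|dt-rest|haca).*"
)

# Constructed sample request paths (no query string). "/admin/login.action"
# is made up to exercise the ".*\.action" alternative; it is not a known
# Horizon DaaS URL.
SAMPLE_PATHS = [
    "/",
    "/portal/webclient/index.html",
    "/appblast/webclient/",
    "/view-client/",
    "/admin",
    "/admin/",
    "/horizonadmin/",
    "/admin/login.action",
    "/something-else",
]


def is_proxied(pattern, path):
    """True if the UAG would forward `path` to the Horizon edge service.

    Assumption: the pattern is matched against the whole request path
    (full match), which is what the standalone "/" alternative implies.
    """
    return re.fullmatch(pattern, path) is not None


def classify(paths, before=DEFAULT_PATTERN, after=RESTRICTED_PATTERN):
    """Map each path to (forwarded_by_default, forwarded_by_restricted)."""
    return {p: (is_proxied(before, p), is_proxied(after, p)) for p in paths}


def newly_blocked(paths, before=DEFAULT_PATTERN, after=RESTRICTED_PATTERN):
    """Paths the default pattern forwarded that the restricted one no longer does."""
    return [p for p, (b, a) in classify(paths, before, after).items() if b and not a]


def still_exposed(paths, prefixes, pattern=RESTRICTED_PATTERN):
    """Paths under the given prefixes that the pattern still forwards.

    Catches alternatives such as the ".action" one that can re-admit
    requests under a prefix you meant to hide.
    """
    return [p for p in paths
            if p.startswith(tuple(prefixes)) and is_proxied(pattern, p)]


if __name__ == "__main__":
    for path, (before, after) in classify(SAMPLE_PATHS).items():
        print(f"{path:32} default={before!s:5} restricted={after!s:5}")
    print("newly blocked:", newly_blocked(SAMPLE_PATHS))
    print("still exposed under /admin:", still_exposed(SAMPLE_PATHS, ["/admin"]))
```

If still_exposed returns anything for a prefix you intended to hide, the alternation needs tightening before the change goes live. This offline check does not replace a test from an external address against the real UAG once the setting is saved, but it tells you in advance whether the pattern you are about to deploy says what you think it says.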

Other Horizon family members

Is this solution only applicable to Horizon DaaS, you might ask? No, the same principle applies to Horizon Cloud on IBM Cloud and Horizon Cloud on Azure.

For Horizon Cloud on IBM Cloud and Horizon Cloud on Azure, customers cannot do this themselves, as VMware manages the UAGs. In other words, you need VMware to make the change for you, which can be done by raising an SR via the MyVMware portal.

Conclusion

Proxy Patterns provide a powerful yet simple way to forward, or exclude, access to certain Edge Services. In my scenario, removing the admin and horizonadmin entries from the Proxy Pattern gave the following result:

  • The Horizon Admin portal is not available anymore for external connections (from the internet)
  • The Horizon Admin portal is still available from the internal network (LAN) via the IP addresses and/or the Floating IP address of the tenant appliances or via a separate internal UAG (pair).