
Cascading UAG with Dual DMZ

  • Writer: Barry Ling
  • Mar 13, 2022

Updated: Dec 9, 2025



In some customer environments, there is not just a single DMZ but two: an Internal DMZ and an External DMZ.


UAG is compatible with this deployment model. It supports a cascaded architecture that includes two UAG instances with separate roles.


In cascade mode, the back-end UAG resides in the Internal DMZ, acting as a Horizon Edge and communicating with the Connection Server. The front-end UAG resides in the External DMZ, acting as a reverse proxy to the back-end UAG.


This post mainly covers the settings of the UAG that resides in the External DMZ, showing how to set up a reverse proxy on UAG for this purpose.


For the procedure of setting up an internal UAG as a Horizon Edge, please refer to the following post for details.


To start the deployment, you need to import the UAG OVF template to vCenter first. You may refer to the following post for how to import the OVF template.


After that, you will also need to obtain the thumbprint of the certificate applied on the Internal UAG. The following is an example of obtaining the thumbprint from the Connection Server. You may follow that procedure; it is the same except that the target URL will be the Internal UAG link.
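One way to read the thumbprint of the Internal UAG's certificate and check it against a value you already hold, as an added example that is not part of the original post. The `alg=XX:XX` output format and the sha1 default for an unprefixed value are assumptions to confirm against your UAG version's documentation, and the script name in the usage comment is hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def thumbprint(der_cert: bytes, alg: str = "sha1") -> str:
    """Return the fingerprint of the DER-encoded certificate as 'alg=XX:XX:...'."""
    digest = hashlib.new(alg, der_cert).hexdigest().upper()
    pairs = [digest[i:i + 2] for i in range(0, len(digest), 2)]
    return f"{alg}=" + ":".join(pairs)


def normalize(value: str) -> tuple[str, str]:
    """Split an optional 'alg=' prefix and drop separators so formats compare equal."""
    alg, sep, hexpart = value.strip().partition("=")
    if not sep:  # no prefix given: assume sha1 (assumption, see lead-in)
        alg, hexpart = "sha1", value
    hexpart = hexpart.replace(":", "").replace(" ", "").lower()
    return alg.strip().lower(), hexpart


def matches(der_cert: bytes, pinned: str) -> bool:
    """True when the pinned thumbprint equals the digest of the presented certificate."""
    alg, want = normalize(pinned)
    return hashlib.new(alg, der_cert).hexdigest() == want


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate exactly as presented, without chain validation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the destination may be an IP address
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pinned thumbprint instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # usage: python uag_thumbprint.py <internal-uag-host-or-ip> [pinned thumbprint]
    der = fetch_der(sys.argv[1])
    print(thumbprint(der, "sha1"))
    print(thumbprint(der, "sha256"))
    if len(sys.argv) > 2:
        ok = matches(der, sys.argv[2])
        print("pinned thumbprint matches" if ok else "MISMATCH: certificate differs from pinned value")
        sys.exit(0 if ok else 1)
```

Because the fetch skips chain validation, compare the printed value with the fingerprint read directly from the certificate installed on the Internal UAG before entering it on the External UAG. Re-running the script with the saved thumbprint as the second argument shows whether a certificate renewal on the Internal UAG has invalidated the pin.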


Once you have completed the items listed above, you can continue with the configuration on the External UAG.

  • Log on to the admin UI of the external UAG.

  • Select and show the Edge Service Setting.

  • Click the "Gear" button next to the Reverse Proxy Setting.

  • Click "Add".

  • Select and enable "Enable Reverse Proxy Settings".

  • Assign a name for the Instance ID.

  • Input the URL of the Internal UAG in Proxy Destination URL. For example, if you can access the VDI through the internal UAG with the URL "intuag.testing.com", please input "https://intuag.testing.com" in the field.


    *** If DNS queries are restricted in the DMZ, you can use the IP address of the internal UAG instead of the URL. For example, input "https://10.10.10.92" in the field.


  • Input the certificate thumbprint of the Internal UAG in Proxy Destination URL Thumbprint.

  • Input "(/broker/xml(.*)|/xmlapi(.*)|/ice/(.*)|/r/(.*)|/portal(.*)|/view-client(.*)|/)" in Proxy Pattern.

  • Click "Save".

  • Click "Close".

  • Wait 5 minutes for the setting to be applied on the UAG. A green light will be shown next to the Reverse Proxy Setting once the setting has been applied.


----- END -----






3 Comments


EverettWRusso
May 03

This is a clear and practical walkthrough of a cascaded UAG setup with dual DMZ. I appreciate the way it separates roles: the back-end UAG in the Internal DMZ acting as Horizon Edge, and the front-end UAG in the external DMZ functioning as a reverse proxy. That architecture explanation makes it easier to reason about trust boundaries and the flow to Connection Server. As a follow-up, I’d love to see more guidance on validating proxy behavior end to end and common troubleshooting steps, especially around certificates and routing. Also, for teams concerned with anonymous browsing, anonymous browsing looks like a useful lightweight option for testing access patterns.


damede6599
Apr 24

Great walkthrough on cascading UAG with dual DMZ—the split between the internal Horizon Edge and the external reverse proxy makes a lot of sense for tighter network segmentation. I especially liked the note about importing the UAG OVF template into vCenter first, since that’s where many deployments get delayed. One extra thought: it would be helpful to clarify which configuration items (certs, routing/firewall rules, and Connection Server communication) must be mirrored between the two UAG instances to avoid troubleshooting surprises. Also, if anyone needs a quick way to validate access paths from a browser during setup, free proxy browser could be a handy option.


1642335696
May 18, 2024

Hi Barry

Deploying UAG1 as a reverse proxy in dual DMZ. When UAG2 is Horizon EDGE, it works normally internally. How do I set up the network or configure UAG1 to achieve Internet access?



©2021 by Cifos EUC. Proudly created with Wix.com
