Using Edge SWG as a Reverse Proxy

To test the reverse proxy functionality, we prepared two ESXi servers as backend web services.
The goal is to use a single Edge SWG device to expose these services with different domain names.

This article explains how to implement reverse proxy forwarding using Edge SWG.


1. Lab Topology

  • Client: Windows domain member (using AD DNS for name resolution)
  • AD Server: Provides DNS service
  • Edge SWG: Reverse proxy listening on 443
    • IP: 172.16.30.240
  • Backend services: Two ESXi web interfaces
    • ESXi-1: 172.16.30.101:443
    • ESXi-2: 172.16.30.102:443

Requirement:
– https://esxi1.lab.local → forward to ESXi-1
– https://esxi2.lab.local → forward to ESXi-2


2. DNS Configuration (AD Server)

Create two A records on the AD DNS server:

esxi1.lab.local → 172.16.30.240   (Edge SWG)
esxi2.lab.local → 172.16.30.240   (Edge SWG)

Thus, clients always reach Edge SWG when accessing these domains.


3. Edge SWG Configuration

3.1 Proxy Services

Go to Configuration → Services → Proxy Services, edit the HTTPS service, and change its type to:
– HTTPS Reverse Proxy

Also configure the certificate (keyring) for this service so that it matches the accessed domains (esxi1.lab.local and esxi2.lab.local).

3.2 Forwarding Hosts

In Configuration → Forwarding → Forwarding Hosts, create:

Name: esxi1
Type: Server
IP Address: 172.16.30.101
Port: 443

Name: esxi2
Type: Server
IP Address: 172.16.30.102
Port: 443

3.3 VPM Configuration (Web Reverse Proxy Layer)

  • Add a new Web Reverse Proxy Layer in VPM.
  • Create two rules:
    • Rule 1: Forward to ESXi-1
      – Condition: Destination = esxi1.lab.local (Server URL - Simple Match)
      – Action: Select Forward → esxi1
    • Rule 2: Forward to ESXi-2
      – Condition: Destination = esxi2.lab.local (Server URL - Simple Match)
      – Action: Select Forward → esxi2
  • Save and install the policy.

4. Client Testing

  1. On the client, check DNS resolution: 
    • nslookup esxi1.lab.local
    • nslookup esxi2.lab.local 
    • Both should resolve to 172.16.30.240.
  2. In a browser:
    • https://esxi1.lab.local → ESXi-1 web interface
    • https://esxi2.lab.local → ESXi-2 web interface
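
The two checks above can be scripted. The following Python is an added example, not part of the original article: it confirms that each published name resolves only to the Edge SWG (so no client bypasses the proxy and reaches a backend directly) and that the certificate presented on 172.16.30.240:443 covers the name. The function names are hypothetical, and it assumes the issuing CA of the keyring certificate is trusted by the client's system store.

```python
import socket
import ssl

SWG_IP = "172.16.30.240"                        # Edge SWG address from the lab topology
HOSTS = ["esxi1.lab.local", "esxi2.lab.local"]  # names published in the DNS section

def san_matches(hostname, san):
    """Exact match, or a wildcard SAN covering exactly one left-most label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return hostname == san

def live_resolve(name):
    """IPv4 addresses the client's resolver returns for name."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def live_cert_sans(ip, name):
    """Connect to ip:443 with SNI=name; return the DNS SANs of the validated certificate."""
    ctx = ssl.create_default_context()   # chain validation stays on
    ctx.check_hostname = False           # names are compared by san_matches instead
    with socket.create_connection((ip, 443), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def check(hosts=HOSTS, swg_ip=SWG_IP, resolve=live_resolve, cert_sans=live_cert_sans):
    """Return a list of problems; an empty list means DNS and certificate are consistent."""
    problems = []
    for name in hosts:
        try:
            ips = resolve(name)
            sans = cert_sans(swg_ip, name)
        except OSError as exc:           # DNS failure, refused connection, untrusted chain
            problems.append(f"{name}: {exc}")
            continue
        if ips != {swg_ip}:
            problems.append(f"{name}: resolves to {sorted(ips)}, expected only {swg_ip}")
        if not any(san_matches(name, s) for s in sans):
            problems.append(f"{name}: not covered by certificate SANs {sans}")
    return problems

if __name__ == "__main__":
    for line in check() or ["OK: DNS and keyring certificate cover all published names"]:
        print(line)
```

A passing run only shows that name resolution and the certificate are consistent; confirming that each name lands on the intended ESXi host still requires the browser check above.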
