Before you install Secure App Proxy and integrate it with Symantec Mobility: Suite, make sure that you understand how to deploy the proxy in your environment. The deployment model that is depicted below is based on Symantec's recommendations and should be followed as a best practice. All of the instructions for Secure App Proxy in this documentation are based on the following deployment model.
A: The app request is directed to your intranet URL. The request must pass through the first public-facing entry point into your network. You must open port 443 for this entry point.
Specify the FQDN or IP address of this entry point in the Host name field on the Settings > Proxies > App > New/Edit Secure App Proxy page.
B: Your network infrastructure forwards the request to the app proxy incoming NIC. (You must configure your network infrastructure to forward the request.) You configure the incoming NIC address when you install the app proxy.
C: The proxy forwards the request through the outgoing NIC to the entry point to the intranet URL. You configure the outgoing NIC address when you install the app proxy.
Add the intranet URL or domain to the White-Listed Locations table on the Policies and Rules > App Policies > New/Edit App Policy page. Configure it to listen on port 443.
In the diagram, the firewall is the first public-facing entry point. You specify the FQDN or IP address of your firewall in the Host name field on the Settings > Proxies > App > New/Edit Secure App Proxy page when you set up the proxy. The request passes through the firewall and load balancer to the incoming NIC on the proxy. The proxy forwards the request to the intranet URL through the outgoing NIC. You specify the incoming and outgoing NIC addresses when you install the proxy. You specify the IP address or domain of the intranet site in the White-Listed Locations table on the Policies and Rules > App Policies > New/Edit App Policy page when you configure the app policy.
Based on a typical deployment model, consider the following:
If you have a firewall and/or a load balancer, install Secure App Proxy behind them in a DMZ.
You can stand up multiple proxies behind a load balancer. The load balancer is expected to handle failover. When you use a load balancer, the recommended setting is to round-robin with persistence.
Symantec recommends no more than 3,000 concurrent connections per proxy.
An app can open more than one connection at a time. For example, a web browser can have 20 connections open simultaneously. Monitor your telemetry for active connections. If active connections begin to reach the maximum recommended load, set up another proxy to help balance the load.
Do not install the Secure App Proxy and Secure Email Proxy on the same server. The configuration is unsupported, and the proxies will not work properly.
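The connection guidance above (no more than 3,000 concurrent connections per proxy, with one app able to hold many connections) can be cross-checked on the proxy host itself. The following is an added example, not part of the Symantec documentation or the product's telemetry. It assumes a Linux proxy host where `ss -Htn state established` is available; the addresses, the sample output, and the 80% warning ratio are constructed for illustration.

```python
from collections import Counter

MAX_CONNECTIONS = 3000   # per-proxy recommendation from the documentation
WARN_RATIO = 0.8         # assumption: plan another proxy at 80% of the limit

# Constructed sample of `ss -Htn state established` output on a proxy host.
# Columns: Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
0 0 192.0.2.10:443 198.51.100.7:51844
0 0 192.0.2.10:443 198.51.100.7:51845
0 0 192.0.2.10:443 203.0.113.25:40112
0 0 192.0.2.10:22 198.51.100.99:60022
0 0 10.0.0.10:39412 10.0.0.80:443
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def proxy_load(ss_output, incoming_ip, port=443):
    """Count established connections that terminate on the incoming NIC."""
    per_peer = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        try:
            local_addr, local_port = split_endpoint(fields[2])
            peer_addr, _ = split_endpoint(fields[3])
        except ValueError:
            continue  # non-numeric port, not an established TCP row
        if local_addr == incoming_ip and local_port == port:
            per_peer[peer_addr] += 1
    total = sum(per_peer.values())
    if total >= MAX_CONNECTIONS:
        status = "over"
    elif total >= WARN_RATIO * MAX_CONNECTIONS:
        status = "warn"
    else:
        status = "ok"
    return {"connections": total, "peers": len(per_peer),
            "busiest": per_peer.most_common(1), "status": status}

if __name__ == "__main__":
    print(proxy_load(SAMPLE_SS, "192.0.2.10"))
```

Connections made from the outgoing NIC toward the intranet are excluded because only the incoming NIC address is matched. If the load balancer source-NATs traffic, every peer address is the load balancer, so only the total connection count is meaningful.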