You can enforce restricted access to your Pega application instances, whether you use an on-premise server or Pega Cloud® Services. When you confine the access to your Pega Customer Service application, you can still make the Pega Customer Service Chat accessible to end-users. You can provide public access to Pega Customer Service Chat while keeping the Pega account restricted as follows:
Reverse proxy server for Pega web chatbot
You can use several types of servers to implement the reverse proxy functionality, ranging from Microsoft Internet Information Services (IIS) web servers to enterprise-class network devices.
To configure Pega Customer Service Chat behind a reverse proxy server, you need to complete the following two configurations:
- You configure the reverse proxy server to allow requests matching the
- If Transport Layer Security (TLS) is terminated in the reverse proxy
server, to inform Pega Platform to use HTTPS for constructing absolute URLs,
set the value of
Note: You need not set the value of
X-Forwarded-Protofor Pega Cloud Services instances.
Include a web application firewall for increased security
Deploying a web application firewall in the reverse proxy server protects your Pega
account from malicious web traffic that is intended to exploit any security
Reverse proxy IP addresses as allowed source of traffic with Pega Cloud support
To provide a secure connection, most clients whose Pega Cloud Services applications are private (that is, not accessible through an open internet connection) use a VPN connection between their network and their Pega Cloud Services environments. Users need access to the VPN to use their applications.
To allow end-user access to Pega through the reverse proxy server, you list the reverse proxy server IP addresses as safe. This way, you can create a list of trusted IP addresses or ranges from which your users can access your domains without using a VPN connection.
To add the IP address of your reverse proxy server, your Cloud Security contact needs to approve it. They should raise a support request that is reviewed and approved by Pega security team.
Web socket support in the reverse proxy server
Pega Customer Service uses the WebSocket protocol for bi-directional communication between the chat client, the Pega Customer Service server, and the Pega Customer Service chat server. For efficient performance and high availability of Pega Customer Service Chat, you need to enable the WebSocket protocol in the reverse proxy server by following the reverse proxy product instructions.
The reverse proxy server domain name in the trusted origins in the CS application
To open a channel between the host site and a Pega application, configure the application permissions by specifying a list of trusted domains in the CS Application rule. You add the reverse proxy server domains to the CS application rule as trusted origins. The list contains the URLs on which you are deploying the Pega Customer Service chatbot and informs Pega that the chatbot requests originating from those web pages are legitimate.