Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Pega Customer Service Chat in a reverse proxy server

Updated on January 29, 2021
Pega Customer Service Implementation Guide

You can enforce restricted access to your Pega application instances, whether you use an on-premise server or Pega Cloud® Services. When you confine the access to your Pega Customer Service application, you can still make the Pega Customer Service Chat accessible to end-users. You can provide public access to Pega Customer Service Chat while keeping the Pega account restricted as follows:

Reverse proxy server for Pega web chatbot

You can use several types of servers to implement the reverse proxy functionality, ranging from Microsoft Internet Information Services (IIS) web servers to enterprise-class network devices.

To configure Pega Customer Service Chat behind a reverse proxy server, you need to complete the following two configurations:

  1. You configure the reverse proxy server to allow requests matching the following patterns:
    • ws://{ClientSelfServiceApp}
  2. If Transport Layer Security (TLS) is terminated in the reverse proxy server, to inform Pega Platform to use HTTPS for constructing absolute URLs, set the value of X-Forwarded-Proto as HTTPS.
    Note: You need not set the value of X-Forwarded-Proto for Pega Cloud Services instances.

Include a web application firewall for increased security

Deploying a web application firewall in the reverse proxy server protects your Pega account from malicious web traffic that is intended to exploit any security vulnerabilities.

Note: Implementing web firewall security is optional for the Pega Cloud accounts as Pega Cloud Security team manages the application security of your accounts.

Reverse proxy IP addresses as allowed source of traffic with Pega Cloud support

To provide a secure connection, most clients whose Pega Cloud Services applications are private (that is, not accessible through an open internet connection) use a VPN connection between their network and their Pega Cloud Services environments. Users need access to the VPN to use their applications.

To allow end-user access to Pega through the reverse proxy server, you list the reverse proxy server IP addresses as safe. This way, you can create a list of trusted IP addresses or ranges from which your users can access your domains without using a VPN connection.

To add the IP address of your reverse proxy server, your Cloud Security contact needs to approve it. They should raise a support request that is reviewed and approved by Pega security team.

Web socket support in the reverse proxy server

Pega Customer Service uses the WebSocket protocol for bi-directional communication between the chat client, the Pega Customer Service server, and the Pega Customer Service chat server. For efficient performance and high availability of Pega Customer Service Chat, you need to enable the WebSocket protocol in the reverse proxy server by following the reverse proxy product instructions.

The reverse proxy server domain name in the trusted origins in the CS application

To open a channel between the host site and a Pega application, configure the application permissions by specifying a list of trusted domains in the CS Application rule. You add the reverse proxy server domains to the CS application rule as trusted origins. The list contains the URLs on which you are deploying the Pega Customer Service chatbot and informs Pega that the chatbot requests originating from those web pages are legitimate.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us