Some large customers use separate CloudForms UI and worker appliances and put firewalls between the UI and workers. The firewalls have rules allowing communication between the UI and worker appliances, but not directly between UI appliances and providers, such as VMware ESXi hosts. UI appliances provide the VM console service but cannot directly access hypervisor hosts in such topologies, so the console service breaks when customers put UI appliances and worker appliances on opposite sides of a firewall.
Why position UI appliances and worker appliances on opposite sides of a firewall? Some believe good security practice separates the user interface from worker back ends.
This RFE asks to put together an optional console proxy service to run on worker appliances. With this option, worker appliances would handle the console interaction with VMs, and UI appliances would interact with worker appliances (instead of directly with hypervisors) to deliver console service to people.