For custom installations where the ingress is front ended by another gateway, then the following endpoints must be made available through the gateway:

/oaa/runtime
/oaa-policy
/policy
/oaa/rui
/oaa/authnui
/oaa-admin          
/admin-ui          
/oaa-email-factor    
/oaa-sms-factor    
/oaa-totp-factor   
/oaa-push-factor   
/oaa-yotp-factor  
/fido              
/oaa-kba           
/risk-analyzer      
/risk-cc
/oua-admin-ui
/oua/rui
/oua/drss

Each of the above endpoints must map to the ingress host and port of OAA.