The Difference Between Proxies
This article describes the terminology and basic differences between proxies.
The proxy is on the same networks as the clients
If a proxy manages all outbound traffic to the web, it is a forward proxy!
The proxy is on the same network as the servers (inbound)
If a proxy sits in front of several web servers and uses round robin to balance the load, it is a reverse proxy!
In an explicit proxy, the client is configured to communicate with a proxy.
In a transparent proxy, the client attempts to communicate directly with a site and the request is intercepted.
Neither of these options is configured on the Proxy SG.
Proxy Configuration Notes – Explicit Proxy
- Requires client config (ie proxy settings in browser)
- Src:client Ip DST: SG IP > Src:SG IP DST:Server IP
- Application must be proxiable
- One way to deploy explicit proxy can be to use a PAC file.
- Another method is Proxy Auto-discovery.
- Recommended method is group policy.
- Traffic must match a service policy
In explicit proxy, when a connection is made for a service that is not running on ProxySG, the connection is rejected.
Proxy Configuration Notes – Transparent Proxy
- The SG intercepts the requests.
- Option: reflect Client IP can make the SG spoof the client IP – it is rarely used but can reflect accurate sources on servers where required. This is a global option.
- Transparent proxy can use WCCP to redirect traffic or a layer 4 switch can be used to rewrite the MAC. Last but not least, Load Balancers can be used.
- A transparent proxy also does its own DNS lookup but can be turned off (Trust Destination IP).
- If the proxy is in bridging mode or acting as a gateway, a service group does not need to be matched.
- Routing modes requires IP forwarding enabled
The proxysg can also be used as a default gateway but is not recommended.