Is it recommended to use forward and reverse proxy on the same ProxySG
search cancel

Is it recommended to use forward and reverse proxy on the same ProxySG

book

Article ID: 244701

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Requirement to have mixed architecture of forward and reverse proxy on the same ProxySG device.

Resolution

While having forward proxy and reverse on the same appliance is technically possible by created services,  it would be highly not recommended and not official support setup. 

Main reasons include be to limit to. 

--- It would not be network architecture best practice. Networking topologies for a reverse proxy (typically facing external users via Public IP address /NAT/Firewall ) deployment differs from that of a forward proxy (typically between internal users and internet service provider).

An ideal network design would have one path to internet using forward proxy where rules for SSL intercept , Content filtering would be configured to protect users using internet.

For inbound connection internet to internal servers a reverse proxy with Web application firewall rules would be configured for protect web application servers from inbound attacks.

Usually we want the two functions in different physical sections of the network with different firewall \ security profiles.

--- Customization of policy rules would be needed to handle forward and reverse proxy services,  And these would be opposing configurations (in direct conflict) with each other.


On performance front, Reverse proxy setup is known for using up client workers which will in turn start affecting forward proxy users also. 

The deployment guide for SSL proxy also stats "Depending on your needs, you can use the ProxySG appliance as either an SSL proxy or an HTTPS reverse proxy."

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/SSL_Proxy_PDF.pdf Page 8 - SSL Proxy Versus HTTPS Reverse Proxy