Reverse Proxy – Three Myths Busted

Discover the real facts about how reverse proxy enables enhanced security and IT efficiency.
Written by Joe Campbell, Principal Solutions Architect, Dell Software
Abstract
Most enterprises today use forward proxy (or simply “proxy”) technology all the time. In particular, they use web proxies—internal users don’t actually connect directly to the internet, but to a proxy server. This proxy server captures the data from requested websites and forwards it to users behind the firewall, usually without the user even knowing the proxy exists. Web proxies can enhance security (for example, by blocking access to certain websites), enable tracking of user web activity, and improve performance by caching website content for reuse.
Although forward proxies are commonplace, some organizations have been reluctant to take advantage of a similar technology, the reverse proxy. Like forward proxies, reverse proxies can improve security and performance—and they offer a host of additional benefits as well, including encryption, load balancing and even single sign-on (SSO). This white paper explains the reverse proxy server and debunks three key myths that may be keeping your organization from reaping the benefits of this valuable technology.
Forward proxies, especially web proxies, are commonplace in organizations today, for good reason. With a web proxy, internal users don’t actually connect directly to the internet but to a proxy server that captures the content from a website and forwards it to the user behind the firewall, as illustrated in Figure 1. Usually, the user does not even know the proxy exists—it is transparent to the user.
Proxies like this can provide a number of benefits to organizations:
• Security – A proxy can restrict access to sites known for objectionable or dangerous material like phishing attacks, malware and Trojan horses.
• Auditing – A proxy server can track access requests and provide forensic details and logging to security experts looking for details during a security audit.
• Performance – Some proxies support website caching—the proxy captures the web page content and saves it locally. When a user requests a cached page, it can be rendered almost immediately since it does not need to be downloaded again from the internet.
The reverse proxy server
A reverse proxy is essentially the same technology but in reverse: while a forward proxy proxies on behalf of users or other clients accessing almost any internet site, a reverse proxy proxies on behalf of a particular set of servers stationed behind an internet site, as shown in Figure 2.
Reverse proxies can (and often do) obfuscate or hide the origin of the website the user is trying to access. For example, the user in Figure 3 is requesting sitea.reverseproxy.com but, without knowing it, is actually receiving data from hidden.sitea.com.
Figure 1. A web proxy in action (labels: User, Web proxy, Internet)
Figure 2. A reverse proxy (labels: User, Internet, Reverse proxy, Site A, Site B)
Figure 3. Reverse proxy in action (User request sitea.reverseproxy.com → Reverse proxy → Proxied request hidden.sitea.com → Web server)
Setting up a reverse proxy offers significant benefits:
• Access control – A reverse proxy can capture requests to a targeted website and reject or deny each request based on a security policy.
• Encryption – A reverse proxy can encrypt or apply SSL to a site that is otherwise unsecured or not encrypted.
• Caching – A reverse proxy can often cache certain items like pictures or HTML code for targeted websites, which will speed the user’s browsing experience.
• Extranet access – A reverse proxy can securely render an internal webpage to users outside the firewall. In this model, the actual server itself remains untouched by external users, whose access is limited to what the reverse proxy is allowed to show.
• User session management and SSO – Some reverse proxies are capable of injecting code or automatically replying to downstream server requests for authentication to a requested website. In this model, SSO can be achieved with a site that would otherwise never support that capability.
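The behaviours listed above (a hidden origin as in Figure 3, policy-based access control, SSO by supplying an identity downstream, and the link rewriting mentioned under Myth #2) as an added Python model; this is not code from the paper or from Cloud Access Manager, and the routing table, group policy, X-Remote-User header and fake origin server are constructed for illustration:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed routing table: public host -> hidden origin (the Figure 3 pattern).
ROUTES = {"sitea.reverseproxy.com": "hidden.sitea.com",
          "siteb.reverseproxy.com": "hidden.siteb.com"}
# Constructed access policy: groups allowed to reach each public host.
POLICY = {"sitea.reverseproxy.com": {"employees", "partners"},
          "siteb.reverseproxy.com": {"employees"}}


@dataclass
class Request:
    host: str
    path: str
    user: Optional[str] = None           # None means the client has not authenticated
    groups: set = field(default_factory=set)


@dataclass
class Response:
    status: int
    body: str = ""
    upstream: Optional[str] = None       # the hidden origin the proxy talked to, if any


def rewrite_links(body: str, public_host: str, hidden_host: str) -> str:
    """Rewrite absolute links so the hidden origin name never reaches the client."""
    return re.sub(r"https?://" + re.escape(hidden_host),
                  "https://" + public_host, body)


def handle(req: Request, fetch) -> Response:
    """Apply the proxy's checks in order, then call fetch(origin, path, headers).

    fetch stands in for the real upstream request and returns (status, body).
    """
    origin = ROUTES.get(req.host)
    if origin is None:
        return Response(404)             # not a published site: nothing to proxy
    if req.user is None:
        return Response(401)             # authenticate before anything is forwarded
    if not (req.groups & POLICY[req.host]):
        return Response(403)             # authenticated, but policy denies this site
    # SSO: the proxy supplies the identity the downstream app expects
    # (constructed header name; real products use their own mechanism).
    status, body = fetch(origin, req.path, {"X-Remote-User": req.user})
    return Response(status, rewrite_links(body, req.host, origin), origin)


def fake_origin(origin: str, path: str, headers: dict):
    """Constructed stand-in for the hidden web server behind the proxy."""
    return 200, (f"<a href='https://{origin}/doc'>doc</a> "
                 f"hello {headers['X-Remote-User']}")


if __name__ == "__main__":
    r = handle(Request("sitea.reverseproxy.com", "/", "alice", {"partners"}), fake_origin)
    print(r.status, r.upstream, r.body)
```

Requesting the hidden name directly returns 404 because only published hosts are routed, which is the point made later under Myth #3.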
Debunking three important myths about reverse proxies with Dell One Identity Cloud Access Manager
Unfortunately, many organizations are missing out on the benefits of reverse proxies because of three common myths:
• VPN technology is the best way to ensure network security.
• A proxy will create an application bottleneck.
• Firewalls are secure; reverse proxies are not.
Let’s debunk these myths and explore how the right reverse proxy solution—such as Dell One Identity Cloud Access Manager, part of the Dell One Identity products from Dell Software—can be a valuable component of your network infrastructure.
Myth #1: VPN technology is the best way to ensure network security.
Firewalls are an essential part of any network security strategy, and they often include Virtual Private Network (VPN) technology for secure access to internal resources. VPN is an extremely useful technology for organizations because it enables a computer to securely send and receive data across the internet as if it were directly connected to the private corporate network.
However, VPN has important limitations. First, VPN software must be installed on the client computer, which limits user access to the technology. For instance, suppose you are at a public place, like your local library, and you receive an urgent message on your phone that requires you to immediately access an internal site and update some data in your HR system. But, of course, the librarian isn’t going to offer you a local admin account on their computer network, so you can’t install your VPN software and get the secure access you need. In situations like this, VPN technology is useless.
Moreover, VPN technology is best suited for your internal trusted employees only. Organizations that use VPN to provide partners with secure access to internal applications make themselves more vulnerable to attack. When a user connects via your VPN gateway, they are essentially on your network—they can
search for vulnerabilities using methods like port scanning or simple ping scripts. Therefore, the idea that VPN is the solution for all your secure access needs is a myth.
Fact: You can use a reverse proxy to grant secure intranet access.
A reverse proxy server, on the other hand, can deliver secure intranet access without the limitations of VPN. First, a reverse proxy, such as Cloud Access Manager, offers a zero-footprint requirement on the user’s machine. This means that there is no software to install, and no requirement for browser plug-ins or certificate management. Users at the library, on the corporate network, or on mobile devices can all equally access secure intranet resources.
A reverse proxy also enables you to provide secure access to partners and other external users. Cloud Access Manager can act as a gateway to your internal sites. Before users can access anything within a network secured by Cloud Access Manager, they must first authenticate, and then their attributes and group membership will be used to govern exactly what they can access. Moreover, since users accessing a reverse proxy are not actually on your secured network, it is impossible for them to search the network for vulnerabilities.
In addition, Cloud Access Manager provides a simple-to-follow, wizard-driven interface that even the newest web administrators can use. There is no complicated terminology or set of instructions to learn, so you can provide your users and partners with secure access to an internal site in just a few minutes.
Myth #2: A proxy will create an application bottleneck.
Organizations worry about having their applications flowing through a single server, especially if they have experienced bottlenecks in the past. And often a reverse proxy is tasked with doing more than a forward proxy—it needs to rewrite links, filter traffic according to security policies and, in the case of Cloud Access Manager, provide SSO by injecting credentials and responding to the security challenges of downstream servers. So concerns about bottlenecks are legitimate. However, times have changed, and so has our technology.
Fact: Today’s technology makes reverse proxies reliable with no performance bottlenecks.
The Cloud Access Manager reverse proxy has been written from the ground up with performance in mind, and has evolved over 15 years of development and customer experience. Over that time, new features have been added, including proxy tuning, customized scripting and built-in load-balancing.
If you had asked a game developer in the early 90s to write a 3D game engine that simulated water accurately, they would have laughed. Sure, they could have written one, but you would have needed a powerful graphics workstation to run it. Today, a small game console is capable of nearly perfect fluid simulation. Computing power and virtualization have finally caught up with the technology.
Taking advantage of that technology, the Cloud Access Manager reverse proxy engine runs as a self-hosted web service and was written for speed—a single proxy server is typically enough to handle the application load for a medium-sized enterprise. Organizations that want to scale their installation need only add another proxy; the new server will auto-discover the rest of the Cloud Access Manager deployment and configure itself appropriately.
In short, thanks to years of fine tuning and today’s processing power and scalability, bottlenecks are simply not an issue for the Cloud Access Manager reverse proxy. It’s worth pointing out that Dell has been running the Cloud Access Manager reverse proxy in its own environment for years, with only two production proxies (a good fail-over strategy). The Cloud Access Manager reverse proxy delivers a real solution to the challenge, and does so with reliability and performance.
Myth #3: Firewalls are secure; reverse proxies are not.
The final myth can be summed up as follows: Firewalls are secure and reverse proxies aren’t firewalls. Therefore, reverse proxies are not secure. The truth is, a reverse proxy solution is often more secure than a firewall VPN strategy. But the more important truth is that organizations do not have to choose between a firewall and a reverse proxy—they can have both.
Fact: You can choose both a firewall and a reverse proxy.
Using a reverse proxy does not mean no longer using firewalls. In fact, you shouldn’t even consider installing a reverse proxy on a machine that does not have a firewall, or that is not at least behind one on your network.
Think of traffic on your network as the stations on your radio. In the United States, FM radio channels are split into frequencies ranging from 87.8 MHz to 108.0 MHz, and the jump between frequencies is 0.2 MHz. So, a U.S. FM radio receiver can receive about 101 different radio channels. In today’s network technology, a similar method is used to separate traffic on the wire. There are 65,535 possible channels, called ports, to move information around on a network. Websites typically transmit on port 80, while secure sites like your bank are on port 443.
The problem is there really isn’t any requirement that certain types of data travel on certain ports. You could easily design your website to travel on port 12345 as easily as you could get it to transmit on port 80.
This huge number of ports is exactly what a firewall is designed to secure. For instance, let’s say you have installed a secret banking web service on port 1080 and you want to make sure that only the banking website can call that web service. You could easily configure a firewall with a policy to do just that, as illustrated in Figure 4. Beyond that, the firewall should simply block all unassigned and unsecured ports by default. This is the job of a firewall, and it remains the firewall’s job when it is applied alongside a reverse proxy solution.
A reverse proxy solution isn’t a firewall, nor does it pretend to be. As noted earlier, Figure 3 shows a reverse proxy securing the sites behind an organization’s firewall. Since the proxy supports traffic only on port 443 (the secure SSL gateway), port scanning is simply impossible. More than that, a user trying to access hidden.sitea.com cannot do so; it is simply impossible.
Figure 4. A firewall allowing a specific banking website to access a secure banking web service, but blocking access to the service from all other websites (labels: Banking website, Unauthorized website, Secure banking web service)
The truth is, using a reverse proxy to secure access to internal sites can be more secure than using a firewall alone. There is no real comparison to be made between a firewall and a reverse proxy server. They are two different solutions providing two essential and different features.
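The default-deny firewall policy of Figure 4, together with the proxy-only exposure on port 443 described above, as an added Python model; this is not Dell code, and the host names, the allow-list, the five-port threshold and the connection log are constructed. Beyond what the text states, it also flags a source whose dropped attempts spread over many closed ports, so the firewall log yields a detection signal rather than a silent drop:

```python
from collections import defaultdict

# Constructed allow-list of (source, destination port). Anything not listed is
# dropped: the default-deny stance the paper asks of the firewall.
ALLOW = {
    ("banking-website", 1080),   # only the banking site may call the service on 1080
    ("any", 443),                # the reverse proxy is reachable from anywhere, on 443 only
}
SCAN_THRESHOLD = 5               # constructed: distinct closed ports before flagging a source


def allowed(src: str, dport: int) -> bool:
    """True if an explicit rule admits this source to this port."""
    return (src, dport) in ALLOW or ("any", dport) in ALLOW


def evaluate(attempts):
    """Return (verdicts, suspects) for an iterable of (source, dport) connection attempts.

    verdicts lists (src, dport, 'ACCEPT'|'DROP'); suspects are sources whose dropped
    attempts spread across enough distinct ports to look like a port scan.
    """
    verdicts = []
    dropped_ports = defaultdict(set)
    for src, dport in attempts:
        ok = allowed(src, dport)
        verdicts.append((src, dport, "ACCEPT" if ok else "DROP"))
        if not ok:
            dropped_ports[src].add(dport)
    # Dropping is prevention; surfacing the pattern to the SOC is detection.
    suspects = {s for s, ports in dropped_ports.items() if len(ports) >= SCAN_THRESHOLD}
    return verdicts, suspects


# Constructed connection log: the two Figure 4 cases, a legitimate proxy user,
# and one external host probing a spread of ports of which only the proxy's 443 answers.
ATTEMPTS = [
    ("banking-website", 1080),
    ("unauthorized-website", 1080),
    ("external-host", 443),
] + [("external-host", p) for p in (21, 22, 23, 80, 1080, 3389)]

if __name__ == "__main__":
    verdicts, suspects = evaluate(ATTEMPTS)
    for verdict in verdicts:
        print(*verdict)
    print("scan suspects:", suspects)
```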
About Dell One Identity Cloud Access Manager
Dell Software recently released the next generation of its solution for access management, including access management for remote users. The new Dell One Identity Cloud Access Manager solution represents a huge leap in usability and features for securing and managing access. More than a simple single sign-on product, Cloud Access Manager is a full-fledged web access management solution.
Cloud Access Manager uses reverse proxy technology to provide authenticated and authorized users connecting from the internet or a partner organization’s network with secure intranet access to applications that are hosted safely behind your organization’s firewall. Cloud Access Manager delivers the following benefits:
• User-specific application portal – Cloud Access Manager provides each user with a web application portal customized to their security profile. Users can launch applications from this portal and add applications to the portal from a secure application catalog.
• Just-in-time (JIT) provisioning – Before a user can use a web property like Google Apps, Salesforce.com or Office 365, they must be provisioned to the platform. Many products offer a ‘big bang’ or ‘dirsync’ provisioning strategy in which all members of a particular security group are provisioned en masse. This strategy often results in cost overruns, since more people are provisioned than are actively using the service. With a JIT strategy, users who match the correct security profile are provisioned only when they specifically ask for access or add the application to their portal collection.
• Single sign-on – Cloud Access Manager’s approach to SSO is unique in the industry. Rather than focusing only on the modern challenges of federation used with technologies like SAML and WS-Federation, Cloud Access Manager offers a balanced solution. It supports modern federation, but also adds support for legacy authentication methods like forms-based, basic and Windows authentication.
• Secure intranet access from the internet without VPN – Cloud Access Manager’s reverse proxy engine not only provides SSO to legacy applications, but also gives users outside the firewall secure access to internal applications. This is achieved without any additional plug-ins, server agents, or requirement to install VPN software on the client machine.
• Tuning and scripting capabilities – With less mature reverse proxy technologies, internal websites with unique HTML or scripting features are often not rewritten correctly by the proxy, forcing organizations to either leave applications out of the proxy or wait for the product team to implement a new translation. Cloud Access Manager’s unique tuning and scripting capabilities enable you to respond to an application’s unique HTML requirements without changing the core product. That means you can maintain the mappings yourself.
Conclusion
Reverse proxies have come of age and the myths keeping them out of widespread use are simply that—myths. As we’ve illustrated here in busting these myths, reverse proxies are a valuable part of any secure web access strategy, supplementing the security of your firewalls and overcoming the limitations of VPN technologies.
Cloud Access Manager’s reverse proxy unlocks the potential of integrating securely with your partners, keeping users happy with high performance, and enabling SSO solutions previously thought impossible.
About the author
Joe Campbell is Principal Solutions Architect at Dell Software. He is an accomplished software developer with an extremely diverse background. His professional career spans innovations for some of the world’s biggest companies, and he’s pioneered new, award-winning technologies in wireless, RFID, visualization, communications and telephony. Joe’s unmatched experience in leading security and software architecture makes him a highly respected visionary and leader in the technology industry.
© 2014 Dell, Inc. ALL RIGHTS RESERVED.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
For More Information
If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.
WhitePaper-ReverseProxy-US-VG-24426