A forward proxy is an intermediary that sits between one or more user devices and the internet. Instead of validating a client request and sending it directly to a web server, a forward proxy server evaluates the request, takes any needed actions, and routes the request to the destination on the client’s behalf. The proxy then evaluates and inspects any response, takes action as needed, and forwards it to the originating client if appropriate.
A forward proxy is far more than a traffic controller. As an intermediary, the proxy can shield users from direct access to or from bad actors as well as prevent them from compromising data and enterprise resources—intentionally or not. It operates “inline,” sitting directly in the flow of traffic, allowing an organization to identify any challenges to security and enforce needed policies in real time.
Proxies are buffers that help keep apps and data safe from harm, whether that harm stems from user error or from malicious data exfiltration and malware.
Forward Proxy vs. Traditional Firewall
Compared to firewalls as a means of protecting systems from outside threats, a forward proxy differs in two key ways:
Traditional firewalls use a passthrough approach, forwarding traffic to the intended recipient while its contents are still being inspected.
If the traffic is found to be unsafe, the firewall sends an alert—but it can be received too late. A proxy, on the other hand, doesn’t forward traffic until its contents have been through an authentication process and determined to be safe.
While not a direct comparison of proxy to firewall, it’s worth noting that a cloud-based forward proxy can also inspect encrypted traffic. As most of today’s traffic is encrypted, it’s critical to have visibility into it, but the process of decrypting, inspecting, and re-encrypting traffic is compute-intensive. Appliance-based firewalls, with inherent processing limitations, can’t handle a high volume of encrypted traffic without adding latency (however, a cloud firewall can).
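The passthrough-versus-hold distinction above is easy to see in code. The following is an added illustration, not code from the original page or from any vendor: a firewall-style device forwards each chunk as it arrives and alerts once its running inspection matches, while a proxy terminates the session, buffers the whole message, and forwards nothing until inspection has passed. The signature string and the byte streams are constructed for the example.

```python
# Added illustration (not from the original page): why "passthrough" inspection
# can alert too late while a proxy that holds traffic until inspected does not.
# The signature and the streams below are constructed for the example.
from typing import Iterable, List, Tuple

# Constructed signature standing in for a real malware/DLP detection rule.
BAD_SIGNATURE = b"EICAR-TEST"


def inspect(data: bytes) -> bool:
    """Return True when the inspected bytes match the toy signature."""
    return BAD_SIGNATURE in data


def passthrough_forward(chunks: Iterable[bytes]) -> Tuple[List[bytes], bool]:
    """Firewall-style passthrough: every chunk is forwarded the moment it arrives.

    Inspection runs over the bytes seen so far; once it fires, the session is
    reset so later chunks are dropped, but chunks already forwarded have
    reached the recipient and cannot be recalled.
    Returns (chunks delivered to the recipient, whether an alert fired).
    """
    delivered: List[bytes] = []
    seen = b""
    alerted = False
    for chunk in chunks:
        if alerted:
            continue             # session reset after the alert: drop the rest
        delivered.append(chunk)  # forwarded before inspection has completed
        seen += chunk
        if inspect(seen):
            alerted = True
    return delivered, alerted


def proxy_forward(chunks: Iterable[bytes]) -> Tuple[List[bytes], bool]:
    """Proxy-style: terminate the connection, buffer the whole message, inspect
    it, and forward only if it is judged safe; otherwise nothing is delivered.
    Returns (chunks delivered to the recipient, whether the message was blocked).
    """
    message = b"".join(chunks)
    if inspect(message):
        return [], True
    return [message], False


# Constructed streams: in the malicious one the signature only appears in the third chunk.
MALICIOUS_STREAM = [b"PK\x03\x04 archive header ", b"innocuous bytes ",
                    b"EICAR-TEST payload ", b"trailer"]
BENIGN_STREAM = [b"PK\x03\x04 archive header ", b"innocuous bytes ", b"trailer"]


def leaked_bytes(chunks: Iterable[bytes]) -> int:
    """Bytes a passthrough device hands to the recipient before its alert fires."""
    delivered, alerted = passthrough_forward(chunks)
    return sum(len(c) for c in delivered) if alerted else 0


if __name__ == "__main__":
    print("passthrough leaked", leaked_bytes(MALICIOUS_STREAM), "bytes before alerting")
    print("proxy delivered", proxy_forward(MALICIOUS_STREAM)[0], "(blocked)")
```

The point the simulation makes is about ordering, not detection quality: both devices run the same `inspect`, but only the proxy's decision happens before any byte is forwarded.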
Increasingly, discussions of forward proxies go hand in hand with talk of cloud access security brokers (CASBs), cloud security tools that can be deployed in forward proxy mode. With a CASB, a software agent installed on a user device forwards traffic to an inspection point in the cloud, which applies real-time security policies to foster safe connections with cloud-based resources such as SaaS apps and IaaS platforms.
As the adoption of SaaS apps and remote work increases, using a CASB’s cloud-based forward proxy mode (as opposed to a firewall or a proxy appliance, on-premises or deployed virtually) can be a powerful way to protect an organization’s managed devices.
However, when it comes to unmanaged devices, i.e., BYOD or third-party partner devices, forward proxies aren’t quite able to ensure the security of their transactions since they come from the requestor, not the client. Indeed, this use case is better served by the forward proxy’s sibling, the reverse proxy.
Forward Proxy vs. Reverse Proxy
It’s easy to get forward and reverse proxies confused, so let’s break them down.
By sitting in front of a web server, a reverse proxy server ensures no clients communicate directly with the server. A forward proxy sits in front of client endpoints to intercept incoming requests and ensure no servers communicate directly with a client such as a web browser. These types of proxies sound functionally similar, but forward proxies usually depend on a software agent installed on endpoints to forward traffic, while reverse proxies do not.
Another key difference is that reverse proxies contain a load balancer, which can be used to optimize client requests that could otherwise overwhelm a single server with high demand, promoting high availability and better load times by taking pressure off the backend server. They mainly do this in two different ways:
A reverse proxy can cache content from an origin server in temporary storage, and then send the content to clients that request it without further transacting with the server (this is called web acceleration). DNS can be used to route requests evenly among multiple reverse proxies.
If a large website or other web service uses multiple origin servers, a reverse proxy can distribute requests among them to ensure even server loads.
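The two reverse-proxy behaviours just described, caching content so repeat requests never reach the origin and spreading the remaining requests across several origin servers, can be shown together in a few lines. This is an added example, not code from the original page or from any product; the origin servers are in-memory stand-ins, and the request mix in `simulate` is constructed.

```python
# Added example (not from the original page): a toy reverse proxy that caches
# static responses and round-robins uncached requests across origin servers.
# Origins are in-memory stand-ins constructed for the example.
from itertools import cycle
from typing import Callable, Dict, List, Tuple

# An origin is modelled as a function: request path -> (status, body).
Origin = Callable[[str], Tuple[int, bytes]]


def make_origin(name: str) -> Origin:
    """Constructed origin: static assets are identical on every server,
    dynamic API responses reveal which server answered."""
    def origin(path: str) -> Tuple[int, bytes]:
        if path.startswith("/static/"):
            return 200, b"static-asset-bytes"
        if path.startswith("/api/"):
            return 200, b"dynamic-response-from-" + name.encode()
        return 404, b"not found"
    return origin


class ReverseProxy:
    """Clients talk only to the proxy; only the proxy talks to the origins."""

    def __init__(self, origins: List[Origin], cacheable_prefix: str = "/static/"):
        if not origins:
            raise ValueError("at least one origin is required")
        self._origins = origins
        self._next = cycle(range(len(origins)))   # round-robin distribution
        self._cache: Dict[str, bytes] = {}        # web-acceleration cache
        self._cacheable_prefix = cacheable_prefix
        self.origin_hits = [0] * len(origins)     # load actually reaching each origin

    def handle(self, path: str) -> Tuple[int, bytes, str]:
        """Serve one client request; the third element records where the
        response came from ('cache' or 'origin-<n>')."""
        if path in self._cache:
            return 200, self._cache[path], "cache"
        idx = next(self._next)
        self.origin_hits[idx] += 1
        status, body = self._origins[idx](path)
        # Only successful responses for cacheable (static) paths are stored;
        # dynamic and error responses always go back to an origin.
        if status == 200 and path.startswith(self._cacheable_prefix):
            self._cache[path] = body
        return status, body, f"origin-{idx}"


def simulate(num_origins: int = 3) -> Tuple[List[int], List[str]]:
    """Run a constructed request mix; return per-origin hit counts and the
    source of each response."""
    proxy = ReverseProxy([make_origin(f"srv{i}") for i in range(num_origins)])
    requests = ["/static/logo.png", "/static/logo.png", "/api/orders",
                "/api/orders", "/api/orders", "/static/logo.png", "/missing"]
    sources = [proxy.handle(p)[2] for p in requests]
    return proxy.origin_hits, sources


if __name__ == "__main__":
    hits, sources = simulate()
    print("origin hits:", hits)
    print("response sources:", sources)
```

Of seven client requests in `simulate`, two are answered from the cache and the other five are spread over the three origins, which is the "taking pressure off the backend" effect the text describes.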
Why a Forward Proxy Is Needed Today
The decades-old secure perimeter model, also called “castle and moat” security, was designed to keep bad traffic from entering the internal network from the internet. Today, with applications in the cloud and many users outside the traditional perimeter, connecting from everywhere to your private apps, SaaS, and data in public clouds, that model has become outdated.
If you stick with the legacy model, your users connect through a virtual private network (VPN)—on an MPLS link, in the case of workers in branch offices—to your data center, which then sends the traffic through your outbound gateway security stack to the cloud and back again. This widens your attack surface, opening you up to significant risk. Plus, it creates a terrible digital experience for your users.
Cloud applications were designed to be accessed directly, via the shortest path, for a fast, productive experience. Appliances in the data center that allow passthrough are simply not up to the task. For fast, direct, and secure connections, you need to leverage a forward proxy that takes advantage of the performance and scale of the cloud.
Forward Proxy Use Cases
As you move to the cloud, you need a security strategy built on a cloud-based proxy architecture. Here are a few major use cases for organizations looking to embrace forward proxy (and CASB in particular).
Shadow IT Discovery
Cloud usage is spread across SaaS applications, user groups, and locations. Unsanctioned apps (i.e., shadow IT) abound, but maintaining visibility over what users access is difficult, if not impossible, without the right solutions. Forward proxying to a CASB ensures monitoring and logging of all traffic from sanctioned user devices, allowing IT to identify unsanctioned apps and govern access to them, either individually or by category.
Because SaaS apps are built to enable fast, easy sharing, it’s common for users to upload critical business data to inappropriate locations. A cloud-based forward proxy is the best way to prevent users from uploading sensitive information to risky cloud destinations because it operates inline and has the scale to inspect all traffic—plus, it can hide IP addresses.
As well as being an attractive avenue for data exfiltration, SaaS apps can be a conduit for the propagation of malware. Rapid sharing functionality can be hijacked to distribute infected files within and between organizations. A forward proxy prevents infected files from being uploaded to cloud resources by enabling technologies like advanced threat protection (ATP) and cloud sandbox to operate inline and intercept threats in transit.
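The three use cases above (shadow IT discovery, blocking sensitive uploads to risky destinations, and stopping known-bad files in transit) all reduce to decisions an inline proxy makes per request before forwarding it. The following toy policy engine is an added example, not code from the original page or from Zscaler or any other vendor: the app catalogue, DLP patterns, known-bad hash list, hostnames and requests are all constructed. Real products categorize destinations from large curated databases and use far richer detection than a regex and a hash set; the structure, not the rules, is the point.

```python
# Added example (not from the original page or any vendor's code): a toy inline
# forward-proxy policy engine. Every request is logged (shadow IT discovery),
# uploads of sensitive data to unsanctioned apps are blocked (DLP), and files
# matching a known-bad hash are blocked wherever they go (threat protection).
# The catalogue, rules, hash list and requests are all constructed.
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed app catalogue: host -> (category, sanctioned by IT?).
APP_CATALOG: Dict[str, Tuple[str, bool]] = {
    "files.sanctioned.example": ("file-sharing", True),
    "share.unsanctioned.example": ("file-sharing", False),
    "crm.example": ("business", True),
}

# Constructed DLP rules: a 16-digit card-like number and an internal classification tag.
DLP_RULES = {
    "card-number": re.compile(rb"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b"),
    "internal-tag": re.compile(rb"INTERNAL-ONLY"),
}

# Constructed deny list standing in for a threat-intelligence hash feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}


@dataclass
class Request:
    host: str
    method: str
    path: str
    body: bytes = b""


@dataclass
class Decision:
    action: str        # "allow" or "block"
    reason: str
    category: str
    sanctioned: bool


@dataclass
class ForwardProxy:
    log: List[dict] = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        """Inline policy check, run before the request is forwarded."""
        category, sanctioned = APP_CATALOG.get(req.host, ("uncategorized", False))
        decision = Decision("allow", "no policy violation", category, sanctioned)

        if req.method in ("POST", "PUT") and req.body:
            digest = hashlib.sha256(req.body).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                # Malware check applies regardless of destination.
                decision = Decision("block", f"known-bad file sha256:{digest[:12]}",
                                    category, sanctioned)
            elif not sanctioned:
                # DLP: sensitive content may not leave to an unsanctioned app.
                for name, rule in DLP_RULES.items():
                    if rule.search(req.body):
                        decision = Decision("block", f"dlp:{name} to unsanctioned app",
                                            category, sanctioned)
                        break

        # Every transaction is logged, allowed or not; this is the visibility
        # that shadow IT discovery is built on.
        self.log.append({"host": req.host, "method": req.method, "path": req.path,
                         "category": category, "sanctioned": sanctioned,
                         "action": decision.action, "reason": decision.reason})
        return decision

    def shadow_it_report(self) -> Dict[str, int]:
        """Hosts seen in the log that IT has not sanctioned, with request counts."""
        return dict(Counter(e["host"] for e in self.log if not e["sanctioned"]))


if __name__ == "__main__":
    proxy = ForwardProxy()
    print(proxy.evaluate(Request("share.unsanctioned.example", "POST", "/upload",
                                 b"Q3 plan INTERNAL-ONLY")))
    print(proxy.evaluate(Request("unknown.example", "GET", "/")))
    print("shadow IT:", proxy.shadow_it_report())
```

Note that a plain GET to an unsanctioned or uncategorized host is allowed here but still logged, so it shows up in `shadow_it_report`; that mirrors the text's order of operations, discover first, then govern access individually or by category.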
How to Choose a Forward Proxy
In some ways, forward proxy servers have a bad reputation. They’re known to be expensive and complex to configure and manage. They can add latency and create a poor user experience. Additionally, if a proxy suffers downtime, it can significantly disrupt your operations. All of this is because, historically, proxies have been deployed either as physical or virtualized appliances.
Forward proxies can be a major security boon when delivered inline from the cloud, where they have none of the drawbacks of their appliance-based counterparts. A cloud-based proxy architecture eliminates the expense of purchasing and maintaining appliances and can scale as needed to meet demand. This unprecedented scalability also solves the key challenge of inspecting TLS/SSL-encrypted traffic for threats and data leaks, which is too compute-intensive for legacy proxies.
The right cloud-based forward proxy enables:
Consistent data and threat protection across all your cloud data channels with one straightforward policy.
Unified security as part of a SASE offering that supports use cases related to CASB, secure web gateway, and ZTNA for securing access to cloud apps and APIs, the web, and internal resources, respectively.
IT ecosystem simplicity through a single-pass architecture that forgoes appliances and provides advanced functionality without the need for complex proxy configurations such as proxy chaining.
When choosing a forward proxy, or a CASB specifically, it’s important to choose a vendor that has a proven inline solution and is a trusted security leader. Zscaler is built on a cloud native proxy architecture to deliver all the advantages we’ve discussed. We operate the world’s largest inline security cloud, with more than 150 data centers on six continents, serving customers in 185 countries and processing hundreds of billions of transactions every day.
Engineered for performance, Zscaler intelligently routes traffic to our nearest data center, where we peer with top applications like Microsoft 365, Zoom, Salesforce, and more to guarantee the shortest distance between users and their apps. This enhanced performance leads to an improved user experience that bolsters enterprise productivity.
Zscaler provides leading CASB capabilities, such as:
A zero trust architecture (ZTA) consistent with the Gartner vision for SASE
We provide consistent security across your IT ecosystem and wherever users connect, enabling your organization and thousands more to securely embrace digital transformation and work-from-anywhere initiatives for your remote and hybrid workforce.