Forward Proxy Service Object (Egress / East-West)
Forward Proxy services are used for HTTP-based traffic (plain HTTP and HTTPS). The object defines the listener port on which the Multicloud Defense Gateway accepts client connections; the gateway then forwards each connection to the host named in the TLS SNI extension of the client's ClientHello or in the HTTP Host header.
Note: We recommend using this for egress/East-West traffic.
If the connection type is set to Forward Proxy, the traffic flow is proxied through the gateway at the layer determined by the proxy type. The session from the client is terminated on the gateway instance and a new session is established from the gateway instance to the destination; the gateway instance acts as a mediator in the middle. The gateway instance waits for the HTTP Host header or the TLS ClientHello. Once it has that packet, it extracts the domain name and connects to that host using the protocol and destination port specified on the service object. Because the destination is taken from data the client sends (SNI or Host header) rather than from the packet's destination IP, any allow-list policy is only as good as its match against that extracted name. For encrypted traffic, a self-signed certificate and its private key are required on the gateway so that it can decrypt, inspect and re-encrypt the traffic.
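The routing decision just described, as an added illustration that is not Multicloud Defense code: given the first bytes a client sends to the listener port, extract the destination host from the SNI extension of a TLS ClientHello, or from the Host header of a plaintext HTTP/1.x request, and pair it with the destination port configured on the service. The TLS and HTTP layouts follow the public RFCs; the sample ClientHello and HTTP request are constructed in the block, and the function names and the `dest_port` parameter are this example's own.

```python
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying one SNI entry.
    Not captured traffic; just enough structure for the parser below."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"              # client_version TLS 1.2
        + b"\x00" * 32           # random (zeroed for the sample)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite
        + b"\x01\x00"            # compression methods: null only
        + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Return the server_name carried in a TLS ClientHello record, or None if absent or malformed."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                                   # handshake header, version, random
        pos += 1 + hs[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        if pos + 2 > len(hs):
            return None                                    # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                       # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def host_from_http(data: bytes) -> Optional[str]:
    """Return the hostname from the Host header of a plaintext HTTP/1.x request head, or None.
    Refuses to decide until the whole header block (terminated by a blank line) has arrived."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:                      # METHOD SP target SP HTTP/x.y
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().lower()
            if not host.startswith(b"[") and b":" in host:  # drop ":port"; the service port is used
                host = host.split(b":", 1)[0]
            return host.decode("ascii", "replace") or None
    return None


def select_destination(first_bytes: bytes, dest_port: int) -> Optional[Tuple[str, str, int]]:
    """Decide where the proxy connects: (protocol, host, port), or None if the
    client data is neither a ClientHello nor a complete HTTP request head."""
    sni = sni_from_client_hello(first_bytes)
    if sni:
        return ("tls", sni, dest_port)
    host = host_from_http(first_bytes)
    if host:
        return ("http", host, dest_port)
    return None


# Constructed sample inputs (not captured traffic).
SAMPLE_CLIENT_HELLO = build_client_hello("www.example.com")
SAMPLE_HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: api.example.com:8080\r\n"
                       b"User-Agent: sample\r\n\r\n")

if __name__ == "__main__":
    print(select_destination(SAMPLE_CLIENT_HELLO, 443))
    print(select_destination(SAMPLE_HTTP_REQUEST, 80))
    print(select_destination(b"SSH-2.0-OpenSSH\r\n", 80))
```

The returned host is the only thing the proxy has to go on, and it is entirely client-controlled; a policy that allow-lists destinations must therefore match on this extracted name (and then resolve it) rather than trust anything about the packet that arrived at the listener. Non-HTTP traffic sent to the listener port yields no destination and should be dropped rather than passed through.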
Operating in forward-proxy mode at the TLS layer requires the gateway instance to present a self-signed certificate to the client initiating the connection request. Clients will fail TLS validation unless that certificate is in their trust store, so it must be distributed to the workloads whose traffic is proxied. The certificate body is imported into the Multicloud Defense Controller. The associated private key can be supplied to the Multicloud Defense Controller in any of the following ways:
- Import the private key directly.
- Store it in AWS Secrets Manager and provide the secret name.
- Store it in AWS KMS and provide the ciphertext contents.
- Store it in GCP Secret Manager and provide the secret name.
- Store it in Azure Key Vault as a secret and provide the key vault and secret name.
Use the following procedure to create and add a forward proxy service.
Procedure
Step 1: In the Security Cloud Control platform menu, choose .
Step 2: Navigate to .
Step 3: Click Create.
Step 4: Click Forward Proxy.
Step 5: Provide a name and description.
Step 6: Optionally, select the Application IDs to match.
Step 7: Configure the proxy parameters as defined below.