Cisco Web Security Appliance

Difference between Transparent and Forward proxy mode

Document ID: 117940

Updated: Jul 15, 2014

Contributed by Jakob Dohrmann and Siddharth Rajpathak, Cisco TAC Engineers.



What is the difference between Transparent and Forward proxy mode?

The goal of a proxy is to be the middle man (proxy) between HTTP clients and HTTP servers. This specifically means that the Cisco Web Security Appliance (WSA), as a web proxy, will have two sets of TCP sockets per client request:

Client -> WSA 
WSA -> Origin server

How the WSA HTTP proxy obtains the client's request can be defined as one of two ways: Transparently or Explicitly.

Each of these deployments has several specific configuration options:

Mode          Option                    Description
Transparent   Layer 4 Switch (PBR)      A Layer 4 switch is used to redirect based on destination port 80
Transparent   WCCP                      A WCCP v2 enabled device (typically a router, switch, PIX, or ASA) redirects port 80
Transparent   Bridged mode              Dual NICs, virtually paired. Traffic goes in one NIC and out the other (not available)
Explicit      Browser configured        Client browser is explicitly configured to use a proxy
Explicit      .PAC file configured      Client browser is explicitly configured to use a .PAC file, which in turn references the proxy

The WSA can use all of these deployments except for bridged mode. This is expected to be available in the near future.

When requests are redirected to the WSA transparently, the WSA must pretend to be the OCS (origin content server), since the client is unaware that a proxy exists. Conversely, if a request is explicitly sent to the WSA, the WSA responds with its own IP information.

There are a few differences between explicit and transparent client HTTP requests:

1. An explicit request has a destination IP address of the configured proxy. A transparent request has a destination IP address of the intended web server (DNS resolved by the client).

2. The request-target of a transparent request contains only the path; an explicit request carries the full absolute URI, including the protocol and host:

Transparent   GET / HTTP/1.1
Explicit      GET http://<host>/ HTTP/1.1

Both will contain an HTTP Host header that specifies the DNS host.

WSA Configuration

The WSA can be configured for "transparent" or "forward". This is slightly misleading, as this is really "transparent" or "explicit" mode, both of which are forward proxy deployments. Reverse proxy is where the proxy is intended to be on the same network as the HTTP servers and its purpose is to serve up content for these HTTP servers.

The only major difference between transparent and forward mode on the WSA is that in transparent mode the WSA responds to both transparent and explicit HTTP requests, whereas in forward (explicit) mode the WSA responds ONLY to explicit HTTP requests.

The WSA always sends its upstream request as a transparent-style request (path-only request-target), since the WSA is acting as its own client, UNLESS the WSA is configured to use an explicit upstream proxy, in which case it sends the absolute URI to that proxy.

Authentication challenges also differ between transparent and explicit requests:

Transparent   401 - sent by the WSA when authentication is required. This is also what the OCS would send, so a client that does not know a proxy exists can handle it.
Explicit      407 - sent by the WSA to tell the client that an HTTP proxy requires authentication.
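The request-line, mode and authentication rules above, worked through in code. This is an added example written for this page, not Cisco's or the WSA's own software; the request texts and host names (www.example.com, proxy.example.com) are constructed samples, and the realm string and function names are assumptions.

```python
"""Tell an explicit (proxy-style) HTTP request from a transparent one the
way a forward proxy such as the WSA must, then derive what follows from
that classification: whether a given proxy mode serves the request, the
request line the proxy sends upstream, and which authentication challenge
(407 or 401) the client can understand.

Added example, not Cisco's code. The request texts and host names below are
constructed samples, not captures from a WSA.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class ParsedRequest:
    method: str
    target: str               # request-target exactly as the client sent it
    version: str
    headers: Dict[str, str]   # header names lower-cased
    explicit: bool            # True when the target is an absolute URI
    host: str                 # server the client ultimately wants


def parse_request(raw: bytes) -> ParsedRequest:
    """Parse the request line and headers of an HTTP/1.x request.

    A browser configured to use a proxy sends an absolute-form target such as
    "http://www.example.com/"; a transparently redirected browser sends the
    origin-form "/" and names the server only in the Host header.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    explicit = target.lower().startswith(("http://", "https://"))
    host = urlsplit(target).netloc if explicit else headers.get("host", "")
    return ParsedRequest(method, target, version, headers, explicit, host)


def accepted_in_mode(req: ParsedRequest, mode: str) -> bool:
    """Apply the WSA rule: transparent mode serves both request styles,
    forward (explicit) mode serves explicit requests only."""
    if mode == "transparent":
        return True
    if mode == "forward":
        return req.explicit
    raise ValueError(f"unknown proxy mode: {mode}")


def upstream_request_line(req: ParsedRequest,
                          upstream_proxy: Optional[str] = None) -> str:
    """Request line the proxy sends on its own server-side socket.

    Acting as a client of the origin server, the proxy sends an origin-form
    (transparent-style) target no matter how the browser spoke to it.  Only
    when an explicit upstream proxy is configured does it send the absolute
    URI, because that proxy needs the scheme and host to know where to go.
    """
    if req.explicit:
        parts = urlsplit(req.target)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        absolute = req.target
    else:
        path = req.target
        absolute = f"http://{req.host}{path}"
    return f"{req.method} {absolute if upstream_proxy else path} {req.version}"


def auth_challenge(req: ParsedRequest, realm: str = "WSA") -> str:
    """Status line and challenge header returned when credentials are needed.

    An explicit client knows it is talking to a proxy, so it understands
    407 / Proxy-Authenticate.  A transparent client believes it is talking to
    the origin server, so it only understands 401 / WWW-Authenticate, which is
    what the OCS itself would send.
    """
    if req.explicit:
        return (f"{req.version} 407 Proxy Authentication Required\r\n"
                f'Proxy-Authenticate: Basic realm="{realm}"\r\n\r\n')
    return (f"{req.version} 401 Unauthorized\r\n"
            f'WWW-Authenticate: Basic realm="{realm}"\r\n\r\n')


# Constructed sample requests (assumed host names, not real captures).
EXPLICIT_REQUEST = (b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
                    b"Host: www.example.com\r\n\r\n")
TRANSPARENT_REQUEST = (b"GET /index.html?x=1 HTTP/1.1\r\n"
                       b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for raw in (EXPLICIT_REQUEST, TRANSPARENT_REQUEST):
        req = parse_request(raw)
        print("explicit" if req.explicit else "transparent", req.host,
              "| forward mode serves it:", accepted_in_mode(req, "forward"),
              "| upstream:", upstream_request_line(req),
              "| challenge:", auth_challenge(req).split("\r\n")[0])
```

The whole classification rests on one criterion, the form of the request-target: an absolute URI only ever comes from a client that knows it is talking to a proxy, which is why the Host header alone cannot distinguish the two cases. One caveat the page does not cover: an explicit client tunnels HTTPS with a CONNECT request whose target is host:port rather than a URL, so a real proxy must treat CONNECT as explicit as well; this example handles plain HTTP only.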