What is the difference between Transparent and Forward proxy mode?
The goal of a proxy is to be the middle man (proxy) between HTTP clients and HTTP servers. This specifically means that the Cisco Web Security Appliance (WSA), as a web proxy, will have two sets of TCP sockets per client request:
Client -> WSA WSA -> Origin server
How the WSA HTTP proxy obtains the client's request can be defined as one of two ways: Transparently or Explicitly.
Each of these deployments have several specific configuration options:
Layer 4 Switch (PBR)
A Layer 4 switch is used to redirect based on destination port 80
A WCCP v2 enabled device (typically a router, switch, PIX, or ASA) redirects port 80
Dual NICs, virtually paired. Traffic goes in one NIC and out the other (not available)
Client browser is explicitly configured to use a proxy
.PAC file configured
Client browser is explicitly configured to us a .PAC file, which in turn, references the proxy
The WSA can use all of these deployments except for bridged mode. This is expected to be available in the near future.
When requests are being redirected to the WSA transparently, the WSA must pretend to be the OCS (origin content server), since the client is unaware of the existence of a proxy. On the contrary, if a request is explicitly sent to the WSA, the WSA will respond with it's own IP information.
There are a few differences between explicit and transparent client HTTP requests:
1. An explicit request has a destination IP address of the configured proxy. A transparent request has a destination IP address of the intended web server (DNS resolved by the client).
2. The URI for a transparent request does not contain the protocol with the host:
GET / HTTP/1.1
GET http://www.google.com/ HTTP/1.1
Both will contain an HTTP Host header that specifies the DNS host.
The WSA can be configured for "transparent" or "forward". This is slightly misleading, as this is really "transparent" or "explicit" mode, both of which are forward proxy deployments. Reverse proxy is where the proxy is intended to be on the same network as the HTTP servers and its purpose is to serve up content for these HTTP servers.
The only major difference between transparent and forward mode on the WSA is that in transparent mode, the WSA will respond to both transparent and explicit HTTP requests. Whereas in explicit, the WSA ONLY responds to explicit HTTP requests.
The WSA will always send its upstream request as a transparent style request, since the WSA is acting as it's own client, UNLESS the WSA is configured to specifically use an explicit upstream proxy.
The following is another difference between transparent and explicit authentication:
401 - is sent from the WSA when authentication is required. This is also what the OCS would send.
407 - is sent from the WSA to tell the client that an HTTP proxy requires authentication.