Updated: May 2, 2022
This document describes the difference between transparent and forward proxy mode on the Cisco Web Security Appliance (WSA).
What is the difference between transparent and forward proxy mode?
The goal of a proxy is to be the middle man (proxy) between HTTP clients and HTTP servers. This specifically means that the Web Security Appliance (WSA), as a web proxy, has two sets of TCP sockets per client request:
Client > WSA
WSA > Origin server
The WSA HTTP proxy obtains the client's request in one of two ways: transparently or explicitly.
Each of these deployments has several specific configuration options:
Layer 4 Switch (PBR): A Layer 4 switch is used to redirect based on destination port 80
A WCCP v2 enabled device (typically a router, switch, PIX, or ASA) redirects port 80
Dual NICs, virtually paired. Traffic goes in one NIC and out the other (not available)
Client browser is explicitly configured to use a proxy
.PAC file configured: Client browser is explicitly configured to use a .PAC file, which in turn references the proxy
The WSA can use all of these deployments except for bridged mode. Bridged mode is expected to be available in the near future.
When requests are redirected to the WSA transparently, the WSA must pretend to be the OCS (origin content server), since the client is unaware of the existence of a proxy. In contrast, if a request is explicitly sent to the WSA, the WSA responds with its own IP information.
There are a few differences between explicit and transparent client HTTP requests:
An explicit request has a destination IP address of the configured proxy. A transparent request has a destination IP address of the intended web server (DNS resolved by the client).
The URI for a transparent request does not contain the protocol with the host:
Both contain an HTTP Host header that specifies the DNS host.
The WSA can be configured for "transparent" or "forward". This is slightly deceptive, as this is really "transparent" or "explicit" mode, both of which are forward proxy deployments. Reverse proxy is where the proxy is intended to be on the same network as the HTTP servers and its purpose is to serve up content for these HTTP servers.
The only major difference between transparent and forward mode on the WSA is that in transparent mode, the WSA responds to both transparent and explicit HTTP requests, whereas in explicit mode, the WSA ONLY responds to explicit HTTP requests.
The WSA always sends its upstream request as a transparent style request, since the WSA acts as its own client, UNLESS the WSA is configured to specifically use an explicit upstream proxy.
Here is another difference between transparent and explicit authentication:
401 - is sent from the WSA when authentication is required. This is also what the OCS would send.
407 - is sent from the WSA to tell the client that an HTTP proxy requires authentication.
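The request-style and authentication differences described above can be checked in a packet capture or proxy log. The following is an added example, not Cisco code: it classifies a raw HTTP request by its request-target and reports the challenge status the page pairs with each style. The sample requests and www.example.com are constructed, the function name is hypothetical, the challenge header names come from the HTTP standard, and treating CONNECT as an explicit request goes beyond what the page states.

```python
# Added example, not Cisco code. Sample requests are constructed and
# www.example.com is a placeholder host.
EXPLICIT_REQ = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")
TRANSPARENT_REQ = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n\r\n")
CONNECT_REQ = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
               b"Host: www.example.com:443\r\n\r\n")

# Auth challenge per request style: (status code, challenge header).
CHALLENGE = {
    "explicit": (407, "Proxy-Authenticate"),   # proxy identifies itself
    "transparent": (401, "WWW-Authenticate"),  # what the OCS would send
}


def classify_request(raw: bytes) -> dict:
    """Classify one captured HTTP request head as explicit or transparent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target, _version = parts

    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        mode = "explicit"      # target carries scheme and host, or host:port
    elif target.startswith("/"):
        mode = "transparent"   # path only; host appears in the Host header
    else:
        raise ValueError(f"unrecognised request-target: {target!r}")

    status, challenge = CHALLENGE[mode]
    return {"mode": mode, "method": method, "target": target,
            "host": headers.get("host"), "auth_status": status,
            "auth_header": challenge}


if __name__ == "__main__":
    for req in (EXPLICIT_REQ, TRANSPARENT_REQ, CONNECT_REQ):
        print(classify_request(req))
```

Both styles yield the same `host` value from the Host header, so the request-target and the destination IP address are what distinguish them.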
Added the Introduction section and corrected typographical errors.