Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Reverse proxy

Describes reverse proxy, an intermediary between WAN edge devices and controllers, relaying control traffic and enhancing security by preventing direct internet connections to SD-WAN Control Components.


A reverse proxy in Cisco Catalyst SD-WAN is an intermediary network component that

  • relays control traffic between WAN edge devices and SD-WAN Control Components,

  • enhances security by preventing direct internet connections to SD-WAN Control Components, and

  • enables flexible deployment in single-tenant and multitenant setups.

Reverse proxy deployment and communication

In a standard overlay network, Cisco Catalyst SD-WAN edge devices initiate direct connections to the SD-WAN Control Components (SD-WAN Manager and SD-WAN Controllers) and exchange control plane information over these connections. The WAN edge devices are typically located in branch sites and connect to the SD-WAN Controllers over the internet. As a result, SD-WAN Manager and SD-WAN Controllers are also connected directly to the internet.

For security or other reasons, you may not want the SD-WAN Controllers to have direct internet connections. In such scenarios, the reverse proxy acts as an intermediary to pass control traffic between the SD-WAN Controllers and the WAN edge devices. WAN edge devices communicate with the reverse proxy, which relays traffic to and from SD-WAN Manager and SD-WAN Controllers.

You can deploy a reverse proxy in both single-tenant and multitenant Cisco Catalyst SD-WAN deployments. The TLOC communicates with the reverse proxy on the proxy's public IP address and port, regardless of whether the TLOC itself is public or private.

The following figure illustrates a reverse proxy deployed between a WAN edge device and the SD-WAN Manager and SD-WAN Controllers.
Figure 1. Reverse Proxy

Devices with private and public network connectivity

Describes the considerations for devices in a Cisco Catalyst SD-WAN network that connect to both private networks and the public internet.

You can use a reverse proxy in a Cisco Catalyst SD-WAN network that includes a device with these multiple TLOCs:

  • A TLOC that connects to an internal private network without internet access, and

  • A TLOC that connects to the public internet

This scenario has a specific requirement for configuring the TLOC color of each SD-WAN Controller. The following table describes this special case. For comparison, the table also includes examples of a device with only a private-network TLOC and a device with only a public-internet TLOC.

Table 1. TLOC Color Requirements

| Device | TLOC | TLOC Connectivity | Configure this TLOC Color as a... | The Device Connects to this SD-WAN Validator | Connectivity to SD-WAN Controller and SD-WAN Manager | Specific TLOC Color Requirements |
|--------|------|-------------------|-----------------------------------|----------------------------------------------|------------------------------------------------------|----------------------------------|
| A | 1 | Internal private network | Private color (example: private1) | SD-WAN Validator reachable through the private network | Direct connectivity through the private network | None |
| B | 1 | Public internet | Public color (example: custom1) | SD-WAN Validator reachable through the public internet | Connectivity through a reverse proxy | None |
| C | 1 | Internal private network | Private color (example: private1) | SD-WAN Validator reachable through the private network | Direct connectivity through the private network | See the requirement following the table (applies to Device C as a whole) |
| C | 2 | Public internet | Public color (example: custom1) | SD-WAN Validator reachable through the public internet | Connectivity through a reverse proxy | See the requirement following the table (applies to Device C as a whole) |

A network that includes a device with multiple TLOCs, such as Device C, has this specific requirement:

Configure the TLOCs for each SD-WAN Controller with the private color that you are using for the private network. Do not leave the TLOC color as default.

Leaving the TLOC color for the SD-WAN Controllers as the default color causes this problem: devices with a TLOC connecting to the internal private network, such as Device C, cannot connect to the SD-WAN Controllers.
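The following configuration fragments illustrate the TLOC color requirement for the SD-WAN Controllers. They are added here as an example and are not taken from the Cisco guide; the interface name, the IP addresses, and the route are assumptions for illustration, and the color private1 follows the example private color in Table 1. The first fragment shows a controller tunnel interface left at the default color, which is the condition that prevents a private-network TLOC (Device C, TLOC 1) from connecting; the second shows the corrected configuration using the private color.

```text
! SD-WAN Controller (vSmart) configuration, vEdge-style CLI
! Illustrative example, not from the guide. Interface name and addresses are assumed.

! --- Problem configuration: tunnel interface left at the default color ---
! A device whose path to this controller is a private-network TLOC
! (Device C, TLOC 1 in Table 1) cannot form a control connection.
vpn 0
 interface eth0
  ip address 10.10.0.2/24
  tunnel-interface
   ! "default" is the implicit value when no color is configured
   color default
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.10.0.1
!

! --- Corrected configuration: use the private color of the private network ---
vpn 0
 interface eth0
  ip address 10.10.0.2/24
  tunnel-interface
   ! Matches the private color configured on the private-network TLOCs (private1)
   color private1
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.10.0.1
!
```

Apply the corrected form on each SD-WAN Controller in the overlay, using whatever private color name you have chosen for the private network; the point is that the controller's TLOC color is explicitly the private color rather than left at default.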


Restrictions for reverse proxy

Multitenant scenario

In a multitenant Cisco Catalyst SD-WAN overlay network, you can deploy a reverse proxy only with a three-node SD-WAN Manager cluster.

TLS-based control plane

Deployment of the reverse proxy is only supported with a TLS-based control plane for SD-WAN Manager and SD-WAN Controllers.

Cisco vEdge 5000 router restriction

You cannot deploy a reverse proxy with a Cisco vEdge 5000 router.

IPv6

You cannot deploy a reverse proxy with IPv6 control connections.

Devices with a TLOC for a private WAN

The following restriction applies to edge devices in a scenario where:

  • one or more devices have a TLOC connecting them to a private WAN, and

  • one or more SD-WAN Validators do not have reachability to a reverse proxy.

In this scenario, Zero-Touch Provisioning (ZTP) onboarding does not support onboarding a Cisco IOS XE Catalyst SD-WAN device whose TLOC uses the default TLOC color. Bootstrap the device with a minimal configuration that sets a non-default TLOC color.
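A minimal bootstrap configuration of the kind this restriction calls for, added here as an illustration rather than taken from the guide. It sets a non-default TLOC color on the WAN interface of a Cisco IOS XE Catalyst SD-WAN device. The system IP, site ID, organization name, SD-WAN Validator address, interface name, IP addresses, and default route are placeholders chosen for the example; the color private1 follows the example private color used in Table 1.

```text
! Cisco IOS XE Catalyst SD-WAN device, minimal bootstrap configuration
! Illustrative example, not from the guide. All identifiers below are placeholders.
system
 system-ip 10.1.1.1
 site-id 100
 organization-name "EXAMPLE-ORG"
 vbond validator.example.com
!
! WAN interface facing the private WAN (assumed addressing)
interface GigabitEthernet1
 ip address 10.20.0.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.20.0.1
!
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   ! Non-default color on the private-WAN TLOC. Leaving the color at
   ! default is what prevents ZTP onboarding in the scenario above.
   color private1
  exit
 exit
!
```

The only part that the restriction strictly requires is the color statement under the tunnel interface; the rest is the minimum a device needs to locate the SD-WAN Validator and identify itself to the overlay.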