Forward Proxy Service Object (Egress / East-West)

Forward Proxy services are used specifically for HTTP-based traffic. The object defines a listener port on which the Multicloud Defense Gateway accepts traffic; the gateway then forwards each connection to the host named in the TLS SNI extension (HTTPS) or in the HTTP Host header (HTTP).

Note

We recommend using this object type for egress and east-west traffic.

Use the following procedure to create and add a forward proxy service.

Procedure
Step 1

Navigate to Manage > Security Policies > Services.

Step 2

Click Create.

Step 3

Click Forward Proxy.

Step 4

Provide a name and description.

Step 5

Optionally select the Application IDs to match.

Step 6

Configure proxy parameters as defined below.

Option

Description

Decryption Profile

Assign a decryption profile, which also includes the signing certificate. Multicloud Defense impersonates the external server's certificate by re-signing it with the certificate in this profile. The profile's root certificate is assumed to be installed on all client application instances.

Dst Port

Assign a destination port. For most web-based services, the destination port will be 443.

Protocol

HTTP or HTTPS.

Note
  • Multicloud Defense listens on the Dst Port and waits for the packet carrying the HTTP Host header or the TLS ClientHello with the SNI extension. Once it receives this packet, it connects to that host using the configured protocol. If the protocol is HTTPS, the certificate received from the external host is re-signed with the certificate in the decryption profile and presented to the client. The root certificate must be installed on the client application instances to avoid a certificate error.

  • For a given destination port, only one decryption profile (root CA certificate) can be associated across all service objects in a policy rule set.

  • During a forward proxy session, the Multicloud Defense Gateway performs a DNS lookup on the destination, with a DNS request timeout of 30 seconds; cached answers age out after the record's TTL.
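The destination selection described in the note above, as an added example that is not Multicloud Defense code: a small Python parser that pulls the host name from a TLS ClientHello's SNI extension or from a plaintext HTTP Host header, the two fields the gateway uses to pick the upstream host. The function names and the constructed ClientHello are assumptions for illustration only.

```python
import struct
from typing import Optional

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello record carrying an SNI extension (test input only)."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name            # ServerName: type host_name(0)
    ext = struct.pack("!HH", 0, len(sni) + 2) + struct.pack("!H", len(sni)) + sni  # server_name(0)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type ClientHello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake(22)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                                 # not a handshake/ClientHello
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    try:
        p = 4 + 2 + 32                                              # header, client_version, random
        p += 1 + hs[p]                                              # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                # cipher_suites
        p += 1 + hs[p]                                              # compression_methods
        end, p = p + 2 + struct.unpack("!H", hs[p:p + 2])[0], p + 2  # extensions block
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0:                                          # server_name extension
                q = 2                                               # skip ServerNameList length
                while q + 3 <= len(data):
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:                                  # host_name entry
                        return data[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                                 # truncated or malformed hello
    return None

def extract_http_host(request: bytes) -> Optional[str]:
    """Return the Host header value from a plaintext HTTP request head, or None if missing."""
    for line in request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")         # may include a :port suffix
    return None

def proxy_destination(first_bytes: bytes, protocol: str) -> Optional[str]:
    """Choose the upstream host as the note describes: SNI for HTTPS, Host header for HTTP."""
    return extract_sni(first_bytes) if protocol == "HTTPS" else extract_http_host(first_bytes)
```

A client that sends neither field (or a truncated ClientHello) yields None, which is the case where the gateway has nothing to forward to.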