Overview: Forward Proxy vs. Reverse Proxy
We've talked about reverse proxy servers and how well they can protect the servers in your internal network. Lately, however, we've realized that some people think we're talking about forward proxy servers, or that the two are the same. They're not. This post will explain the differences between forward proxy and reverse proxy use cases.
The main purpose of a proxy service (which is the kind of service both of these provide) is to act on behalf of another machine, whether that is a client, a web server or some other backend server. In both cases, the proxy acts as a middleman.
The Forward Proxy
When people talk about a proxy server (often called a "proxy"), more often than not they are referring to a forward proxy. Let me explain what this particular server does.
A forward proxy provides proxy services to a client or a group of clients. Often, these clients belong to a common internal network like the one shown below.
When one of these clients makes a connection attempt to a file transfer server on the Internet, its requests have to pass through the forward proxy first.
Depending on the forward proxy's settings, a request can be allowed or denied. If allowed, then the request is forwarded to the firewall and then to the file transfer server. From the point of view of the file transfer server, it is the proxy server that issued the request, not the client. So when the server responds, it addresses its response to the proxy.
When the forward proxy receives the response, it recognizes it as a response to the request that went through earlier, and it sends that response to the client that made the request.
Because proxy servers can keep track of requests, responses, their sources and their destinations, different clients can send out various requests to different servers through the forward proxy and the proxy will intermediate for all of them. Again, some requests will be allowed, while some will be denied.
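The allow/deny decision and the request tracking described above can be modelled in a few lines. This is an added example, not code from the original post or from any JSCAPE product; the class name, the addresses, the host patterns and the request-id scheme are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

PROXY_IP = "203.0.113.10"  # constructed: the address the Internet server sees

@dataclass
class ForwardProxy:
    allowed_hosts: list                            # destination patterns clients may reach
    pending: dict = field(default_factory=dict)    # request id -> internal client
    audit: list = field(default_factory=list)      # (client, host, verdict)
    next_id: int = 0

    def handle_request(self, client_ip, host):
        """Apply the egress policy; return the request as the server will see it."""
        allowed = any(fnmatchcase(host.lower(), p) for p in self.allowed_hosts)
        self.audit.append((client_ip, host, "ALLOW" if allowed else "DENY"))
        if not allowed:
            return None                            # denied: nothing leaves the network
        self.next_id += 1
        self.pending[self.next_id] = client_ip
        # The outbound request carries the proxy's address, not the client's.
        return {"id": self.next_id, "src": PROXY_IP, "dst": host}

    def handle_response(self, response):
        """Match a server response to the client that made the request."""
        client_ip = self.pending.pop(response["id"], None)
        if client_ip is None:
            raise ValueError("response matches no outstanding request")
        return client_ip, response["body"]

def demo():
    """Constructed traffic: three clients, one denied, replies out of order."""
    proxy = ForwardProxy(["ftp.partner.example", "*.updates.example"])
    out1 = proxy.handle_request("10.0.0.5", "ftp.partner.example")
    denied = proxy.handle_request("10.0.0.9", "files.unknown.example")
    out2 = proxy.handle_request("10.0.0.7", "cdn.updates.example")
    # Replies arrive in the opposite order; the pending table still routes them.
    back2 = proxy.handle_response({"id": out2["id"], "body": "patch.bin"})
    back1 = proxy.handle_response({"id": out1["id"], "body": "invoice.csv"})
    return proxy, out1, denied, back1, back2
```

The audit list is the part a defender keeps: every request, allowed or denied, is recorded against the internal client that made it, even though the remote server only ever sees the proxy.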
As you can see, the proxy can serve as a single point of access and control, making it easier for you to enforce authentication, SSL encryption or other security policies. A forward proxy is typically used in tandem with a firewall to enhance an internal network's security by controlling traffic that originates from clients in the internal network and is directed at hosts on the Internet. Thus, from a security standpoint, a forward proxy is primarily aimed at enforcing security on client computers in your private network.
But then client computers aren't always the only ones you find in your internal network. Sometimes, you also have servers. And when those servers have to provide services to external clients (for example, field staff who need to access files from your FTP server), a more appropriate solution would be a reverse proxy.
The Reverse Proxy
What is a reverse proxy? As its name implies, a reverse proxy does the exact opposite of what a forward proxy does. While a forward proxy proxies on behalf of clients (or requesting hosts), a reverse proxy proxies on behalf of servers. A reverse proxy accepts requests from external clients on behalf of servers stationed behind it as shown below.
In our example, it is the reverse proxy that is providing file transfer services. The client is oblivious to the file transfer servers behind the proxy, which are actually providing those services. In effect, where a forward proxy hides the identities of clients, a reverse proxy hides the identities of servers.
An Internet-based attacker would find it considerably more difficult to acquire data found in those file transfer servers than if he didn't have to deal with a reverse proxy. This is why reverse proxy servers like JSCAPE MFT Gateway are very suitable for complying with data-impacting regulations like PCI-DSS.
Just like forward proxy servers, reverse proxies also provide a single point of access and control. You typically set it up to work alongside one or two firewalls to control traffic and requests directed to your internal servers.
In most cases, reverse proxy servers also act as load balancers for the servers behind them. Load balancers play a crucial role in providing high availability to network services that receive large volumes of requests. When a reverse proxy performs load balancing, it distributes incoming requests to a cluster of servers, all providing the same kind of service. So, for instance, a reverse proxy load balancing FTP services will have a cluster of FTP servers behind it, and will manage server load to prevent bottlenecks and delays.
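The sketch below models both points made about reverse proxies: the client only ever sees the proxy's address, and requests are spread across a cluster of equivalent backends. It is an added example, not code from the original post or from JSCAPE MFT Gateway; round-robin selection, the health flag and all addresses and names are assumptions chosen for illustration.

```python
import itertools

class ReverseProxy:
    """Toy reverse proxy: one public address in front of a backend cluster."""

    def __init__(self, public_addr, internal_addr, backends):
        self.public_addr = public_addr      # the only address clients learn
        self.internal_addr = internal_addr  # source address the backends see
        self.backends = list(backends)
        self.healthy = set(self.backends)
        self.served = {b: 0 for b in self.backends}
        self._rr = itertools.cycle(self.backends)

    def set_health(self, backend, up):
        """Record a health-check result for one backend."""
        if up:
            self.healthy.add(backend)
        else:
            self.healthy.discard(backend)

    def pick_backend(self):
        """Round-robin over the cluster, skipping backends marked down."""
        for _ in range(len(self.backends)):
            candidate = next(self._rr)
            if candidate in self.healthy:
                return candidate
        raise RuntimeError("no healthy backend available")

    def handle(self, client_ip, filename):
        backend = self.pick_backend()
        self.served[backend] += 1
        return {
            # Connection as the backend observes it: the proxy is the peer.
            "backend_sees": {"src": self.internal_addr, "dst": backend},
            # Connection as the client observes it: no backend address leaks.
            "client_sees": {"peer": self.public_addr, "file": filename},
            "original_client": client_ip,   # known only to the proxy
        }

def demo():
    """Constructed traffic: six requests, with one backend failing midway."""
    rp = ReverseProxy("198.51.100.20", "10.1.0.1",
                      ["10.1.0.11", "10.1.0.12", "10.1.0.13"])
    results = []
    for i in range(6):
        if i == 3:
            rp.set_health("10.1.0.12", up=False)
        results.append(rp.handle("192.0.2.44", f"report{i}.csv"))
    return rp, results
```

Because the backends see only the proxy's internal address, any per-client logging or IP blocking has to happen at the proxy, which is the one place that still knows the original client.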
Both types of proxy servers relay requests and responses between clients and destination machines. But in the case of reverse proxy servers, client requests that go through them normally arrive over TCP/IP connections from external clients, while, in the case of forward proxies, client requests normally come from the internal network behind them.
In this post, we talked about the main differences between forward proxy servers and reverse proxy servers. If you want to protect clients in your internal network, put them behind a forward proxy. On the other hand, if your intention is to protect servers, put them behind a reverse proxy.
Managed file transfer solutions such as JSCAPE make it easy to set up proxy servers including in your DMZ. Plus, JSCAPE can handle any protocol as well as multiple protocols from a single server. This helps simplify your file transfer environment by enabling you to consolidate and manage all file transfers and trading partners from a single location.
JSCAPE provides additional layers of security, too, including blocking IP addresses while preserving proxy servers, to help prevent brute force and DDoS attacks for CDN or origin servers.
Access your MFT clients from any web browser or use the JSCAPE mobile app to run and monitor transfers at any time. JSCAPE also provides broad functionality to help simplify and optimize your file transfer environment, including data loss protection, caching for HTTP/S content and the ability to connect to virtually any web server with JSCAPE's REST API.