Introduction
This document describes the difference between the transparent and proxy mode on the Cisco Web Security Appliance (WSA).
What is the difference between transparent and forward proxy mode?
The goal of a proxy is to be the middle man (proxy) between HTTP clients and HTTP servers. This specifically means that the Web Security Appliance (WSA), as a web proxy, has two sets of TCP sockets per client request:
Client > WSA
WSA > Origin server
How the WSA HTTP proxy obtains the client's request can be defined as one of two ways: Transparently or Explicitly.
Each of these deployments has several specific configuration options:

Deployment | Method | Description
--- | --- | ---
Transparent | Layer 4 Switch (PBR) | A Layer 4 switch is used to redirect based on destination port 80
Transparent | WCCP | A WCCP v2 enabled device (typically a router, switch, PIX, or ASA) redirects port 80
Transparent | Bridged mode | Dual NICs, virtually paired. Traffic goes in one NIC and out the other (not available)
Explicit | Browser Configured | Client browser is explicitly configured to use a proxy
Explicit | .PAC file configured | Client browser is explicitly configured to use a .PAC file, which in turn references the proxy
The WSA can use all of these deployments except for bridged mode. This is expected to be available in the near future.
When requests are redirected to the WSA transparently, the WSA must pretend to be the OCS (origin content server), since the client is unaware of the existence of a proxy. On the contrary, if a request is explicitly sent to the WSA, the WSA responds with its own IP information.
There are a few differences between explicit and transparent client HTTP requests:
- An explicit request has a destination IP address of the configured proxy. A transparent request has a destination IP address of the intended web server (DNS resolved by the client).
- The URI of a transparent request does not contain the protocol and host; the request line carries only the path, whereas an explicit request carries the full URL.
Both contain an HTTP Host header that specifies the DNS host.
WSA Configuration
The WSA can be configured for "transparent" or "forward". This is slightly deceptive, as this is really "transparent" or "explicit" mode, both of which are forward proxy deployments. Reverse proxy is where the proxy is intended to be on the same network as the HTTP servers and its purpose is to serve up content for these HTTP servers.
The only major difference between transparent and forward mode on the WSA is that in transparent mode, the WSA responds to both transparent and explicit HTTP requests, whereas in forward (explicit) mode the WSA ONLY responds to explicit HTTP requests.
The WSA always sends its upstream request as a transparent style request, since the WSA acts as its own client, UNLESS the WSA is configured to specifically use an explicit upstream proxy.
Another difference between transparent and explicit deployments is the authentication challenge the WSA sends:

Deployment | Authentication challenge
--- | ---
Transparent | 401 - sent from the WSA when authentication is required. This is also what the OCS would send.
Explicit | 407 - sent from the WSA to tell the client that an HTTP proxy requires authentication.
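The request-style differences above (absolute URL versus path-only request line, Host header, 401 versus 407) can be seen in code. The following is an added example written for this page, not Cisco code: it classifies a raw client request the way a forward proxy sees it, applies the transparent/forward mode acceptance rule, and picks the matching challenge status. The sample requests are constructed, not captured from a real deployment.

```python
# Added example (not Cisco's code): classify a raw HTTP request the way a
# forward proxy such as the WSA sees it, and pick the matching auth challenge.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Classified:
    style: str   # "explicit" (absolute-form URI) or "transparent" (path only)
    host: str    # DNS host the client intended to reach
    path: str    # path portion of the request


def classify_request(raw: bytes) -> Classified:
    """Inspect the request line and Host header of one client request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        # Explicit: the client addressed the proxy and put scheme+host in the URI.
        parts = urlsplit(target)
        return Classified("explicit", parts.netloc, parts.path or "/")
    # Transparent: the client thinks it is talking to the origin server; only
    # the Host header reveals which server the request was meant for.
    return Classified("transparent", headers.get("host", ""), target)


def accepted_in_mode(style: str, wsa_mode: str) -> bool:
    """WSA 'transparent' mode serves both styles; 'forward' mode serves only explicit ones."""
    if wsa_mode == "transparent":
        return True
    return style == "explicit"


def auth_challenge_status(style: str) -> int:
    """401 when impersonating the OCS (transparent), 407 when acting as a proxy (explicit)."""
    return 407 if style == "explicit" else 401


# Constructed sample requests (not captured from a real deployment).
EXPLICIT_REQ = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRANSPARENT_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (EXPLICIT_REQ, TRANSPARENT_REQ):
        c = classify_request(raw)
        print(c.style, c.host, c.path, auth_challenge_status(c.style),
              "accepted in forward mode:", accepted_in_mode(c.style, "forward"))
```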