Forward Proxy Service Object (Egress / East-West)

Forward Proxy services are specifically used for HTTP based traffic. The object defines a listener port that the Multicloud Defense Gateway listens for the traffic it receives and forwards to the address/host that's available in the TLS SNI extension header or HTTP Host Header.

Note

We recommend using this for egress/East-West traffic.

If the connection type is set to Forward Proxy, the traffic flow is proxied through the gateway at various layers depending on the proxy type. The session from the client is terminated on the gateway instance and a new session is established from the gateway instance to the destination. The gateway instance behaves as a mediator in the middle. The gateway instance listens for the HTTP host header or the TLS hello packet. Once it receives the packet, it extracts the domain and connects to the host using the specified protocol and destination port. For encrypted traffic, a self-signed certificate is required to decrypt, inspect and re-encrypt traffic.

Operating in forward-proxy mode at the TLS layer requires a gateway instance to present a self-signed certificate to the client initiating the connection request. Self-signed certificate body is imported into the Multicloud Defense Controller. The associated private key can be imported to the Multicloud Defense Controller in the following ways:

  • Import the private key.

  • Store in AWS Secrets Manager and provide the secret name.

  • Store in AWS KMS and provide the cipher text contents.

  • Store in GCP Secrets Manager and provide the secret name.

  • Store in Azure KeyVault and Secret and provide the keyvault and secret name.

Use the following procedure to create and add a forward proxy service.

Procedure

Step 1

In the Security Cloud Control platform menu, choose Products > Multicloud Defense .

Step 2

Navigate to Policies > Security Policies > Services.

Step 3

Click Create.

Step 4

Click Forward Proxy.

Step 5

Provide a name and description.

Step 6

Optionally, select the Application IDs to match.

Step 7

Configure proxy parameters as defined below.

Option

Description

Decryption Profile

Assign a decryption profile, which includes the certificate to be used. Multicloud Defense impersonates the external certificate by signing it with the certificate provided in this profile. The root certificate is assumed to be installed on all the client application instances.

Dst Port

Assign a destination port. For most web-based services, the destination port will be 443.

Protocol

HTTP or HTTPS.
Note

  • Multicloud Defense listens on the Dst Port and waits for the HTTP Host header or TLS SNI Header packet. Once Multicloud Defense receives this packet, it connects to the host using the protocol. If the protocol is HTTPS, the received certificate data from the external host is signed by the certificate in the decryption profile and sent to the client. The root certificate must be installed on the client app instances to avoid a certificate error.

  • For a given destination port, there can be only one decryption profile (root CA certificate) association in a policy rule set across all service objects.

  • During a forward proxy session, Multicloud Defense Gateway performs a DNS lookup on the destination with DNS request timeout of 30 seconds and cache age-out of TTL seconds.