Reverse proxy for internal requests ?

**dlaperle** · 05-10-2010

Using a reverse proxy within a DMZ to dispatch Internet requests to internal Web servers is a very well known best practice but what about using a similar setup for intranet requests ?

If a install a reverse proxy server for internal usage and define a new secure zone (between firewalls) where I place internal Web servers, I will be able to prevent direct access to internal servers and I also get the benefits of hiding ports, perform load-balancing, caching etc.

But I can't find any such advices on the Web, reverse proxy servers always show up in an Internet context. So is it streamline or an overkill architecture for internal requests ?

An alternative to the firewalls would be to configure each internal Web server, so they only accept requests coming from a reverse proxy but I still need the reverse proxy to get the other benefits. A VLAN might be a better choice in this situation...

I would like to hear your opinion about it.

**Makayla-alex** · 06-10-2010

I know about the using a reverse proxy to enable remote user access. A reverse proxy server is a computer running proxy server software such as Microsoft Internet Security and Acceleration (ISA) Server. The reverse proxy server is situated within the perimeter network (also identified as DMZ or demilitarized region), a network flanked by the internal corporate network and Internet. When an external user tries to attach to a virtual server for Communicator Web Access, Domain Name System (DNS) involuntarily routes the request to reverse proxy server. Then the reverse proxy server forwards the service request Communicator Web Access server. For end users this process is entirely transparent. For them, the reverse proxy server is the Communicator Web Access server.

Communicator Web Access is well-matched with mainly reverse proxies of the market. Therefore, in most cases you can use any software reverse proxy, with one exemption: If you chose to use the login authentication only, you must use Microsoft Internet Security and Acceleration (ISA) Server 2006 with the login (SSO) enabled on the web listener. Whatever the reverse proxy server you select, it is suggested that this server is a member of the working group and not a domain affiliate server internal confidence. This will get a supplementary level of security. If you conciliate the security reverse proxy server, attackers only have access to that server and not the internal network. For presentation motives, you should not install any other software on the reverse proxy server. However, the identical team that acts as a reverse proxy server for Communicator Web Access can also be used as a reverse proxy server for other applications (such as Outlook Web Access).

**dlaperle** · 06-10-2010

Alex, I'm familiar with the typical reverse proxy environment you described but I would like to know if it make sense to use a similar approach for intranet users accessing internal Web applications ?

If yes, which strategy would you implement to prevent internal users hitting intentionnally the various internal Web servers directly ? (vlan, workgroup, new security zone between firewalls...)

Thanks

**Saura** · 07-10-2010

I would like to suggest the vlan for you. Now in my existing environment I have two broadband connections each with dissimilar DMZ's on split vlans and two part networks on 2 more vlans. The aspire of this is to keep my servers and such out of the way of my cousin’s network so that he can have an straightforward to preserve merely router setup. For that, PFsense was appropriate which will also act as a firewall and port forwarder for the web server and the mail server. pfsense supports multi wan with sticky connections. In petite you give it a server outside on the net and it will ping it to work out the latency on equally connections then balance the users between the two. The sticky part means that it comprehends if there are authenticated sessions etc. on one of the connections and not to substitute a client over mid way through a session. So that might be added in at several point.

Hope you will get some help from my post.