Bridge (Transparent) Mode vs. Proxy Mode

Note: available Webinars for this Topic include:

iPrism Technical Support Installation and Deployment Webinars (see Bridge/Proxy Webinar)

This article contrasts Bridge mode (a.k.a. "Transparent") and Proxy mode operation. These two modes of operation differ in the following areas:

  1. Physical Installation of iPrism

  2. Packet Handling

Physical Installation

A key decision when installing iPrism is whether you wish to use Bridge-Mode or Proxy-Mode (illustrated below). Bridge-Mode uses two NIC connections, and is said to be an "in-line" installation. Proxy-Mode uses 1 NIC connection. See iPrism Appliance Specifications, and use "Panel" links to examine connectors. Note: Routing Mode is no longer supported as of iPrism v4.1. You must re-configure for Bridge or Proxy Mode.

Packet Traffic - Transparent vs. Proxy

A key concept in understanding iPrism is that "Proxy" packet traffic is generated by reconfiguring client browsers to point at the iPrism, which sets an iPrism Destination-IP address, an iPrism Port number (3128 by default), and a reference to "Proxy" protocol in the packet.  

In contrast to the above, "Transparent" packet traffic has a Web-Server Destination-IP address, a Web Port number (80 for example), and a reference to a "web" protocol (like HTTP) in the packet.
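The two kinds of packet traffic described above can be told apart on the wire. The following is an added example, not iPrism code: it classifies a captured request by its destination and by the HTTP request-target form, on the assumption (standard HTTP behaviour per RFC 7230, not something this article states) that an explicitly proxied browser sends a full URL or a CONNECT, while transparent traffic carries only a path. The appliance address and the sample packets are constructed, and only cleartext HTTP is parsed.

```python
from dataclasses import dataclass

# Constructed appliance address; 3128 is the default proxy port named in the article.
IPRISM = ("192.0.2.10", 3128)

@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes  # start of the client's TCP stream

def request_form(payload: bytes) -> str:
    """Return the HTTP request-target form (RFC 7230 section 5.3)."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "not-http"
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        return "authority"   # CONNECT host:port, a tunnel request to a proxy
    if target.lower().startswith(("http://", "https://")):
        return "absolute"    # full URL: the client knows it is talking to a proxy
    if target.startswith("/") or target == "*":
        return "origin"      # path only: the client believes it reached the web server
    return "not-http"

def classify(pkt: Packet) -> str:
    form = request_form(pkt.payload)
    if form == "not-http":
        return "unparsed"    # TLS or a non-web protocol; outside this example
    to_proxy = (pkt.dst_ip, pkt.dst_port) == IPRISM
    if to_proxy and form in ("absolute", "authority"):
        return "proxy"       # "Proxy" packet traffic in the article's terms
    if not to_proxy and form == "origin":
        return "transparent" # "Transparent" packet traffic
    return "mismatch"        # destination and request form disagree

# Constructed sample traffic (documentation address ranges).
SAMPLES = [
    Packet("192.0.2.10", 3128, b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("192.0.2.10", 3128, b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", 443, b"\x16\x03\x01\x02\x00\x01"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.dst_ip}:{p.dst_port:<5} {classify(p)}")
```

A "mismatch" result usually points at a client whose proxy settings and network path disagree, which is worth checking when some users appear unfiltered.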

Knowing the above, it is easy to understand how single-interface Proxy-Mode supports "Proxy" packet traffic (i.e., explicitly redirected to iPrism), and how dual-interface Bridge-Mode quite naturally supports "Transparent" packet traffic due to its in-line installation. Note, however, that if you wanted to, you could set all users to explicitly proxy to an iPrism installed in Bridge-Mode, and it would work! Of course, you would not be taking advantage of various Bridge-Mode advantages, or avoiding client configuration. A more realistic example of sending Proxy packet traffic to a Bridge-Mode iPrism is when you need to support Terminal Server users.

In conclusion, Bridge-Mode typically implies handling Transparent packet traffic, but may also handle Proxy packet traffic when needed. Because a Proxy-Mode installation uses a single interface and is not "in-line", iPrism will only handle Proxy packet traffic explicitly directed to it.

One final note: below is a link to an article on "Transparent Proxy Mode", which simply means directing traffic to a single-interface iPrism (a.k.a. Proxy-Mode) without configuring clients. This is typically done with a Layer-3 switch or a router, perhaps by implementing WCCP. "Transparent" in this case means two things: 1) packet redirection without client-side configuration, and 2) Transparent packet traffic, since the original internet-destined packet is what iPrism sees. In summary:


Bridge-Mode (2 Network Connections)

All network traffic destined for the internet (email and web, for example) flows through the iPrism. iPrism filters Web and IM/P2P traffic only. It is best to position iPrism between the outbound internet connection and an internal switch to limit traffic handling to outbound internet traffic.

Proxy-Mode (1 Network Connection)

Web and IM network traffic explicitly directed to the iPrism is filtered.

Feature Comparison:

Bridge (Transparent) Mode                             | Proxy Mode
------------------------------------------------------+------------------------------------------------------
Bypass Mode Support                                   | No Bypass Mode Support
Possible Static Route Configuration                   | No Static Route Configuration
Kernel Layer Filtering                                | Application Layer Filtering
IM/P2P Filtering in Bridge Mode                       | IM Filtering only in Proxy Mode
No client configuration                               | Client configuration or Transparent Proxy or WCCP Router
Sees all Protocol traffic, filters HTTP/HTTPS & IM/P2P | Sees and filters HTTP/HTTPS & IM Only
HTTPS Handling                                        | HTTPS Handling
Anti-Host-to-IP-Spoofing Support                      | Anti-Host-to-IP-Spoofing Support
NAT Support - if Enabled                              | NAT Support - by Default
Client DNS Lookups                                    | iPrism DNS Lookups
Mixed-Mode Support                                    | No Mixed-Mode Support
Citrix/Termserver - by IP                             | Citrix/Termserver Support - by User
Session Terminations - Timeouts                       | Session Terminations - Close Browser
Parent Proxy Support with Client Considerations       | Parent Proxy Support
How do I Enable Bridge Mode?                          | How do I Enable Proxy Mode?

Conclusions

There are a variety of factors in selecting Bridge vs. Proxy vs. Transparent Proxy. In general, Bridge mode is recommended for most users. Bridge (Transparent) mode may be preferable when you do not want to configure clients, want Kernel Layer Filtering, and may benefit from a "mixed-mode" environment (see "Mixed-Mode Support" above). The one caveat is that you should make the effort to optimize the "in-line" placement of iPrism.

Proxy mode may be preferable when just getting started for testing and evaluation purposes (easy setup). Proxy mode may also be preferable when iPrism is installed "inside" a busy network with lots of different kinds of traffic. Proxy mode allows iPrism to ignore irrelevant traffic, possibly producing better overall results in this specific instance than Bridge (Transparent) mode.  Transparent Proxy Mode avoids client configuration.