"I don't think we can use your load balancer, because it's not a reverse proxy..." said the slightly confused reseller.

Which got me thinking, maybe I should write a blog about the difference between a Reverse Proxy Server and a Forward Proxy Server?

For that matter - what is a Reverse Proxy Server?

Wikipedia describes a Reverse Proxy Server as:

"In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client like they originated from the proxy server itself.[1] ... a reverse proxy is an intermediary for its associated servers to be contacted by any client."

But I think I have a far simpler description: Reverse Proxy Server = Load Balancer

It kind of shows the irony in the resellers comments about our load balancer not being a reverse proxy doesn't it?

So what is a Forward Proxy Server then?

Wikipedia describes a Forward Proxy Server as:

"In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.[1] A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity."

But again I think I have a far simpler description: Forward Proxy Server = Web Filter

Quite often you will use a load balancer in front of a bunch of web filters and we specialise in these kind of large scale deployments for all the big web filter vendors.

When is a load balancer not a Reverse Proxy?

Technically, the only mode on a load balancer that is a real Reverse Proxy is Layer 7 mode. Whereas all Layer 4 load balancing modes such as NAT, DR and TUN are nothing like a reverse proxy. The clients are effectively talking directly (transparently) to the backend servers.

Is a Reverse Proxy more secure than a layer 4 load balancer?

The short answer is NO!

A Reverse Proxy is still sending all of your requests to the real servers so any application security issues are still easily exploitable.

This is one of the many reasons why Microsoft dropped TMG, because it was effectively a pointless solution.
The one semi-useful feature on TMG to most IT Managers was the ability to allow single user sign on for multiple applications, but Microsoft rightly decided that actually, SSO in itself is a serious security risk (single bastion host on the edge of the network with access to all of the passwords on the network anyone?).

But back to the thing I really hated about TMG - Forcing you to use a DMZ! Arrrggghhhh!!!!!!

Look in an enterprise network, a DMZ is a potentially sensible thing to use, possibly even essential. Sean Wilkins wrote a good description of DMZs here

BUT with TMG you are forced to put yet another DMZ inside your original DMZ for no reason!

The 'too many DMZs problem' happens a lot with load balancer installations as well, every single server cluster ends up in its own DMZ - because someone thought it was a good idea...
Some people even think that the load balancer won't work unless it is the default gateway for your servers with at least two subnets....

So what happens when someone moves a perfectly good application cluster, from its perfectly good and well designed DMZ behind a load balancer?

Everyone loses access to the new and unnecessary DMZ..
and who are they going to blame?
Yes, that's right the load balancer vendor :-).

Please, please, please for the sanity of your engineers consider the idea of putting your load balancers in one-arm mode and NOT a two-arm DMZ.

DMZ-comic-final

The cartoon above illustrates the classic example of what engineers do when faced by a DMZ access problem - run a cable to the other side. I've seen this happen a thousand times.

Feel free to leave me a comment and tell me I'm talking rubbish (as usual). Thanks.

Want to quickly see how simple it is to set up a new load balanced cluster?