Filtering the web with the help of a proxy server is a common way of ensuring monitoring and control of the http(s) activity going on in your IT environment. There are two main ways of using proxy servers to filter the web traffic: explicitly and transparently.
Explicit web proxy
Explicit web proxy would require the IT admin to configure all clients, which need to be filtered, to use a certain server as a proxy server. This is done by configuring the internet options of all the clients in the network and keeping in mind the different operating systems and browsers being used across the IT environment. The WPAD protocol helps by automating delivery of proxy settings to network clients and the IT admins may use group policy to enforce those settings on client machines.
In order for the process to be sustainable long-term, the IT admin must also make sure that the client users do not change their internet options, or that there are no other paths to the internet, for http(s) traffic, except through the proxy server. If you live in a world where almost everybody has local admin rights on their workstations, this may prove a very difficult task, but in reality it would be best to first address the rights issue first.
While explicit web proxy is widely used for web filtering, and does a good job in well-controlled environments, maintaining such a process is a difficult and time consuming task for IT admins. In addition, there are some limitations, particularly driven by the need for configuring proxy settings on clients. Mobile support of devices connecting to the internet through corporate WiFi is limited, as IT admins would need to deliver proxy settings to the mobile devices themselves, for example. That would implies configuring employees’ personal mobile devices which, in most cases, is unacceptable or very cumbersome, and always difficult or impossible to automate, as a process.
Transparent web proxy
Transparent proxies work in a similar manner as the explicit proxies, except they do not need IT admins to configure each and every client to pass through a proxy server.
Such technology can be deployed on an internet gateway and all an IT admin needs to do is route web traffic through them. Transparent proxy functionality would be able to look at all network traffic, identify and extract the http(s) traffic and then act as a proxy without the client browser (or client application) being aware of the fact that the replies are being served back through a proxy server.
There are obvious benefits to such a setup, as all clients correctly routed to the internet will always be filtered and protected no matter what the end users do, or change, on their machines. This removes the need of IT departments to monitor the internet options on various client machines and in various web browser. But it also decreases the need to cater for helpdesk requests regarding lack of internet connectivity coming from misuse of, or missing proxy settings.
Another benefit for this setup is the fact that WiFi is protected and filtered out of the box, no matter what type of device it is coming through. The IT admin only needs to further route the WiFi routers through the gateway, without needing to touch the mobile devices in any way. This streamlines the experience of mobile users and gives IT admins peace of mind when it comes to making sure those users are also protected and filtered. This benefit is of particular importance in light of the current regulations stating that companies are liable for the internet activity which takes place through their infrastructure. Users need to make sure that the internet activity going on is not malicious, that users are protected from online threats and that certain social categories are not exposed to inappropriate content.
One limitation of the transparent proxy functionality is lack of authentication. Since the clients are unaware that their requests are handled by a proxy server, the browsers and web applications do not know that they need to authenticate, so they do not call the authentication routines. This means that vendors of transparent proxy technology need to provide support for web authentication in a different way.
What should you go for?
There are ups and downs with both types of web proxies and choosing one of them depends on the particularities of the IT environments such as requirements, processes and policies already in place.
But it is always better when there are options to choose from, so the new GFI WebMonitor 10 delivers, along with explicit proxy functionality, transparent proxy support. This includes integrated and basic authentication functionality enabling IT admins to take advantage of all the benefits of this technology without compromising on security features such as web authentication.
The new GFI WebMonitor is now available for download and you can try out a FREE, fully functional, 30-day trial that comes complete with GFI Tech Support.