Bridge (Transparent) Mode vs. Proxy Mode

Note: available Webinars for this Topic include:

iPrism Technical Support Installation and Deployment Webinars (see Bridge/Proxy Webinar)

This article is meant to contrast Bridge mode (aka "Transparent") and Proxy mode operation. These two modes of operation differ in the following  areas:

  1. Physical Installation of iPrism

  2. Packet Handling

Physical Installation

A key decision when installing iPrism is whether you wish to use Bridge-Mode or Proxy-Mode (illustrated below). Bridge-Mode uses two NIC connections, and is said to be an "in-line" installation. Proxy-Mode uses 1 NIC connection. See iPrism Appliance Specifications, and use "Panel" links to examine connectors.

Packet Traffic - Transparent vs. Proxy

A key concept in understanding iPrism is that "Proxy" packet traffic is generated by reconfiguring client browsers to point at the iPrism, which sets an iPrism Destination-IP address, an iPrism Port number (3128 by default), and a reference to "Proxy" protocol in the packet.  

In contrast to the above, "Transparent"packet traffic has a Web-Server Destination-IP address, a Web Port number (80 for example), and a reference to a "web" protocol (like HTTP) in the packet.

Knowing the above, it is easy to understand how single-interface Proxy-Mode supports "Proxy" packet traffic (i.e., explicitly redirected to iPrism) ...  and how dual-interface Bridge-Mode quite naturally supports "Transparent" packet traffic due to in-line installation.  Note however, that if you wanted to, you could set all users to explicitly proxy to an iPrism installed in Bridge-Mode, and it would work!  Of course, you would not be taking advantage of various Bridge-Mode advantages, or avoiding client configuration. A more realistic example of sending Proxy packet traffic to a Bridge-Mode iPrism is when you need to support Terminal Server users.  In conclusion, Bridge-Mode typically implies handling Transparent packet traffic, but may also handle Proxy packet traffic when needed. Because a Proxy-Mode installation uses a single-interface and is not "in-line", iPrism will only handle Proxy packet traffic explicitly directed to it. One final note; below is a link to an article on "Transparent Proxy Mode" which simply means directing traffic to a single-interface iPrism (a.k.a. Proxy-Mode) without configuring clients. This is typically done with a Layer-3 switch or a router, perhaps by implementing WCCP. "Transparent" in this case means two things, 1) packet redirection without client-side configuration, and 2) Transparent packet traffic since the original internet-destined packet is what iPrism see's. In summary:

Bridge-Mode (2 Network Connections)

All network traffic destined for the internet (email and web, for example) flows through the iPrism. iPrism filters Web and IM/P2P traffic only. It is best to position iPrism between the outbound internet connection and an internal switch to limit traffic handling to outbound internet traffic.

Proxy-Mode (1 Network Connection)

Web and IM network traffic explicitly directed to the iPrism is filtered.

Feature Comparison:

Bridge (Transparent) Mode

 

Proxy Mode

Bypass Mode Support

No Bypass Mode Support

Possible Static Route Configuration

Kernel Layer Filtering

No Static Route Configuration

Application Layer Filtering

IM/P2P Filtering in Bridge Mode

IM Filtering only in Proxy Mode

No client configuration

Client configuration or
Transparent Proxy or
WCCP Router

Sees all Protocol traffic,
filters HTTP/HTTPS & IM/P2P

Sees and filters
HTTP/HTTPS & IM Only

HTTPs Handling

HTTPs Handling

Anti-Host-to-IP-Spoofing Support

Anti-Host-to-IP-Spoofing Support

NAT Support - if Enabled

NAT Support - by Default

Client DNS Lookups

Mixed-Mode Support

Citrix/Termserver - by IP

Session Terminations - Timeouts

Parent Proxy Support
with Client Considerations

How do I Enable Bridge Mode?

iPrism DNS Lookups

No Mixed-Mode Support

Citrix/Termserver Support - by User

Session Terminations - Close Browser

Parent Proxy Support

 

How do I Enable Proxy Mode?

Conclusions

 

There are a variety of factors in selecting Bridge vs. Proxy vs. Transparent Proxy.  In general, Bridge mode is recommended for most users. Bridge (Transparent) mode may be preferable when you do not want to configure clients, want Kernel Layer Filtering, and may benefit from a "mixed-mode" envrionment (See "Mixed-Mode Support" above).  The one caveat is that you should make the effort to optimize the "in-line" placement of iPrism.

Proxy mode may be preferable when just getting started for testing and evaluation purposes (easy setup). Proxy mode may also be preferable when iPrism is installed "inside" a busy network with lots of different kinds of traffic. Proxy mode allows iPrism to ignore irrelevant traffic, possibly producing better overall results in this specific instance than Bridge (Transparent) mode.  Transparent Proxy Mode avoids client configuration.