Proxy Mode is relatively simple to
configure and scales well, but has one caveat, namely, it prevents client IP
recording by real-server access logs. The reason this occurs is because of
the path the traffic flows in a Proxy Mode configuration, and because of the
unique role the SSL-x plays in this design.
Proxy Mode Configuration
Unlike the other methods of deployment,
when used in Proxy Mode the SSL-x does not act transparently. Instead, it
acts—as the name implies—as a proxy between the requesting client and the
back-end real-server. Because of this behavior, the real-server sees the
access as coming from the IP address of the SSL-x, rather than from the
originating client. While this effect is acceptable in many installations,
there will be instances where client IP accounting accuracy will be
required. In such cases, an alternate design method is encouraged.
Proxy Mode is one of two modes that
employs SonicWALL's One-Armed SSL Offloading. This design difference,
combined with proxy rather than transparent operation, results in a flow of
traffic that is notably different from the others. Because only a single
port will be used on the SSL-x, the introduction of bridge loops by the
SSL-x will not be a concern. Additionally, because the redirection method
will be non-transparent, Equal Cost routing will not be employed when
supporting multiple SSL devices, and separate VLANs for each attached SSL-x
device will not be required.
