To learn more, read the Zscaler Cloud Browser Isolation data sheet.
If you’re ready to get a closer look, you can sign up for a 30-day trial.
It’s easy to get these two types of proxy servers confused, so let’s break them down.
By sitting in front of a web server, a reverse proxy ensures no clients communicate directly with the server. A forward proxy (another CASB mode) sits in front of client endpoints to intercept incoming requests and ensure no servers communicate directly with a client. These may sound functionally similar, but forward proxies usually depend on a software agent installed on endpoints to forward traffic, while reverse proxies do not.
“Reverse proxy server” is essentially a more formal term for a reverse proxy. (The same is true of “forward proxy server” for a forward proxy.) Today, we tend to drop “server” because it calls to mind hardware—like a physical box—whereas the technology often takes the form of an application or cloud service.
Sitting in the flow of traffic, a reverse proxy integrates with an organization’s authentication service (e.g., single sign-on). Once services and apps are configured to transact with the reverse proxy, it can operate inline without an agent. This offers a straightforward user experience, with incoming traffic to managed cloud apps and the like redirected to the reverse proxy automatically.
Let’s look at this process a bit more closely.
A reverse proxy can protect sensitive data (e.g., PCI data, PII) by acting as a middleman or stand-in for the server on which that data resides. Client requests are routed first to the reverse proxy, then through a specified port in any applicable firewall, and then to the content server—and finally, back again. The client and the server never communicate directly, but the client interprets responses as if they had. Here are the basic steps:
The reverse proxy can also scrub server responses for information that could allow a hacker to redirect to protected internal resources or take advantage of other vulnerabilities.
Reverse proxying, as a CASB deployment mode, is core to the security service edge model alongside secure web gateway (SWG), zero trust network access (ZTNA), and other cloud-delivered security services.
Beyond SSE, common specific use cases for reverse proxies include:
Many of your employees may use multiple devices for work, including personal ones. Beyond that, plenty of suppliers, partners, and customers may need access to your internal applications on their own unmanaged devices, presenting a risk to your security.
You can install agents to manage devices your organization owns, but unmanaged endpoints are a different story. Third parties won’t let you install agents on their endpoints, and many employees don’t want agents on their personal devices, either. Instead, a reverse proxy offers agentless protection against data leakage and malware from any unmanaged device accessing your cloud applications and resources.
A reverse proxy can enforce data loss prevention policies to prevent accidental or intentional uploads or downloads of sensitive information to or from sanctioned cloud apps. Because it operates inline and inspects encrypted traffic (especially a cloud-based reverse proxy), it can ensure uploaded or downloaded data falls in line with your policies.
An infected file in a cloud service can spread to connected apps and devices—especially unmanaged devices. By agentlessly preventing uploads or downloads of infected files to or from cloud resources, a reverse proxy provides advanced threat protection against malware and ransomware.
By nature, reverse proxies also hide servers and their IP addresses from clients, which protects web resources from threats such as distributed denial of service (DDoS attacks).
Reverse proxies can be used to handle client requests that could otherwise overwhelm a single server with high demand, promoting high availability and better load times by taking pressure off the backend server. They mainly do this in two different ways:
With those use cases in mind, the advantages of using a reverse proxy fall into three main areas:
Reverse proxies offer notable security benefits when it comes to securing unmanaged devices and enterprise applications, but they bring notable shortcomings, too, such as:
Today, more organizations are turning to Cloud Browser Isolation to avoid the limitations and breakage risks of reverse proxies while still enabling secure use of unmanaged devices without endpoint agents.
When a user accesses a managed cloud application, Zscaler Cloud Browser Isolation virtualizes the session and renders content in an isolated environment in the cloud, sending the session to the user as a stream of pixels. The user experience is identical to the native experience of that cloud app, except that CBI prevents unmanaged devices from downloading, copying, pasting, or printing the sensitive data found in the app.
This makes CBI the ideal way to support flexibility and productivity for your extended user base while preventing accidental leakage, malicious exfiltration, and malware proliferation via unmanaged devices.
Zscaler Cloud Browser Isolation provides unmatched defense against web-based data leakage and threats, powered by the industry's most advanced zero trust web isolation.
An Unmatched User Experience
Get lightning-speed connections to apps and websites with our unique pixel-streaming technology and direct-to-cloud proxy architecture. Users receive a high-performance stream of pixels in their browser, offering security without cutting into productivity.
Consistent Protection for Users Anywhere
Protect any user, on any device, in any location with a zero trust isolation policy that spans headquarters, mobile or remote sites, and highly targeted functions and departments.
Less Management Hassle
Deploy and manage in seconds, leveraging Zscaler Client Connector or an agentless option to route traffic through the Zscaler Zero Trust Exchange™ with native Cloud Browser Isolation integration.
Universal Compatibility
Enjoy coverage for all major web browsers to suit user preferences. Cookie persistence for isolated sessions keeps users’ key settings, preferences, and sign-on information intact.
To learn more, read the Zscaler Cloud Browser Isolation data sheet.
If you’re ready to get a closer look, you can sign up for a 30-day trial.
What Is a Forward Proxy?
Learn moreWhat Is a Cloud Proxy?
Learn moreZscaler Cloud Browser Isolation
Read the data sheetWhat You Need to Know to Secure BYOD and Overcome Reverse Proxy Headaches
Read the blogWhy Next-Gen Firewalls Can Never Be Proxies: The Right Architecture Matters
Read the blogTop CASB Use Cases
Read the ebook