Firewalls and Proxies – Technical Architect Series


What is a Firewall?
In simple words, a firewall is something (software or hardware) that protects your resources from the external world (the internet).

Why Firewall?
Ask yourself these questions:
Do you leave your bank lockers unlocked?
Do you leave your car unlocked in the parking lot?
If your answer is no (unless you are adventurous), then why would you want to expose your servers to the internet?
You would want to put some protection in place to shield your server’s resources from the public internet. And at times you may want to restrict your employees from accessing certain websites. You can do both with a firewall.

How does a Firewall work?
A firewall works based on a pre-defined set of rules, typically configured by network admins. These rules are the instructions given to the firewall; based on them, the firewall allows or denies access to resources.

Are TAs expected to set up a firewall?
Nope, they are not. 9 out of 10 times your customer’s network admins will already have set this up for you. But as a TA, you are expected to understand how a firewall works, and to coordinate with the network admins to set up the firewall rules needed to gain access to resources on the servers.

Why would a TA even bother about the firewall, if it’s already set up by the customer’s network admins?
Many a time, when you try to connect to an external client system from Salesforce, you will hit the client’s network firewall. The firewall may not allow a callout/request from Salesforce to reach the client’s system, because it doesn’t recognize the request as a valid one. Hence you will have to get the firewall instructed to allow requests coming from Salesforce, meaning a new rule should be added to the firewall’s rule set; your client’s team may ask you to provide the IP ranges of Salesforce’s data centers.
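The allow/deny behaviour described above, and the effect of adding a rule for Salesforce’s IP ranges, can be seen in a small first-match rule evaluator. This is an added example, not code from the post or from any firewall product; the “Salesforce” ranges it uses are constructed placeholders taken from the RFC 5737 documentation blocks, not real Salesforce addresses.

```python
"""Minimal first-match firewall rule evaluator (added example, not from the post).

A rule set is an ordered list; the first rule whose protocol, source network and
destination port match the packet decides ALLOW or DENY.  A packet that matches
nothing falls through to the default DENY, which is how a perimeter firewall
normally behaves and why a callout from an unknown range "just fails".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Network                # source network the rule applies to
    dst_port: Optional[int]     # destination port, None means any port
    proto: str = "tcp"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


def evaluate(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (decision, reason) for a packet under first-match semantics."""
    src = ip_address(pkt.src_ip)
    for rule in rules:
        if rule.proto != pkt.proto:
            continue
        if src not in rule.src:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action, rule.comment or f"matched rule for {rule.src}"
    return "deny", "no rule matched (default deny)"


# Constructed placeholder ranges standing in for the Salesforce data-center
# ranges the client's team would ask for.  They are RFC 5737 documentation
# networks, NOT real Salesforce addresses.
SALESFORCE_RANGES_PLACEHOLDER = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed rule set for a client perimeter firewall in front of an HTTPS
# integration endpoint (port 443).  RULES[0] is what existed before the TA
# asked for the allow rule; the remaining entries are the rule that was added.
RULES: List[Rule] = [
    Rule("deny", ip_network("192.0.2.0/24"), None, "tcp", "block a known-bad range"),
    *[Rule("allow", ip_network(r), 443, "tcp", "Salesforce callouts to HTTPS endpoint")
      for r in SALESFORCE_RANGES_PLACEHOLDER],
]


def decide(pkt: Packet, rules: Iterable[Rule] = RULES) -> str:
    """Convenience wrapper returning just the decision."""
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    callout = Packet("198.51.100.7", 443)
    print("before allow rule:", evaluate(RULES[:1], callout))   # deny (default)
    print("after allow rule: ", evaluate(RULES, callout))       # allow
    print("wrong port:       ", evaluate(RULES, Packet("198.51.100.7", 22)))
    print("bad range:        ", evaluate(RULES, Packet("192.0.2.9", 443)))
```

The point to notice is that without the allow rule the Salesforce callout is refused with “no rule matched”, not with an explicit deny: from the Salesforce side both look the same (a timeout or connection refused), which is why the first thing to check with the client’s network admins is whether the rule exists at all, and whether it covers the right port.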

What is a Proxy?
In simple words, a proxy is a middleman between two parties (systems). A proxy could be a software application, a hardware device, or a mix of both.

For example, if you are unable to access the internet from your browser, you go to Internet Options, check your network settings and see whether your proxy setting is configured properly. Once you correct the proxy setting, your internet starts working. This means that when you type google.com in the address bar and hit the Enter key, your request first goes to your proxy (it’s like asking your proxy to get you google.com); the proxy forwards your request, gets the response and sends it back to your browser.

What is a Forward Proxy?
A forward proxy controls and monitors traffic from an application behind a firewall.

What is a Reverse Proxy?
A reverse proxy controls and monitors traffic from the internet that requires access to a server inside the customer’s firewall (a typical use case when working with Salesforce.com and external systems).

What are some of the Reverse Proxy use cases, from a salesforce.com implementation standpoint?
Your client might open up the following services to salesforce.com via a reverse proxy.

  • Delegated Authentication Endpoint
  • Web services (REST or SOAP)
  • Outbound Message Endpoint
  • Email Relay

So whenever you try to hit any of the above services, your request will first land on the client’s reverse proxy server, and it is the reverse proxy server’s responsibility to forward your request to the appropriate service.

Here are some of the well-known technologies used by enterprises. There are many more such technologies available in the market.

  • IBM DataPower
  • Layer 7 Secure Span Gateway
  • Apache HTTP Server – mod_proxy

What is a Proxy rule?
Proxy servers allow admins to define a set of rules. These rules can include the following (but are not limited to):

  • Authentication
  • Control time of access
  • URL Filtering
    for example, google.com may be allowed but bet365.com may be blocked.
  • and more
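The three rule kinds listed above, together with the forwarding job described in the reverse proxy section, fit into one small policy evaluator. This is an added example, not code from the post or from any of the products named above; every hostname, path, user name and access window in it is constructed. The same class models both a forward proxy (no routes: it fetches the requested URL on the client’s behalf, subject to authentication, time-of-access and URL filtering) and a reverse proxy (routes: it maps a public path such as /services/rest onto an internal backend).

```python
"""Proxy policy evaluator (added example, not from the post or any product).

Rules are applied in a fixed order: authentication, time of access, URL
filtering, then forwarding.  With an empty routing table the object behaves
as a forward proxy; with routes it behaves as a reverse proxy.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    user: Optional[str] = None        # identity presented to the proxy, None if anonymous
    now: time = time(10, 0)           # time of day, injected so the logic is testable


@dataclass
class ProxyPolicy:
    allowed_users: Set[str] = field(default_factory=set)          # authentication
    access_window: Tuple[time, time] = (time(0, 0), time(23, 59))  # control time of access
    blocked_hosts: Set[str] = field(default_factory=set)          # URL filtering
    routes: Dict[str, str] = field(default_factory=dict)          # reverse proxy: path prefix -> backend

    def check(self, req: Request) -> Tuple[str, str]:
        """Return ("deny", reason) or ("allow", url the proxy will actually fetch)."""
        if req.user is None or req.user not in self.allowed_users:
            return "deny", "authentication required"
        start, end = self.access_window
        if not (start <= req.now <= end):
            return "deny", "outside permitted access window"
        parts = urlsplit(req.url)
        host = parts.hostname or ""
        if host in self.blocked_hosts or any(host.endswith("." + b) for b in self.blocked_hosts):
            return "deny", f"URL filtering blocks {host}"
        if not self.routes:
            # Forward proxy: fetch the URL on the client's behalf, as with google.com.
            return "allow", req.url
        # Reverse proxy: longest matching path prefix selects the internal service.
        for prefix in sorted(self.routes, key=len, reverse=True):
            if parts.path.startswith(prefix):
                return "allow", self.routes[prefix] + parts.path[len(prefix):]
        return "deny", "no route for path"


# Constructed forward-proxy policy for employees' outbound browsing.
FORWARD_POLICY = ProxyPolicy(
    allowed_users={"alice", "bob"},
    access_window=(time(8, 0), time(18, 0)),
    blocked_hosts={"bet365.com"},
)

# Constructed reverse-proxy policy in front of the services a Salesforce org
# might call.  Backend hostnames are placeholders under the reserved
# .example domain.
REVERSE_POLICY = ProxyPolicy(
    allowed_users={"salesforce-integration"},
    access_window=(time(0, 0), time(23, 59)),
    routes={
        "/delegated-auth": "http://auth.internal.example/delegated",
        "/services/soap": "http://esb.internal.example/soap",
        "/services/rest": "http://api.internal.example/v1",
        "/outbound": "http://mq.internal.example/outbound",
    },
)


if __name__ == "__main__":
    print(FORWARD_POLICY.check(Request("https://www.google.com/", "alice")))
    print(FORWARD_POLICY.check(Request("https://www.bet365.com/", "alice")))
    print(FORWARD_POLICY.check(Request("https://www.google.com/", "alice", time(23, 30))))
    print(REVERSE_POLICY.check(Request("https://proxy.client.example/services/rest/accounts",
                                       "salesforce-integration")))
    print(REVERSE_POLICY.check(Request("https://proxy.client.example/admin",
                                       "salesforce-integration")))
```

Two design points carry over to real deployments: the reverse proxy only exposes the paths in its routing table, so anything not listed (the /admin request above) is refused before it reaches an internal host, and the rules are evaluated in a fixed order, so an unauthenticated request is rejected before any URL filtering or routing is consulted.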

Hope that’s helpful.

Watch out for more blog posts in this TA series.