What is a reverse proxy server?

A reverse proxy server is a security device that is usually deployed in a network DMZ to protect HTTP servers (or IBM® Sametime® servers) on a corporate intranet. It performs security functions that protect the internal servers from attacks by users on the Internet.

The reverse proxy server protects internal HTTP servers by providing a single point of access to the internal network. This single point of access to all HTTP servers on an internal network offers these specific security advantages and network access characteristics:

  • The administrator can use the authentication and access control features of the reverse proxy server to control who can access the internal servers and control which servers each individual user can access. When a reverse proxy is deployed, the authentication process and access rights to multiple internal servers can be controlled from a single computer, which simplifies the security configuration.
  • All traffic to your intranet servers appears to be destined for a single network address (the address of the reverse proxy server).

    When a reverse proxy server is deployed, only URLs that are associated with the reverse proxy server are made public to web browser users. Users from the Internet use these URLs to access the reverse proxy server. The reverse proxy server handles these requests from Internet users and redirects these requests to the appropriate internal HTTP server.

    The administrator performs URL mapping configurations on the reverse proxy server that make this redirection possible. When configuring the reverse proxy server, the administrator maps the URLs that are used to access the reverse proxy server to the real URLs of the internal HTTP servers. When an Internet user sends a URL to the reverse proxy server, the reverse proxy server examines the URL and uses these mapping configurations (or rules) to rewrite the URL.

    The reverse proxy server rewrites the URL by replacing the server address provided by the Internet user (a reverse proxy address) with the real address of the internal server. The HTTP request is then sent on the internal network from the reverse proxy server to the internal server.

  • All traffic sent to Internet users from your internal servers appears to originate from a single network address.

    When an internal HTTP server (or Sametime server) responds to a request from an Internet user, the internal server sends the response to the reverse proxy server and the reverse proxy server sends the response to the Internet user. The response sent on the Internet to the Internet user contains the address of the reverse proxy server, not the address of the internal HTTP server.
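
The URL mapping described above, sketched in both directions as an added example (not IBM's or any product's code): a request URL addressed to the proxy is rewritten to an internal URL, and an internal URL in a response is rewritten back to the proxy address. The host names, path prefixes and function names are hypothetical, and the rule that unmapped or ambiguous paths are refused is an assumption of this sketch.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed mapping rules: public path prefix on the proxy -> internal server.
PROXY_ORIGIN = "https://proxy.example.com"
RULES = {
    "/mail": "http://mail01.intranet.example:8080",
    "/st": "http://sametime01.intranet.example",
}

def _match(path):
    """Return (prefix, backend) for the longest rule matching on a segment boundary."""
    for prefix in sorted(RULES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, RULES[prefix]
    return None

def rewrite_request(public_url):
    """Map a URL addressed to the proxy to the internal URL, or None to refuse."""
    parts = urlsplit(public_url)
    if f"{parts.scheme}://{parts.netloc}" != PROXY_ORIGIN:
        return None
    # Refuse encoded dots and slashes: a backend that decodes them could be
    # steered outside the mapped prefix after the proxy has made its decision.
    if "%2e" in parts.path.lower() or "%2f" in parts.path.lower():
        return None
    # Normalise first so "/mail/../admin" cannot escape its mapped prefix.
    path = posixpath.normpath(parts.path or "/")
    hit = _match(path)
    if hit is None:
        return None  # no rule: nothing on the intranet is reachable by default
    prefix, backend = hit
    b = urlsplit(backend)
    return urlunsplit((b.scheme, b.netloc, path[len(prefix):] or "/", parts.query, ""))

def rewrite_response_url(internal_url):
    """Rewrite an internal URL found in a response (such as a Location header)."""
    parts = urlsplit(internal_url)
    origin = f"{parts.scheme}://{parts.netloc}"
    for prefix, backend in RULES.items():
        if origin == backend:
            proxy = urlsplit(PROXY_ORIGIN)
            return urlunsplit((proxy.scheme, proxy.netloc, prefix + parts.path, parts.query, ""))
    return None  # unknown internal address: drop it rather than expose it

if __name__ == "__main__":
    print(rewrite_request("https://proxy.example.com/mail/inbox?id=7"))
    print(rewrite_response_url("http://sametime01.intranet.example/meeting/42"))
```
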