
Reverse Proxy function from the "Agentless" Policy isn't available for the "Agent" policy.

Hello!

If you create an "Agentless" policy and use it on a Web-based resource, the ZTNA Gateway will act as a reverse proxy and use the imported certificate for automatic HTTPS over TCP/443. But this feature isn't available through the "Agent" policy.

As an example, if you have a certain Web service running over TCP/8080:

  • The "Agent" method will only allow the browser to connect if the user uses the TCP/8080 port directly.
  • The "Agentless" method will act as a reverse proxy and the experience will be transparent for the end user. (The user will access the resource by just using the FQDN, without any need to directly connect over a different port.)

It's understandable why the "Agentless" policy only allows HTTP/S traffic and does the proxying, but why isn't the "Agent" policy allowed to do the same?

This would be a good feature addition, since the users (such as me) don't have to run another reverse proxy just for the "Agent" clients.

Thanks!



  • Hello,

    Thanks for your feedback. Yes, currently this would not be possible in the agent-based approach as there is a tunnel established and no reverse proxying is involved. Could you let me know what use cases you are targeting in an agent-based approach for us to understand the problem better?

  • Could you let me know what use cases you are targeting in an agent-based approach for us to understand the problem better?

    I can't give you good (or serious) examples for use cases since I'm using ZTNA at home, but as explained above, having the reverse proxy function available for the Agent policies would help with the end-user experience.

    As for now, if you don't have a reverse proxy already in use, the end-user would need to input the TCP port on which the Web service is running (only if it isn't running on the standard 80/443).

    Even then, there are some web resources which don't have a TLS function for HTTPS encryption, and when it's available, most of the time it will come with a self-signed certificate. Having the reverse proxy function embedded in the ZTNA gateway would remove the need for another reverse proxy to be placed, or the need to supply all those web resources with a certificate individually.


    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Got it. Thanks for the additional info. I will add that to our backlog.