Reverse and Forward Proxy - How it Works


GoAnywhere Gateway can serve as both a reverse and forward proxy. Typically GoAnywhere Gateway is installed in the demilitarized zone (DMZ) and GoAnywhere MFT is installed in the private/internal network.

At startup, GoAnywhere MFT creates an outbound connection to GoAnywhere Gateway, which is used as a "control channel" for passing commands and messages between the products. This control channel will initially provide the proxy details (IP and port mappings) to GoAnywhere Gateway, at which point it will start up "listeners" on the designated IPs and ports for incoming traffic.

Reverse Proxy

A reverse proxy is an intermediate connection point that serves as a gateway between users and your origin server. This type of proxy server retrieves files or other resources on behalf of a client. In the case of GoAnywhere Gateway’s reverse proxy, when an external client (trading partner) connects to a listener on GoAnywhere Gateway in the DMZ, GoAnywhere Gateway will make a request over the control channel to GoAnywhere MFT in the private/internal network. GoAnywhere MFT will then create a new outbound data channel to GoAnywhere Gateway. This data channel will be attached to the desired service (e.g. FTP, FTPS, SFTP, HTTP/s) and all traffic for that session will be routed over this new data channel including client authentication requests, data and commands. When the session is terminated, the corresponding data channel will be removed.

GoAnywhere Gateway Diagram

Forward Proxy

Similar to a reverse proxy, a forward proxy also serves as an intermediary between clients and servers; however, forward proxies filter connections going out (where reverse proxies filter connections coming in) from the internet to your servers.

The Forward Proxy in GoAnywhere Gateway allows you to route client requests from GoAnywhere MFT (in the private/internal network) to external FTP, FTPS, SFTP and SCP servers without revealing the identity or locations of your internal systems. The Forward Proxy is additionally used by GoAnywhere MFT to route active and passive FTP and FTPS data connections through GoAnywhere Gateway.

When a process in GoAnywhere MFT needs to make an outbound connection through the proxy, a request is made to GoAnywhere Gateway with the address of the intended destination. GoAnywhere Gateway will then establish the connection to that destination and will bridge it to the requesting system.

GoAnywhere MFT has provided many solutions to many problems we had. It resolved our secure mail issue, gave us more data delivery methods that are also more secure, and GoAnywhere Gateway has also given us peace of mind by taking our customer data back into our private network where it is more secured.

Harrison Palmer, Tech Support, New England Document Systems

Request a quote for our GoAnywhere Gateway solution.