LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's a classic Proxy / ALG product example (Blue Coat ProxySG), and how do its rules differ from network-level firewalls?

Blue Coat ProxySG (now Symantec Secure Web Gateway) is a classic enterprise web proxy. Its rules combine network parameters with user identity and client-software identity — letting you write "user @bob can browse YouTube only after 5 PM."

What a typical Blue Coat config screen shows:

  • Proxy Services (DNS, HTTP, HTTPS, FTP) — each marked Bypass or Intercept.
  • Visual Policy Manager — rules with Source = user/group, Destination = URL/category, Action = Allow/Deny.

The unique columns of an ALG ruleset:

Column Network FW Web Proxy / ALG
Source IP / subnet IP, user/group (LDAP/AD), client software, geolocation
Destination IP / subnet IP, URL, URL category, MIME type
Service port/proto application (HTTP, HTTPS, FTP), specific HTTP method
Action allow / deny allow / deny / redirect / modify content / inspect TLS

As Blue Coat's documentation puts it: "Proxies können neben den 'klassischen' Parametern auch User oder Clientsoftware im Ruleset integriert".

User-aware policies — the killer feature:

A network firewall sees IP 10.0.0.55. A proxy can resolve that to "user bwuermli, member of group 'students', logged in via Active Directory at 09:14." Now you can write rules like:

Source Destination Action
group:Engineers github.com Allow
group:Marketing github.com Block (no business need)
group:Interns streaming.* Block during business hours

This is identity-aware filtering — far more nuanced than IP-based.

Why "Bypass" vs "Intercept":

Mode Behavior
Bypass Traffic passes through without proxy inspection (fastest)
Intercept Proxy terminates and inspects (full ALG behavior)

Some traffic (DNS, latency-sensitive flows) is set to bypass; web traffic (HTTP/HTTPS) is intercepted.

The "internal HTTP" trap:

Some configurations bypass HTTPS but intercept HTTP. Attackers can exploit this by hosting attacks on plain HTTP that's bypassed because it's "low-risk." Always intercept both, or block bypass for unknown destinations.

Tip: TLS interception (MITM) by enterprise proxies is technically a "controlled MITM" — the corporation installs its own root CA on every employee's device, and the proxy issues replacement certificates on the fly. This works fine for company-owned devices but breaks badly for BYOD or external services with cert pinning.

Go deeper:

  • doc Proxy server (Wikipedia) — forward/transparent/intercepting web proxies and TLS interception, generalizing the example.

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026