What's a classic Proxy / ALG product example (Blue Coat ProxySG), and how do its rules differ from network-level firewalls?
Blue Coat ProxySG (now Symantec Secure Web Gateway) is a classic enterprise web proxy. Its rules combine network parameters with user identity and client-software identity — letting you write "user @bob can browse YouTube only after 5 PM."
What a typical Blue Coat config screen shows:
- Proxy Services (DNS, HTTP, HTTPS, FTP) — each marked Bypass or Intercept.
- Visual Policy Manager — rules with Source = user/group, Destination = URL/category, Action = Allow/Deny.
The unique columns of an ALG ruleset:
| Column | Network FW | Web Proxy / ALG |
|---|---|---|
| Source | IP / subnet | IP, user/group (LDAP/AD), client software, geolocation |
| Destination | IP / subnet | IP, URL, URL category, MIME type |
| Service | port/proto | application (HTTP, HTTPS, FTP), specific HTTP method |
| Action | allow / deny | allow / deny / redirect / modify content / inspect TLS |
As Blue Coat's documentation puts it: "Proxies können neben den 'klassischen' Parametern auch User oder Clientsoftware im Ruleset integriert".
User-aware policies — the killer feature:
A network firewall sees IP 10.0.0.55. A proxy can resolve that to "user bwuermli, member of group 'students', logged in via Active Directory at 09:14." Now you can write rules like:
| Source | Destination | Action |
|---|---|---|
| group:Engineers | github.com | Allow |
| group:Marketing | github.com | Block (no business need) |
| group:Interns | streaming.* | Block during business hours |
This is identity-aware filtering — far more nuanced than IP-based.
Why "Bypass" vs "Intercept":
| Mode | Behavior |
|---|---|
| Bypass | Traffic passes through without proxy inspection (fastest) |
| Intercept | Proxy terminates and inspects (full ALG behavior) |
Some traffic (DNS, latency-sensitive flows) is set to bypass; web traffic (HTTP/HTTPS) is intercepted.
The "internal HTTP" trap:
Some configurations bypass HTTPS but intercept HTTP. Attackers can exploit this by hosting attacks on plain HTTP that's bypassed because it's "low-risk." Always intercept both, or block bypass for unknown destinations.
Tip: TLS interception (MITM) by enterprise proxies is technically a "controlled MITM" — the corporation installs its own root CA on every employee's device, and the proxy issues replacement certificates on the fly. This works fine for company-owned devices but breaks badly for BYOD or external services with cert pinning.
Go deeper:
Proxy server (Wikipedia) — forward/transparent/intercepting web proxies and TLS interception, generalizing the example.