Understand Multicloud Gateway Proxy Non-HTTP(S) Traffic Flow

Available Languages

Download Options

  • PDF     (180.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (266.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (178.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 31, 2024
Document ID:222267

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how the Cisco Multicloud Defence Gateway handles the TCP traffic (other than the web), when a forward proxy is configured.

    Prerequisites

    Requirements

    Cisco recommends that you know these topics:

    • Basic knowledge of cloud computing
    • Basic knowledge of computer networks

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Proxy

    A proxy serves as a go-between for two network endpoints. It functions as a gateway that transitions from one network to another for specific applications. Proxies control and simplify request complexity through their request process and forward capabilities. They provide different levels of functionality, security, and privacy, and prove beneficial in web browsing and data protection. 

    .

    Multicloud Gateway Forward Proxy

    This diagram shows the network flow when the multicloud gateway is placed in the path between the client and the server and the multicloud gateway is configured to act as a forward proxy. 

    MCD Forward ProxyImage - MCD Forward Proxy

    note-icon

    Note: This process is applicable for SSH traffic when your client is set up to use the multicloud gateway as a proxy to connect to the SSH server.

    1. The TCP 3-way handshake is Initiated between the client and the multicloud gateway.
    2. The client sends a CLIENT HELLO to the server. This CLIENT HELLO contains the Server Name Identifier (SNI). Gateway intercepts this packet and performs the FQDN filtering policy.
    caution-icon

    CautionCertain applications configured to utilize automatic negotiation protocols, such as those determining SSH version, must not transmit the Client Hello.

    3. If the traffic is allowed, the gateway initiates a new TCP handshake request to the server and forwards the Client Hello. (as received from the client)

    note-icon

    Note: If the server has not received any packets from the multicloud gateway, it could be because the Client did not send the Client Hello.

    4. The multicloud gateway forwarded the Server Hello to the Client.

    5. After the Certificate Exchange, all the packets are sent out as it is without any action

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    31-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Amirhossein Mojarrad
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products