Question:
What are the benefits of having a forwarding proxy in a DMZ?
anonymous
2008-11-07 10:05:59 UTC
What are the benefits of having a forwarding proxy in a DMZ?
Three answers:
The Earl
2008-11-07 10:37:35 UTC
A forwarding proxy allows you to publish external Domain Name Service (DNS) information to your intranet and vice versa, depending on the rules you set up. Thus, it will restrict access into and out of your intranet - your proxy server can be configured not to provide resolution for, oh, www.illegalswedishporn.com (to use a made-up URL I use in my consulting examples). Or to exclude youtube, facebook, or any other social networking or otherwise counterproductive site. But there are other ways of getting this. My ASA 5505 firewall will let me exclude whatever categories I want, obviating the need for a forwarding proxy server.

More useful, it will also allow authenticated clients to gain DNS information about clients in the inside network. Useful for VoIP and for things like allowing a client to connect to your email server through the firewall, rather than with a VPN. In my company, we use it for Microsoft Office Communications Server, and for Exchange access. Any other access requires that you open a VPN tunnel to find the servers (or other clients) you want. Since the client is authenticating (in our case via the domain login and password), you have a measure of security. Since it is not two-factor security (use of a VPN key plus the password), it is not deemed acceptable for access to critical or confidential information (payroll records, engineering, etc.). In my home/office network with the Cisco ASA 5505, I could put a proxy server in the DMZ and use it to allow authenticated access to whatever service I wanted - again using obfuscated port numbers (I may use 12345 for smtp, just to preclude unauthorized folks from hitting my mail server).

In the cases I've used, we've proxied http, using a different port than the Well Known Port (80 being the WKP), which I'd recommend as a way of at least slowing the scoundrels down. I've attached a link to the IANA port number list. You can edit a file, depending on your OS, to change the port used by a service (as I recall, in UNIX it was /etc/services - I do routers, switches, and wireless these days, so have to look things up).

From a Microsoft slide deck on VoIP and OCS/LCS:

Forwarding Proxy Server

Two Types: Internal and External

Internal Edge Server is a load distributor and enforces authentication for external clients

External Edge server is a base SIP proxy used for routing and is located in DMZ
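The outbound-filtering part of the answer above (a proxy in the DMZ that only intranet clients may reach, that requires them to authenticate, and that refuses listed sites) written out as a Squid configuration. This is an added example, not part of the original answer; the listening address, intranet range, password-file path and blocklist file are assumptions.

```conf
# Added example (not from the original answer): a Squid forwarding proxy in
# the DMZ that (1) accepts only intranet clients, (2) requires them to
# authenticate and (3) denies access to listed sites.
# Address, port, paths and the intranet range below are assumptions.

# Listen on a non-default port, bound to the DMZ-side interface (assumed).
http_port 192.0.2.10:8080

# Only intranet clients may talk to this proxy at all (range assumed).
acl intranet src 10.0.0.0/8

# Clients must authenticate. Basic auth against a local password file is
# shown here; the domain-login case in the answer would use Squid's
# Kerberos or NTLM helpers instead.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm DMZ forwarding proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# Destination blocklist: a leading dot matches the domain and all of its
# subdomains. The inline names are the categories the answer mentions; the
# file path is an assumption.
acl blocked_sites dstdomain .youtube.com .facebook.com
acl blocked_list  dstdomain "/etc/squid/blocked_domains.txt"

# Squid applies the first matching http_access rule, so order matters:
# reject non-intranet sources, then blocked destinations, then require
# authentication for everything else, and finally deny anything unmatched.
http_access deny !intranet
http_access deny blocked_sites
http_access deny blocked_list
http_access allow authenticated
http_access deny all

# Log every decision so denied and authenticated requests can be reviewed.
access_log /var/log/squid/access.log squid
```

The non-default port only reduces scanner noise; the `http_access` rules and the authentication requirement are what actually restrict access.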
Kristjan d
2008-11-07 10:29:36 UTC
Well, the DMZ is outside the firewall, so forwarding ports in a DMZ would facilitate external applications communicating with what is inside the protected network. Think VPN, P2P.
shawn
2016-05-26 10:53:46 UTC
I have no problem whatsoever with people who are disabled claiming disability or incapacity benefit. I have no problem either with low paid workers who need to claim benefits in order to survive. I do, however, have a problem with a western country whose minimum wage is so poor that low paid workers have to claim benefits in order to survive and which, when it raises tax levels penalises the poor and those on pensions. I have a massive problem with people who have decided not to work but breed large families in order to gain the sort of benefits that it would take a working person to earn £40,00 per annum to equal. Ditto so called disabled people who have enormous families. How, exactly, are they disabled? Certainly not physically by the sound of it. I do not think that the taxpayer should support these leeches.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.