
Application level gateway development, deployment and maintenance services

Application level gateways come in two forms today.

The first is a complete application, such as an HTTP server or proxy server, acting as a reverse proxy in front of a web server.

Examples of this are Squid, Apache or Nginx acting as a reverse proxy for a weaker server such as Outlook Web Access.

This shields the Outlook Web Access server from many HTTP- and HTTPS-based attacks: the proxy terminates TLS, rejects malformed requests, and can be limited to the handful of paths that mail clients actually need, so the Exchange server itself is never reachable directly from the Internet.

ATRC has implemented HTTP and HTTPS with a Squid proxy in front of Outlook Web Access in production environments.
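A Squid accelerator configuration for this kind of deployment, as an added example that is not ATRC's production configuration. It uses Squid 4 syntax (older releases spell the peer options ssl/sslcafile); the hostnames, addresses and file paths are assumed:

```conf
# squid.conf: reverse proxy (accelerator) in front of Outlook Web Access.
# Added example, not ATRC's configuration; hostnames, addresses and paths are assumed.

# Terminate TLS here with the public certificate; old protocol versions are refused.
https_port 443 accel defaultsite=mail.example.com vhost \
    cert=/etc/squid/mail.example.com.pem key=/etc/squid/mail.example.com.key \
    options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1

# The internal OWA server (assumed 10.0.0.10). Squid re-encrypts toward it and
# verifies its certificate against the internal CA, so the hop is not trusted blindly.
cache_peer 10.0.0.10 parent 443 0 no-query originserver \
    tls tls-cafile=/etc/squid/internal-ca.pem name=owa

# Only the published hostname and only the client-facing paths are reachable.
# /ecp (the Exchange administration interface) is deliberately left out.
acl owa_site dstdomain mail.example.com
acl owa_paths urlpath_regex -i ^/owa(/|$) ^/Microsoft-Server-ActiveSync ^/EWS/ ^/Autodiscover/ ^/OAB/
http_access deny !owa_site
http_access deny !owa_paths
http_access allow owa_site
http_access deny all

# Route everything that passed the checks to Exchange and nowhere else.
cache_peer_access owa allow owa_site
cache_peer_access owa deny all
never_direct allow all

# Mailbox content must never be served from cache; hide Squid's presence.
cache deny all
httpd_suppress_version_string on
via off
```

Squid passes the original client address to Exchange in X-Forwarded-For by default (forwarded_for on), so the Exchange logs still show the real client. The public certificate and key, and the internal CA file, should be readable only by the user Squid runs as.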

The other type of application level gateway analyzes the traffic and tries to interpret the protocol, checking it for compliance, before forwarding the connection.

An example of this is a Cisco PIX or ASA firewall acting as an application level gateway and dropping malicious traffic.

The problem with a firewall (a deep packet inspector) standing in for the real application is that, from our experience, there are many issues and some legitimate traffic is dropped or not allowed through.

An example is a Cisco PIX/ASA not allowing all Kerio SMTP connections.

To solve this issue, we had to tell the firewall not to inspect the SMTP traffic at all.
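What that change looks like on the device, as an added example and not ATRC's firewall configuration: on PIX 6.x SMTP inspection is the Mail Guard "fixup" (which only lets a small set of commands through on tcp/25), and on ASA it is the inspect esmtp entry of the default global service policy. The interface name, ACL name and address are assumed.

```conf
! Cisco PIX 6.x: the SMTP fixup is enabled by default and restricts the
! command set on tcp/25; remove it so the mail relay sees the raw session.
no fixup protocol smtp 25

! Cisco ASA: ESMTP inspection lives in the default global policy. Removing only
! that line leaves every other inspection in inspection_default in place.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! With inspection gone the firewall is just a packet filter on port 25, so
! expose that port to exactly one host: the Postfix relay (203.0.113.5 is assumed).
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-group outside_in in interface outside
```

The last two lines are the part that is easy to forget: once the firewall no longer understands SMTP, the only thing keeping arbitrary bytes off the mail server is that nothing but the hardened relay is reachable on that port.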

For SMTP from the Exchange server out to the Internet we implemented a Postfix server as a forwarder (smart host).

Also for incoming SMTP we configured the Postfix server to receive the mail and then forward it to the internal Exchange server.

This allows an application with weak protocol handling such as Exchange to work undisturbed behind a well-built, reliable and secure application such as Postfix, which handles the real-world communication.
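A Postfix main.cf that implements this relay in both directions, as an added example and not ATRC's configuration. The domain (example.com), the Exchange address (10.0.0.20) and the relay hostname are assumed:

```conf
# /etc/postfix/main.cf on the relay host. Added example, not ATRC's configuration;
# example.com, 10.0.0.20 (Exchange) and mailgw.example.com are assumed.
myhostname = mailgw.example.com
mydomain = example.com

# Nothing is delivered locally: every accepted message goes to Exchange or out.
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled

# Inbound: accept mail only for our domain and hand it to Exchange.
relay_domains = $mydomain
transport_maps = hash:/etc/postfix/transport
# Only mailboxes Exchange actually has, so unknown recipients are rejected
# during the SMTP session instead of bouncing afterwards (no backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Outbound: only Exchange and localhost may use this host as a smart host.
# reject_unauth_destination closes the relay for everyone else.
mynetworks = 127.0.0.0/8, 10.0.0.20/32
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Basic protocol hygiene facing the Internet.
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_tls_security_level = may
smtp_tls_security_level = may
message_size_limit = 26214400

# The two lookup tables referenced above (build each with: postmap <file>).
# /etc/postfix/transport:
#   example.com        smtp:[10.0.0.20]
# /etc/postfix/relay_recipients:
#   alice@example.com  OK
#   bob@example.com    OK
```

On the Exchange side the Send Connector for Internet mail points at mailgw.example.com as its smart host, and its Receive Connector only needs to accept port 25 from the relay's address. The brackets in smtp:[10.0.0.20] stop Postfix from doing an MX lookup and send straight to the Exchange host.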

Another related use case we have developed is an MITM HTTPS proxy server. Since more than 90% of web traffic today is HTTPS, caching it requires a proxy between the browser and the web server that terminates the TLS connection and presents the browser with a certificate the browser has been configured to trust. This method is used by VPN providers, ISPs and our WiFi servers to provide some services. The advantage is that HTTPS traffic can be cached. The disadvantage is that a CA certificate is required for each network being cached, and every client on that network must trust it. In the future, we might create multiple certificates so that each browser or user can have their own certificate for using the proxy server and its services.
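A Squid SSL-bump configuration for such a decrypting cache, as an added example and not ATRC's WiFi proxy configuration. It uses Squid 4 syntax; the file paths, the CA name and the list of sites left undecrypted are assumed:

```conf
# squid.conf: decrypting (MITM) HTTPS cache, Squid 4 syntax. Added example, not
# ATRC's configuration; paths, the CA name and the splice list are assumed.

# The per-network CA. Every client on the network must trust ca.pem; ca.key must
# be readable by squid only, since whoever holds it can impersonate any site.
# One way to create it (assumed command):
#   openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
#       -subj "/CN=Example WiFi Proxy CA" -keyout /etc/squid/ca.key -out /etc/squid/ca.pem
http_port 3128 ssl-bump \
    cert=/etc/squid/ca.pem key=/etc/squid/ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

# Helper that mints one leaf certificate per origin host, signed by the CA above.
# Initialise its store once: security_file_certgen -c -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 8

# Look at the ClientHello first so the server name (SNI) is known before deciding.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that must not be decrypted (certificate-pinning apps, banking) pass
# through untouched. ssl::server_name matches the CONNECT host or the SNI seen
# during the peek.
acl nobump ssl::server_name .bank.example .pinned-app.example
ssl_bump splice nobump

# Everything else is decrypted, cached, and re-encrypted toward the client.
ssl_bump bump all

# The browser can no longer check the origin's certificate, so Squid must:
# verify against the system CA bundle and never hide a failure from the client.
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all
```

For transparent interception instead of an explicitly configured proxy, add an https_port with intercept ssl-bump and the same certificate options, and redirect tcp/443 to it with the packet filter. Two limits apply regardless of mode: clients that pin certificates or do not trust the CA will fail on every bumped site, and any origin that requires a client certificate cannot work through a bump, which is why the splice list exists.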

atrc_website/security_application_level_gateway_development.txt · Last modified: 2022/07/20 18:32 by wikiadmin