For many years now I have used WSAM for some web based medical applications that don't work properly when rewritten. I am now trying to find a work around for a java app that did work in 6.4 (rewritten) but doesn't in 6.5 (working with Juniper but no solution yet). I am playing around with passthrough proxy, which fixes my Java issue, and got to thinking why I'm using WSAM for the medical apps. We don't own or control the PCs that connect to us (physician offices) and every time we have to do installs or do upgrades, WSAM causes headaches.
All the apps are web based with some kind of component also loaded locally so why would someone not use passthrough proxy instead of WSAM? Are there any security issues to consider?
PassThroughProxy (PTP) is considered an alternative to rewrite but it's more like a best effort approach. There may not be any security issues in using PTP as such because the traffic still needs to go via the SA device with a valid session on it.
It's more related to overheads involved with deploying a PTP solution as compared to a WSAM solution.
With PTP you will need to take care of either publishing new DNS FQDNs for all your apps that you intend to use via PTP or need to open firewall ports for each application.
I am guessing that the locally loaded components are at least part of the reason for using WSAM rather than the core rewriter. The passthrough proxy rewriter has similar restrictions as the core rewriter in that locally loaded applications/components do not work (they need a direct connection either hard-coded or for some other reason).
There are no security concerns, per se, with using passthrough proxy; however, there are a couple items that need to be kept in mind when working with it (as you ran into with the Java application you now have working temporarily):
1) The IVE port option requires the high port you utilize to be open; from your note, it looks like these users will be connecting from diverse networks that may or may not have these ports already open/willing to be opened
2) The virtual hostname option, which removes the above issue, requires another DNS entry and, if you do not have a wildcard certificate, another IP address and certificate.
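The second point above (a virtual hostname per PTP application needs a DNS record, and a new certificate plus IP address unless an existing wildcard certificate already covers the name) comes down to whether each proposed hostname matches one of the DNS names on the certificate the SA device already presents. The following is an added example, not code from this thread or from Juniper: it applies the usual browser/RFC 6125 matching rules (case-insensitive, a `*` matches exactly one label and never the bare base domain) and produces a small checklist per application. All hostnames, certificate names and function names are constructed for illustration.

```python
"""Check whether an existing certificate's DNS names already cover proposed
passthrough-proxy virtual hostnames (added example; all names are constructed)."""


def hostname_covered(hostname, cert_dns_names):
    """Return True if hostname is matched by any DNS name on the certificate.

    Matching rules as applied by browsers (RFC 6125 style):
      - comparison is case-insensitive and ignores a trailing dot
      - a leading '*' label matches exactly one label, so '*.sa.example.test'
        covers 'pacs.sa.example.test' but not 'sa.example.test' and not
        'ehr.portal.sa.example.test'
      - wildcards with fewer than three labels ('*.test') are rejected
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in cert_dns_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) < 3:
                continue  # overly broad wildcard: do not treat as a match
            if host[0] and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def plan_virtual_hosts(apps, cert_dns_names):
    """For each app -> proposed virtual hostname, list what the admin must add:
    always a DNS record; additionally a new certificate (and, without SNI on
    the SA side, a dedicated IP address) when the existing certificate does
    not cover the name."""
    plan = {}
    for app, vhost in apps.items():
        needs = ["dns record"]
        if not hostname_covered(vhost, cert_dns_names):
            needs.append("new certificate (+ IP address)")
        plan[app] = needs
    return plan


# Constructed sample data: the names currently on the SA device's certificate
EXISTING_CERT_NAMES = ["sa.example-hospital.test", "*.sa.example-hospital.test"]

# Constructed proposed PTP virtual hostnames, one per application
PROPOSED = {
    "pacs": "pacs.sa.example-hospital.test",        # covered by the wildcard
    "labs": "labs.apps.example-hospital.test",      # different parent domain
    "ehr": "ehr.portal.sa.example-hospital.test",   # two labels under the wildcard
}

if __name__ == "__main__":
    for app, needs in plan_virtual_hosts(PROPOSED, EXISTING_CERT_NAMES).items():
        print(f"{app}: {', '.join(needs)}")
```

Run as a script it prints one line per application; in practice you would feed `EXISTING_CERT_NAMES` from the Subject Alternative Name extension of the certificate actually installed on the device rather than from the constructed list above.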