SphereShield Teams / Webex topology Proxy data flow

The following is one of the options for the deployment of SphereShield for Teams & Webex.

Hosted Proxy topology


On-prem Proxy topology (for PC only requirement)


  1. Client 1 sends a message/file to client 2, this is forwarded to the Bastion via network configuration / PAC file. 

  2. The Bastion receives the message and sends it to the Teams Protector for inspection. 

  3. Teams Protector requests the relevant policy from the internal services API (ISA) that includes the EW & DLP engines.

  4. ISA checks in the DB for relevant policy (If not stored in the AP cache) 

  5. ISA fetches relevant policy 

  6. ISA returns policy to the Teams Protector. 

  7. Teams Protector enforces the policy if to allow, block or replace the message. 

  8. If traffic is allowed Bastion will send the message / allow the operation to Office 365 cloud. 

  9. The message is delivered to client 2 



Webex DLP dataflow


Hybrid - Proxy for PC + API for mobile

Forward Proxy for PC and API for all devices

Mobile proxy is only possible for IOS fully managed (supervised) devices. MDM solution must be able to forward mobile traffic to Bastion (not part of AGAT solution) It is not supported for Android.

AGAT recommends addressing mobile devices by API using the Hybrid mode





Additional Proxy related topologies

Full proxy data flow (PC & Mobile)

This topology is not released. Consult with AGAT support to better understand the requirements.

Reverse Proxy (coming soon)

SphereShield Reverse Proxy, used for agentless real-time solutions for PCs. This solution requires ADFS and does not cover mobile. For mobile AGAT recommends including the API