SphereShield for MS Teams / Webex topology Proxy data flow

The following is one of the options for the deployment of SphereShield for Teams & Webex.

Hosted Proxy topology


On-prem Proxy topology (for PC only requirement)


  1. Client 1 sends a message/file to client 2, this is forwarded to the Bastion via network configuration / PAC file. 

  2. The Bastion receives the message and sends it to the Teams Protector for inspection. 

  3. Teams Protector requests the relevant policy from the internal services API (ISA), including the EW & DLP engines.

  4. ISA checks in the DB for relevant policy (If not stored in the AP cache) 

  5. ISA fetches relevant policy 

  6. ISA returns policy to the Teams Protector. 

  7. Teams Protector enforces the policy if to allow, block or replace the message. 

  8. If traffic is allowed, Bastion will send the message / allow the operation to Office 365 cloud. 

  9. The message is delivered to client 2 


Webex DLP dataflow

Webex DLP covers files and messages.

Files are best addressed using inline API, meaning the file is not delivered to the client until it is inspected by SphereShield.
For this approach, there is no need for a proxy, and there for covers both mobile and PC
As for messages- SphereShield offers a near real-time approach for handling all devices without a proxy or an inline real-time approach using a proxy for PCs only.
When implementing real-time message inspection, the message goes through the proxy, which disables the SSL. Then, it is offloaded to a NodeJS server that decrypts the internal customer encryption layer and returns the result to the Proxy. The clear messages is then sent to the DLP provider configured in SphereShiled. Using this approach, the message never reaches the Cisco cloud before being validated, and if the solution is hosted by a private instance / on=prem, it never leaves the company's control.

Hybrid - Proxy for PC + API for mobile

Forward Proxy for PC and API for all devices

Hybrid high-level diagram

Mobile proxy is only possible for IOS fully managed (supervised) devices. MDM solution must be able to forward mobile traffic to Bastion (not part of AGAT solution) It is not supported for Android.

AGAT recommends addressing mobile devices by API using the Hybrid mode

Additional Proxy related topologies

Full proxy data flow (PC & Mobile)

This topology has not been released. Consult with AGAT support to better understand the requirements. The customer must configure a mobile device to route traffic to the proxy. This is typically done using MDM solution and required the device to be fully supervised by company

Reverse Proxy (on Roadmap )

SphereShield Reverse Proxy, used for agentless real-time solutions for PCs. This solution requires ADFS and does not cover mobile. For mobile AGAT recommends including the API