Introduction
Securing unmanaged devices has always been a challenge. While the ideal scenario involves every device using a managed client like Cloudflare One, reality often demands alternative solutions. Whether dealing with virtual desktops, mergers, or compliance restrictions, you still need robust security. Cloudflare’s Gateway Authorization Proxy bridges this gap by shifting identity verification from devices to the network itself.
The Problem with IP-Based Security
Traditional proxy systems rely on static IP addresses to identify users. This approach is flawed. Imagine a security guard who only recognizes cars, not drivers. If a user switches locations or devices, access breaks. This creates three major issues:
- Anonymous Logs: You know the IP but not the user.
- Brittle Policies: Changes in location disrupt access.
- Manual Maintenance: PAC files require constant updates.
How the Authorization Proxy Works
The Gateway Authorization Proxy introduces a “badge system.” Instead of relying on IPs, it uses Cloudflare Access to verify user identity before applying policies. Here’s the flow:
- First visit: The user is redirected to Cloudflare Access to log in.
- After login: A secure JWT cookie is generated for the domain.
- Subsequent visits: The cookie is used for instant access.
This process is invisible to users, leveraging Cloudflare’s global network for speed and reliability.
Key Benefits
True Identity Integration
Logs now show exact user activity. Create rules like “Finance team only” without client software.
Flexible Identity Providers
Supports Okta, Azure AD, and more. Ideal for mergers where multiple IDPs are needed.
Simplified Billing
Users occupy a “seat,” aligning with Cloudflare One’s billing model.
PAC File Hosting Made Easy
Cloudflare now hosts PAC files, eliminating manual setup. Use starter templates or let Cloudy (Cloudflare’s AI assistant) explain your PAC file’s logic instantly.
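To make the PAC logic concrete, here is an added example (not one of Cloudflare's starter templates and not code from this article) of a PAC file that keeps internal traffic direct and sends everything else to a proxy endpoint. The endpoint hostname, the internal domain suffixes, and the helper names `isPrivateIPv4` and `matchesSuffix` are assumptions made for illustration.

```javascript
// Added example PAC file. Written in ES5 because some PAC engines predate ES6.
// PROXY is a placeholder, not a real endpoint; use the one issued to your account.
var PROXY = "HTTPS proxy-endpoint.example:443";
// Constructed internal suffixes that should never leave the local network.
var DIRECT_SUFFIXES = [".corp.example", ".internal.example"];

// True for IPv4 literals in loopback, RFC 1918 or link-local ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false; // not a valid address
  }
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// True when host equals the suffix's domain or is a subdomain of it.
function matchesSuffix(host, suffix) {
  return host === suffix.slice(1) ||
    (host.length > suffix.length && host.slice(-suffix.length) === suffix);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, trailing dot
  // Single-label names (no dot, not an IPv6 literal) are intranet hosts.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    if (matchesSuffix(host, DIRECT_SUFFIXES[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing identity checks and logging.
  return PROXY;
}
```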
When to Use the Auth Proxy
- Virtual Desktops: Users access the web via VDI without client software.
- Mergers & Acquisitions: Rapidly unify security across two companies.
- Compliance Constraints: Enforce security where software installation is prohibited.
What’s Next?
Cloudflare is expanding identity methods for Authorization Endpoints. Expect support for Kerberos, mTLS, and traditional username/password authentication soon. The Gateway Authorization Proxy and PAC File Hosting are available in open beta today.
Conclusion
The Gateway Authorization Proxy redefines network security for unmanaged devices. By combining identity verification with Cloudflare’s infrastructure, it offers Zero Trust capabilities without client software. Ready to test it? Visit the Cloudflare dashboard’s “Resolvers and Proxies” section. For more on SASE and Secure Web Gateway solutions, explore Cloudflare’s resources.







