Teleport Identity-Aware Proxy Service

The Teleport Proxy Service is an identity-aware proxy with a web UI. The Teleport Proxy Service provides the following key features:

  • Enables users to authenticate with a single sign-on identity provider or local credentials to access SSH and Windows desktops using the Teleport web UI.
  • Intercepts traffic for multiple protocols, including SSH, Kubernetes, HTTPS, and databases, and ensures that only authenticated clients can connect to target resources.
  • Records commands, API calls, and queries and streams them to the audit log.
  • Provides networking and connectivity so that servers and proxies behind firewalls can connect using reverse tunnels.
  • Enables system administrators to use the TLS routing feature to consolidate all ports for all protocols onto one TLS port.

To create a minimal Teleport cluster, you have to run two services: the Teleport Auth Service and the Teleport Proxy Service. For your home lab, you can run both services as a single binary and process.

Web UI

In the web UI, the Teleport Proxy implements WSS (secure WebSockets) to proxy a target resource, for example an SSH server or a desktop.

TLS Encryption

When using the web UI, the Teleport Proxy terminates traffic and re-encodes data for the client connection.


In IAP mode, users initiate the SSO or login flow to sign public keys on their client machines.

IAP Mode Security

We consider IAP mode more secure than web UI access because private keys never leave the user's client. The client's connection to the resource is mutually authenticated. This mode is also less vulnerable to web-related attacks, such as CSRF or cookie hijacking, because the browser is used less.
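The key handling described above can be sketched with Go's standard library. This is an added example, not Teleport's code: it assumes a constructed self-signed X.509 CA and Ed25519 keys in place of the cluster's certificate authority, skips the SSO step, and `issue` and `verifyClient` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a PUBLIC key into a certificate; a nil parent yields a self-signed CA (constructed stand-in).
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // constructed validity window
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClient (resource side): the cert must chain to the CA and the client must sign a fresh challenge.
func verifyClient(ca, cert *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, challenge, sig) {
		return fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	return nil
}

func main() { // errors are discarded here only to keep the walkthrough short
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca, _ := issue("demo-ca", caPub, nil, caKey)
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // Alice's key pair; key stays on her machine
	cert, _ := issue("alice", pub, ca, caKey)
	nonce := []byte("constructed-challenge")
	fmt.Println("alice:", verifyClient(ca, cert, nonce, ed25519.Sign(key, nonce)))
}
```

A party that copies only the certificate cannot produce a valid signature over the challenge, which is the property the comparison with browser-held sessions rests on.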


In this mode, resources behind a firewall can establish reverse tunnels back to the proxies. The proxies forward clients' connections to target resources through those tunnels.

In the example below, Alice connects to a Kubernetes cluster behind a firewall via two tunnels.

All of the modes above are turned on by default in proxies. No special configuration is necessary unless you want to turn some of those modes off.
