Proxy Considerations

patterns & practices Developer Center

  • When should I use a channel factory?
  • When do I need to expose a metadata exchange endpoint for my service?
  • How do I avoid proxy spoofing?

When should I use a channel factory?

Use a channel factory when you control both ends of the wire and would rather code directly against the same common language runtime (CLR) interface instead of manually keeping the Web Services Description Language (WSDL) interface in sync. Instead of using WSDL as the shared contract, you use a shared “interface assembly.”

When do I need to expose a metadata exchange endpoint for my service?

Expose the metadata exchange (mex) endpoint to share the service metadata so that client programs can use the metadata to generate a proxy file to include in their code, in order to call service objects.

How do I avoid proxy spoofing?

Publish your service metadata over Secure HTTP (HTTPS) to protect clients from being spoofed when adding a service reference. If you expose your service metadata over HTTP, clients cannot be certain that they have added a reference to the right service—the service may have been spoofed through DNS poisoning or a man-in-the-middle attack. To publish your service metadata over HTTPS, use mexHttpsBinding and configure a server certificate for the service.

If you are running your service in a scenario in which mutual authentication has been turned off, be aware that your service might be spoofed by a malicious attacker. Without mutual authentication, calls to your service might be diverted to a malicious service through DNS poisoning or a man-in-the-middle attack.

The following scenarios will result in mutual authentication being turned off:

  • If you turn off message and transport security on your binding
  • If you use basicHttpBinding, which has message and transport security turned off by default
  • If you use NTLM authentication
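An added configuration example (not from the original page) that puts the weak setup described above beside the hardened one: a service on basicHttpBinding publishing its WSDL over plain HTTP, and the same service publishing metadata over mexHttpsBinding with a server certificate and a wsHttpBinding that uses certificate-based message security so both ends authenticate. The service name, contract, host name and certificate subject are assumptions.

```xml
<!-- BEFORE (weak): metadata over HTTP and basicHttpBinding with its default
     (no message or transport security). A client adding a service reference
     cannot verify it reached the real service, and calls are not mutually
     authenticated. Assumes a serviceMetadata behavior with httpGetEnabled="true". -->
<service name="Contoso.OrderService">
  <endpoint address="" binding="basicHttpBinding" contract="Contoso.IOrderService" />
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>

<!-- AFTER (hardened): HTTPS base address (self-hosted; under IIS the site
     binding supplies it), metadata only over mexHttpsBinding, and message
     security with certificate client credentials for mutual authentication. -->
<system.serviceModel>
  <services>
    <service name="Contoso.OrderService" behaviorConfiguration="SecureMetadata">
      <host>
        <baseAddresses>
          <add baseAddress="https://orders.contoso.example/OrderService" />
        </baseAddresses>
      </host>
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MutualCert"
                contract="Contoso.IOrderService" />
      <!-- client validates the server certificate before trusting the WSDL -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="MutualCert">
        <security mode="Message">
          <!-- both sides present X.509 certificates -->
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SecureMetadata">
        <!-- no metadata over plain HTTP -->
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
        <serviceCredentials>
          <!-- server certificate in the LocalMachine\My store (assumed subject) -->
          <serviceCertificate findValue="orders.contoso.example" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The two fragments are shown side by side for comparison and are not meant to be pasted into one file; the client must also be configured to trust the issuer of the server certificate, or the HTTPS metadata request fails.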
