The single most reliable signal in web filtering scenarios is whether the user is always on the corporate network or sometimes off it. The exam uses this to discriminate between deployment models:
- Forward proxy / NGFW URL filter — only works when user traffic passes through the corporate perimeter device. A remote employee on home Wi-Fi or a hotel network bypasses it entirely unless also connected via VPN.
- Agent-based filtering — installed on the device itself. Policy is enforced locally regardless of which network the user connects to. No VPN, no corporate perimeter needed.
The exam trigger phrases:
- “Must work regardless of which network the employee uses” → agent-based
- “Remote workers, traveling employees, work-from-home” without a VPN requirement → agent-based
- “Centralized control for all users in the office” → forward proxy or NGFW
- “Caching to reduce external bandwidth” → forward proxy (agents do not cache)
A common distractor: DNS filtering with a cloud resolver also works off-network — but only if the device is guaranteed to query that specific resolver. Without an agent, a user can simply change their DNS settings. When the exam asks for the most reliable always-on solution, agent-based wins.
The exam distinguishes these two proxy types through a single clue: whether client-side configuration is required. Read for it explicitly:
- “The browser/application must be configured to use the proxy” → explicit proxy. An unconfigured application bypasses it. IT often pushes this configuration via Group Policy.
- “No configuration required on the client” / “users are unaware their traffic is proxied” → transparent proxy. Network infrastructure redirects traffic to the proxy; the application has no knowledge of its existence.
The exam trap: A question describes a proxy that “works silently in the background” or that “intercepts traffic without the user knowing.” Candidates often answer “agent-based” because agents also run silently. The difference: a transparent proxy is a network device the user’s traffic passes through; an agent is software installed on the user’s own device. If the question mentions network infrastructure routing, think transparent proxy, not agent.
Secondary distinction — explicit proxy limitation: If an application is not configured to use the explicit proxy, it communicates directly — bypassing the proxy entirely. Transparent proxies close this gap by intercepting at the network layer before the packet leaves the subnet.
The most common mistake candidates make with DNS filtering is treating it as a web browsing control. It is not. DNS filtering intercepts DNS lookups, and any application that resolves a domain name — not just a browser — is affected.
The critical exam scenario: Malware installed on an endpoint needs to contact a command-and-control (C2) server. The malware performs a DNS lookup for the C2 domain. If that domain is on the DNS blocklist: the DNS server returns no IP address → the malware cannot initiate a TCP connection → C2 communication fails. This happens even if the malware never opens a browser, uses a non-standard port, or runs entirely in the background.
What DNS filtering stops vs. what it does not:
- Stops: connections to known-malicious domains by any application; phishing sites; malware C2 callbacks using domain names; newly registered bad domains added to threat intelligence feeds
- Does not stop: connections to malicious IP addresses (no DNS lookup required); encrypted DNS (DoH/DoT) that bypasses the filtering resolver; malware that hardcodes IP addresses instead of using domain names
Exam phrase triggers for DNS filtering: “Before connecting… a DNS lookup is performed” → DNS filtering. “No IP address is returned for the malicious domain” → DNS filtering. “Blocks at the name resolution stage” → DNS filtering.
Category filtering and reputation filtering are both URL blocking mechanisms, but they answer different questions. The exam will mix them in scenarios; knowing which dimension is being tested prevents wrong-answer selection.
- Category filtering asks: What type of content is on this site? (Gambling, Adult, Educational, Malware, Social Networking…). A site blocked by category is blocked because of its topic, regardless of whether it is safe or dangerous.
- Reputation filtering asks: How risky is this site? (Trustworthy → Low Risk → Medium Risk → Suspicious → High Risk). A site blocked by reputation is blocked because of its perceived danger level, regardless of its topic.
Why both are needed together: A legitimate gambling site is blocked by category policy (wrong topic for the workplace) even if it has a Trustworthy reputation. A brand-new phishing site may not yet be in any bad category, but its reputation score will be High Risk immediately — caught by reputation filtering before category rules help.
Exam scenario triggers:
- “Blocked because it is categorized as Gambling” → category filtering
- “Automated scan assigned a High Risk score” → reputation filtering
- “Administrator manually changed the site’s rating” → reputation filtering (manual override)
- “Blocked even though no category matched” → reputation filtering