How does ProxyTrust work?  How does it protect against spoofed headers?

Discussion created by RobertRich on Jan 28, 2014
Latest reply on Jan 31, 2014 by Chris_Hackett

I'm considering implementing ProxyTrust in a two tier web server architecture with Apache mod_proxy out front of IIS.  

The problem is that I can't find much technical information on precisely how the web agent with ProxyTrust enabled is authenticating the upstream authorization decisions.  If users have direct access to the backend web sever with ProxyTrust enabled, can they still interact with it as a normal SiteMinder protected application?