Threema is one of the few messengers that was genuinely developed with corporate security in mind: end-to-end encryption, minimal metadata, servers in Switzerland. However, it also has a vulnerable point — the network level. If your provider blocks traffic, the corporate IT department restricts connections, or you need to hide the very fact of using a messenger — a proxy is essential.
In this article, we will explore how to connect a proxy to Threema Work and the regular version, which type of proxy is suitable for corporate tasks, and how to maintain security during the setup.
Why Threema Needs a Proxy: Real Corporate Scenarios
Many believe that since Threema encrypts everything with end-to-end encryption, a proxy is unnecessary. In practice, this is not the case. Encryption protects the content of messages but does not hide the fact of connecting to Threema servers. Most corporate problems arise at the network level.
Let's consider specific situations in which a proxy becomes a necessity:
Scenario 1: Regional Blocks
In several countries and corporate networks, traffic to Threema servers is blocked at the firewall level. This is especially relevant for companies with offices in countries with strict internet regulations. An employee opens Threema Work and sees a connection error. In this case, the proxy acts as an intermediary node: traffic goes not directly to Threema servers but through an IP address in a permitted jurisdiction.
Scenario 2: Corporate IT Control
Large corporations often route all employee traffic through a corporate proxy server for monitoring, filtering, and logging. If Threema Work is not configured to work through this proxy, it simply will not connect in the office network. IT administrators need to explicitly specify the proxy in the application configuration; otherwise, the messenger will be unavailable on work devices.
Scenario 3: Competitive Intelligence and Anonymity of Negotiations
For top management and legal departments, not only the content of negotiations is important but also the metadata: from which IP communication is conducted, and in which region the participants are located. A proxy allows hiding the real IP address of the corporate office or a specific employee — especially during M&A negotiations, where even the fact of communication with a certain party can be sensitive information.
Scenario 4: Remote Employee Work
Remote employees from different countries face unstable connections to Threema servers. A proxy with servers in the required region helps reduce latency and ensure a stable connection — especially for teams in Asia, Latin America, and Africa, where direct connection to Threema's Swiss servers may be unstable.
It is important to understand:
A proxy does not replace Threema's encryption — it operates at a different level. Together, they provide a double layer of protection: the content is encrypted, and the source of the traffic is hidden.
Threema Work vs Regular Threema: What’s the Difference for Business
Before proceeding to the setup, it is important to understand which version you are working with. This affects how the proxy is configured.
| Parameter | Threema (Personal) | Threema Work (Corporate) |
|---|---|---|
| Management | User | IT Administrator via MDM |
| Proxy Setup | Through device system settings | Through MDM profile or config file |
| SOCKS5 Support | Depends on system settings | Supported through configuration |
| Security Policies | No | Centralized policies |
| Target Audience | Individuals | Companies with 10 or more people |
For most corporate scenarios, Threema Work is used — it allows the IT administrator to centrally manage settings, including the proxy, through an MDM system (Mobile Device Management) — for example, Jamf, Microsoft Intune, or VMware Workspace ONE.
If you are using regular Threema — the proxy is set up through the device's system settings (Wi-Fi proxy on iOS or global proxy on Android). This is less flexible but a workable option for small teams.
Which Type of Proxy to Choose for Threema
Not every proxy is equally suitable for a corporate messenger. Let's break down the main types and their applicability to Threema.
Residential Proxies
Residential proxies use IP addresses of real home users. This is the most inconspicuous type: traffic from such an IP looks like that of an ordinary internet user, not a corporate server. For Threema, this is important in cases where it is necessary to bypass blocks based on IP type — many firewalls block data center IPs, while residential addresses are allowed.
The downside of residential proxies for a corporate messenger is IP rotation. If the proxy changes the address every few minutes, it can create authorization issues in Threema. Therefore, for this task, you need to choose residential proxies with sticky sessions — a fixed IP for a long time (from 10 minutes to 24 hours).
Mobile Proxies
Mobile proxies operate through IP addresses of mobile operators (3G/4G/5G). This is the most trusted type of traffic from the perspective of any filtering systems — mobile IPs rarely end up on blocklists. For Threema, mobile proxies are especially good if employees use the app on smartphones: the traffic fits organically into the mobile pattern.
Mobile proxies are more expensive than residential ones, but for corporate security, these are justified expenses — especially for top management and legal departments, where the anonymity of negotiations is critical.
Data Center Proxies
Data center proxies are the fastest and most affordable option. They are well-suited for bypassing corporate firewalls within the company when the IT administrator sets up the proxy server to route Threema traffic. However, if the task is to hide corporate traffic from external observers, data center IPs are easier to identify as "non-residential."
| Proxy Type | Speed | Anonymity | Best Scenario for Threema |
|---|---|---|---|
| Residential | Average | High | Bypassing regional blocks |
| Mobile | Average | Maximum | Top management anonymity |
| Data Center | High | Medium | Corporate proxy server |
Setting Up a Proxy in Threema on Android
On Android, there are two ways to connect a proxy to Threema: through the Wi-Fi system settings or through a proxy app (e.g., ProxyDroid or Shadowsocks). The first method is simpler, the second is more flexible.
Method 1: Through Wi-Fi Settings (HTTP Proxy)
This method works if your proxy supports the HTTP/HTTPS protocol. Steps:
- Open Settings → Wi-Fi on your device.
- Press and hold the connected network — select “Modify Network”.
- Expand “Advanced Options”.
- In the “Proxy” field, select “Manual”.
- Enter the Proxy Host (IP address of your proxy server) and Port.
- If the proxy requires authentication — specify the username and password in the respective fields (available on Android 10+).
- Press “Save” and restart Threema.
Check the connection: in Threema, go to Settings → About Threema and click on the version to send diagnostics — if the connection is established, the app will show a green status.
Method 2: Through SOCKS5 (for Advanced Users)
Android does not support SOCKS5 at the system level directly. To use SOCKS5 with Threema, use the ProxyDroid app (requires root) or set up a tunnel via SSH. Corporate users may find it easier to use a corporate VPN in conjunction with the proxy — this is a more manageable solution.
Tip for Corporate Deployment:
If you manage employee devices through MDM (e.g., Microsoft Intune), the proxy setup can be centrally applied to all corporate Android devices through a configuration profile. This eliminates the need to set up each device manually.
Setting Up a Proxy in Threema on iPhone (iOS)
On iOS, Threema uses the system proxy settings — there is no separate setting within the app. The proxy needs to be configured at the Wi-Fi network level or through an MDM profile.
Setting Up via Wi-Fi
- Open Settings → Wi-Fi.
- Tap the (i) icon next to the connected network.
- Scroll down to the “HTTP Proxy” section.
- Select “Manual”.
- Enter the Server (proxy IP address) and Port.
- If authentication is required — toggle the “Authentication” switch on and enter the username and password.
- Tap “Done” — iOS will automatically apply the settings to all apps, including Threema.
Setting Up via PAC File
For corporate use, it is more convenient to use a PAC file (Proxy Auto-Configuration) — it allows you to set rules: which traffic goes through the proxy and which goes directly. For example, you can route only Threema traffic through the proxy while leaving other traffic unchanged.
- In the “HTTP Proxy” section, select “Automatic”.
- Enter the URL of the PAC file provided by your IT department.
- iOS will download the configuration and apply it automatically.
Setting Up via MDM (Jamf, Intune)
The corporate way is to deploy a configuration profile through MDM. In Jamf Pro, this is done through Configuration Profiles → Network → Proxy. The profile is automatically applied to all corporate iPhones of employees without their involvement. This is the most appropriate approach for companies with a fleet of 20 or more devices.
Setting Up a Proxy in Threema on a Computer (Windows/Mac)
Threema Desktop (the computer version) also uses the system proxy settings of the operating system. There is no separate proxy setting within the app — this is an intentional architectural decision by the developers to simplify management.
Windows 10/11
- Open Settings → Network & Internet → Proxy.
- In the “Manual proxy setup” section, toggle the “Use a proxy server” switch on.
- Enter the Address (proxy IP) and Port.
- If you need to exclude local addresses — check the box “Don't use the proxy server for local addresses”.
- Click “Save” and restart Threema Desktop.
macOS
- Open System Preferences → Network.
- Select the active network connection (Wi-Fi or Ethernet) and click “Advanced”.
- Go to the “Proxies” tab.
- Enable the required type of proxy: “Web Proxy (HTTP)” or “Secure Web Proxy (HTTPS)”.
- Enter the address and port of the proxy server. If necessary — username and password.
- Click “OK” and “Apply”. Restart Threema Desktop.
Checking Proxy Functionality:
After setting up, open a browser and go to whatismyip.com — if the IP of your proxy is displayed instead of the real office IP, the setup has been done correctly. Then launch Threema Desktop and check the connection status.
Corporate Security: What to Consider When Deploying
Using a proxy with Threema in a corporate environment is not only a technical task but also an organizational one. Here are the key aspects to address before starting the deployment.
1. Choosing the Jurisdiction of the Proxy Server
Threema servers are located in Switzerland. For minimal latency, choose a proxy with servers in Western Europe. If employees work from Asia — look for proxies with points of presence in Singapore or Hong Kong. Important: ensure that the jurisdiction of the proxy provider does not require it to store and transmit traffic logs — this is critical for corporate confidentiality.
2. Proxy Provider Logging Policy
Request the logging policy (No-logs policy) from the proxy provider. For corporate communications via Threema, it is critical that the provider does not store metadata: who, when, and from which IP connected. Although the content of the correspondence is encrypted at the Threema level, connection metadata can be sensitive.
3. Protocol: HTTP vs SOCKS5
For Threema, it is recommended to use SOCKS5 if technically possible. SOCKS5 operates at a lower level and does not alter request headers — this is important for the proper functioning of push notifications and message synchronization. HTTP proxies also work but may create delays when transmitting binary data (files, voice messages).
4. Proxy Authorization: IP Whitelist vs Username/Password
For corporate use, authorization via IP whitelist is preferred — it does not require storing passwords on employee devices and is easier to manage. If employees work with dynamic IPs (e.g., from home), use username and password authorization with credential rotation every quarter.
5. Monitoring and Backup Proxy
For critically important corporate communications, set up monitoring for the availability of the proxy server. Use at least two proxies in different data centers — primary and backup. If the primary proxy is unavailable, employees should know how to switch to the backup without losing access to Threema Work.
Common Mistakes When Using Proxies with Threema
In practice, most problems with Threema's operation through a proxy arise from several typical mistakes. Let's discuss them in detail so you don't make the same errors.
Mistake 1: Using Free Proxies
Free proxies pose a direct threat to corporate security. They often log all passing traffic, may inject malicious code, and are frequently already blocked at the Threema server level. For a corporate messenger that you use precisely for security, a free proxy completely negates the advantages of Threema.
Mistake 2: Proxies with IP Rotation Without Sticky Sessions
If your proxy changes IP every 1-5 minutes, Threema will constantly lose connection and require reauthorization. The messenger needs sticky sessions — a fixed IP for at least 30 minutes. When choosing a proxy provider, be sure to clarify the maximum sticky session time.
Mistake 3: Proxy Only for Some Devices
A common situation: the proxy is set up on corporate laptops but not on employees' smartphones. As a result, the same Threema Work account connects either through the proxy or directly — from different IPs. This can raise suspicions with security systems and lead to account blocking. Set up the proxy uniformly on all devices of a specific employee.
Mistake 4: Ignoring DNS Leaks
Even with a configured proxy, DNS queries may bypass it — going directly to the provider's DNS server. This is called a DNS leak. As a result, despite the proxy, the real location of the office may be revealed. Check for DNS leaks on dnsleaktest.com after setting up the proxy. To eliminate this, use DNS-over-HTTPS (DoH) or configure a proxy with DNS proxying support (SOCKS5 with remote DNS).
Mistake 5: Proxy Without WebSocket Support
Threema uses WebSocket to maintain a constant connection to the server (push notifications, fast message delivery). Some HTTP proxies do not support WebSocket or block long-lived connections. Before choosing a provider, clarify WebSocket support — otherwise, notifications will arrive with delays or not at all.
Mistake 6: Lack of Testing Before Deployment
Before deploying the proxy on all corporate devices, test the configuration on 2-3 devices over a week. Check: connection stability, message delivery speed, functionality of voice calls, and file transfers. Only after successful testing proceed to mass deployment.
Conclusion and Recommendations
Threema is a powerful tool for corporate communications, but its security can be significantly enhanced by adding a proxy at the network level. A proxy addresses tasks that encryption alone does not cover: bypassing regional blocks, hiding corporate IP, routing traffic through the corporate firewall, and ensuring stable connections for remote employees.
Key takeaways from the article:
- To bypass regional blocks, use residential proxies with sticky sessions.
- For maximum anonymity of top management — mobile proxies.
- For corporate deployment, configure proxies through MDM (Jamf, Intune), not manually.
- Always check for DNS leaks after setup.
- Require the provider to support WebSocket and sticky sessions for at least 30 minutes.
- Never use free proxies for corporate communications.
If you are looking for a reliable solution to protect corporate communications via Threema, we recommend considering residential proxies — they provide a high level of anonymity, minimal risk of blocks, and support for sticky sessions necessary for stable messenger operation. For tasks where maximum anonymity of negotiations is critical, the optimal choice will be mobile proxies — their traffic appears most organically to any filtering systems.
```