This article explains various features & operation modes of Sophos Web Filtering.
If you're looking for instructions or examples of how to configure UTM Web Protection, please see the Administrator Guide, section 9 (page 285).
Known to apply to the following Sophos product(s) and version(s)
Sophos UTM Software ApplianceSophos UTM
Operating systems v7, v8, v9
Transparent modes do not require proxy settings within client browsers be enabled. These modes are the simplest to implement, since no client browser configuration is necessary.
There are two different transparent operation modes available, Transparent and Transparent with Authentication.
Transparent mode applies the same filtering options to all computers within the networks that it is configured to protect. It does not authenticate users, and cannot differentiate by anything other than IP address.
Standard modes require that the browser be configured to use or to look for a proxy server. They require some initial setup, but when done correctly, can offer the maximum amount of flexibility.
These standard operation modes are available:
This mode does not support any form of authentication. Clients may only be filtered by source IP address.
This mode activates the Sophos Authentication Agent (SAA). The agent has to be installed and can be downloaded via the WebAdmin page Definitions & Users > Client Authentication or the User Portal. Users have to start the agent and authenticate in order to be able to use the web filter.
This mode allows username-based tracking, reporting and surfing without client-side browser configuration. You can enable a disclaimer that is additionally displayed on the dialog window for login and needs to be accepted by users to be able to go on.
Basic User Authentication mode will request authentication when new connections are made to the proxy. Client browsers will request this authentication in the form of a popup authentication dialog box. Once authenticated, clients will be able to surf without being authenticated until their session ends.
Active Directory SSO (single sign-on) mode requires that UTM be joined to the Active Directory domain. Using Kerberos or NTLM, every web session is authenticated silently. The browser is prompted to provide a valid authentication token, which is validated against the AD server. If this process fails, or the account information is invalid, the Authentication fails and it depends of the Browser if a prompt will appear to request credentials from the user. Provided credentials are validated by the directory server.
eDirectory SSO mode requires that UTM be configured with credentials to communicate with at least one eDirectory server within the eDirectory tree. UTM will then communicate with the directory server to track the IP address of all logged in users. When a web request is made by a client, the source is checked against all current logged in users. If no user is known to be logged in at the requesting client, then UTM will fallback to Basic User Authentication mode, and prompt the browser to request credentials from the user. Provided credentials are validated by the directory server.
Apple OpenDirectory SSO mode requires to upload a MAC OSX single sign-on Kerberos keyfile. In this mode clients must have specified the web filter as HTTP proxy in their browser configuration.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.