We'd love to hear about it! Click here to go to the product suggestion community
We are going to stop using standard web filtering but we are interested by keeping username instead of IP address in the log files.
Do you know if we can do that using the proxy in transparent mode with SSO and HTTPS scan.
Thanks for your feedback or recommandations.
You are mixing multiple concepts:
Specifically: When HTTPS Scanning is OFF and a user accesses an HTTPS website:
There are several possible approaches to the username problem:
My research has shown that there is a lot of non-browser traffic which ignores Standard Proxy settings. This includes fat-client applications, anti-virus and other automatic update applications, and some operating system overhead. I recommend using Transparent Mode to ensure that this traffic is monitored, and I recommend implementing an unauthenticated users policy for Transparent Mode to ensure that this traffic is allowed.
At the same time, I recommend using Standard Mode for browser-based traffic, because it monitors non-standard ports.
Finally, you must have a firewall rule to block UDP 443 or the Chrome QUIC protocol will be used to bypass your web filter completely.
In reply to DouglasFoster:
A Transparent Mode Filter Profile also acts as a Standard Mode Filter Profile (undocumented feature). So if you really want to switch, you have to remove the Standard Mode settings from your clients. Removing the settings is also important for performance reasons.
Create an Exception object that bypassess all features, and migrate your proxy script "DIRECT" sites into that exception. This will have the same effect and will work equally well, whether using Standard Mode, Transparent Mode, or both. The Transparent Mode Skip list is unsuitable because it is based on IP address rather than URL.
Proxy script exceptions are unsuitable it Both mode because the Standard Mode exceptions will fall into Transparent Mode, where the script exception only bypasses Standard Mode.