
Force specific Clients to use transparent HTTP Proxy

Hello,

I have set up Sophos UTM 9.5 for my home network. The basic configuration was done by the Auto Wizard. Clients get their DHCP configuration from the UTM; the gateway / DNS for the clients is the internal UTM IP address. Under Network Services - DHCP I add all the internal devices (TV, multimedia PC, iPhones etc.) as static entries.

When I connect from my PC to the Internet I can surf both with proxy port 8080 and without a proxy...

How can I define for specific clients that they have to go through the proxy?

Thx

Sally



  • Hi,

    In the configuration with "transparent mode", everything is routed via https - see "Allowed Networks" under Web Protection -> Web Filter -> Global.
    An exception are the "Bypass Users" under Web Protection -> Filtering Options, or "Skip Transparent Source ..." under Web Protection -> Filtering Options -> Misc.

  • Hello Ulf,

    thanks for your answer. Allowed Networks: Internal is defined under Web Protection -> Web Filter -> Global, with Transparent Mode and Authentication: None.

    Firewall rule:

    Internal -> Web Surfing (services HTTP Proxy, HTTP, HTTP Web Cache, HTTPS) -> Any

    What I do not yet really understand is how I can ensure that, for some devices, the traffic really goes to the HTTP / HTTPS proxy. Do I also have to adapt the firewall rule?

    Thx

    Sally

  • Hi,

    if you define the network, e.g. "Internal (Network)", under "Default Web Filter Profile" / "Allowed Networks" (Web Protection -> Web Filter -> Global), all clients in that network are handled according to the "Default Web Filter Profile" under Web Protection -> Web Filter -> "Web Filter Profiles".

    IPs, URLs and networks listed under "Skip Transparent Source ..." (Web Protection -> Filtering Options -> Misc) are not subject to the transparent interception of HTTP/S traffic; they are allowed unproxied to the Internet.

    "Allow HTTP/S traffic for listed hosts/nets" must be activated.

    You do not need a new firewall rule.
    The standard FW rule Internal -> Web Surfing -> Internet IPv4 / Any is sufficient.

  • Hi Ulf,

    thanks for the detailed information. To reach my external web server (public IP, port 8443) I set a firewall rule allowing Internal Network -> Service 8443 -> Any, and this works fine. When I manually set the HTTP / HTTPS proxy in the Safari browser to the FW IP / port 8080 (the UTM is still in transparent proxy mode), then I get the error:

     

    An error occurred while handling your request

    While trying to retrieve the URL:
    The content could not be delivered due to the following condition:
    Target service not allowed

    When I set Safari to explicitly use no proxy, then I reach the web server. What are the client settings in transparent mode, just no proxy or auto proxy discovery?

    Thanks a lot!

    Regards
    Sally

  • Target service not allowed

    There's your answer. You need to allow port 8443 through your proxy. Web Protection - Filtering Options - Misc

    But you're internal are you not? Why access the external IP from inside?

  • Hi,

    yes, I'm internal, but the web server is hosted by an external provider, so I connect to the external IP. I was thinking it was enough to only set a firewall rule from Internal, port 8443, to the Internet to reach my server. So I will also add the port under Misc.

    Thx

    Sally

  • You need at least a "Web Surfing" or "HTTP/S" firewall rule when you do not use the checkbox "Allow HTTP/S traffic for listed hosts/nets". My trainers in the UTM certification courses warned me about using this checkbox, because you automatically allow any traffic for all skipped networks/hosts, which in some cases is not what is planned.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
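An added example, not from the thread or from Sophos, that models in Python the decision flow Ulf and Kevin describe: transparent interception for "Allowed Networks", the "Skip Transparent Source ..." list, the "Allow HTTP/S traffic for listed hosts/nets" checkbox, the explicit proxy's target-service check behind the "Target service not allowed" error, and the firewall rule as the fallback. It assumes that transparent interception covers only ports 80 and 443, that the checkbox grants only those two ports, and constructed sample addresses; the real UTM logic is richer than this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set

# Ports the transparent proxy intercepts (assumption: plain HTTP/S only).
TRANSPARENT_PORTS = {80, 443}


@dataclass
class WebPolicy:
    """Simplified model of the UTM settings named in the thread (assumption)."""
    allowed_networks: List[str]    # Web Filter -> Global -> Allowed Networks (transparent mode)
    skip_sources: List[str]        # Filtering Options -> Misc -> "Skip Transparent Source ..."
    allow_skipped_http_s: bool     # checkbox "Allow HTTP/S traffic for listed hosts/nets"
    proxy_target_ports: Set[int]   # target services the explicit proxy (port 8080) may reach
    firewall_ports: Set[int]       # ports opened by rules such as Internal -> Web Surfing -> Any

    @staticmethod
    def _member(ip: str, nets: List[str]) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(net, strict=False) for net in nets)

    def _firewall(self, dst_port: int) -> str:
        return "direct (firewall rule)" if dst_port in self.firewall_ports else "denied (no firewall rule)"

    def decide(self, client_ip: str, dst_port: int, explicit_proxy: bool = False) -> str:
        # Browser pointed manually at UTM:8080: the proxy's own target-service list decides.
        if explicit_proxy:
            return "proxy (explicit)" if dst_port in self.proxy_target_ports else "denied (Target service not allowed)"
        # Listed skip sources are never intercepted. With the checkbox ticked, web ports pass
        # without any firewall rule, which the thread warns is broader than usually intended
        # (assumption: the grant covers exactly the HTTP/S ports). Without it, the rule set decides.
        if self._member(client_ip, self.skip_sources):
            if self.allow_skipped_http_s and dst_port in TRANSPARENT_PORTS:
                return "direct (checkbox grant, no firewall rule needed)"
            return self._firewall(dst_port)
        # Allowed networks get HTTP/S intercepted; everything else falls through to the firewall.
        if self._member(client_ip, self.allowed_networks) and dst_port in TRANSPARENT_PORTS:
            return "proxy (transparent)"
        return self._firewall(dst_port)


def sally_setup() -> WebPolicy:
    # Constructed sample matching the thread: internal network transparent, one TV skipped,
    # explicit-proxy targets without 8443, checkbox off, and an extra firewall rule for 8443.
    return WebPolicy(["192.168.0.0/24"], ["192.168.0.50"], False, {80, 443, 8080}, {80, 443, 8080, 8443})
```

With the constructed setup, `sally_setup().decide("192.168.0.10", 8443, explicit_proxy=True)` reproduces the "Target service not allowed" outcome, while the same request without the explicit proxy passes on the 8443 firewall rule.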

  • Hi Kevin,

    thanks, the checkbox "Allow HTTP/S traffic for listed hosts/nets" was checked, so I have disabled it now. Do you have some other tips from the courses regarding the best proxy settings?

    Regards

    Sally