This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Different web filtering profiles not working as intended

Hi, I'm having some trouble getting a proxy configuration to work correctly.

Actually a customer is using transparent proxy for his internal network - everything is working fine. Now he has a new VLAN where some guest workers are separated. He wants to deny all web traffic for this new VLAN except "windows updates".

I changed the "Default Web Filter Profile" to accept connections from both networks (UTM is gateway for both). HTTPS Scan Settings is set to "URL filtering only" and no policy is active for that profile. "Base Policy" is working with "Default content filter block action".

Then I created a new Policy for the internal network. "Allowed network" is only the internal network, HTTPS and mode settings set as in default profile, only the policy for the internal network with it's own filter action ("Allow all content, except...") is active. Surfing is working as before for the internal network.

Now I sat up nearly the same for the VLAN. "Allowed network" is only the VLAN network, HTTPS and mode settings as in default profile, an own policy with an own filter action (copy of "Default content filter block action", therefore "Block all content, except...") to disallow anything at first and to be able to allow some pages without changing the default filter action.

I did not use authentication anywhere and I did not use https-decryption, only "URL filter".

 

Now to my problems:

  1. if I call http://www.sophos.com from the VLAN the "content blocked (blocked category)" page is shown, okay so far but with a small failure: a "unblock page" button is also shown. I could live with that but I don't understand why it is shown.
  2. if I call https://www.sophos.com something weird is happening. The proxy behaves like if I have https-decryption active. First that is shown is a certificate error containing the UTM's proxy CA certificate. If I proceed the error the content blocked page is shown, too but the layout is completely destroyed.

Any hints where I have misconfigured something would be nice. Again, authentication and https-decryption is not active in any of the profiles, so why does the proxy behave like it is active?



This thread was automatically locked due to age.
Parents
  • Kevin, please show pictures of the 'Global' and 'HTTPS' tabs for the Default and Profiles.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, sure.

     

    Here is my global Profile. HTTPS settings are equal in the other profiles, so I will leave that part away for them.

    SP-LAN is the internal network, SP-ZEITSUPPORT is my testing virtual machine in the VLAN, sure I will change this to the whole VLAN if everything works without errors.
    SP-T2LTE is an interface with a small transfer network to a 4G/LTE connection that is used for web surfing since the SDSL connection is relatively small (5MBit).

    The profile for the internal LAN:

    and for the VLAN:

    One thing to mention: from logging the UTM is using the correct filter actions and is doing the right thin (blocks the content). But the authentication plus the SSL errors are confusing me.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • All perfect as expected, Kevin.  How about pics of the 'HTTPS' tab for the two Profiles?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Wait a minute, Kevin -  I bet we're making this more complicated than it is.  If you download the HTTPS Proxy CA into the PC you're testing with, does everything then look normal?  I bet it does because there is something unusual if an HTTPS access is blocked but the Proxy CA isn't available.  I haven't ever seen that because I always download the Proxy CA.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If I import the Proxy CA the https block page is shown as the http block page (with pictures) but the "Unblock URL" button is still in place.

    I don't get the failure why that profile is acting like a profile with authentication. In my opinion the button only makes sense if I use any authentication mode. But I think you are right. I tested it with our transparent proxy (without profiles)... if I open a https site that is blocked the failure is the same... seems I have to live with it. I thought I would need the Proxy CA only when using the decrypt & scan settings since the UTM itself says: "To avoid browser warnings when using Decrypt and Scan, ensure the HTTPS Certificate Authority is deployed to end users."

    "Do not proxy HTTPS traffic in transparent mode" is no real option in my opinion... most services use https today.

    The import of the Proxy CA is no option, too since the devices that I have to block are from external technicians where I have no access to.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • OK, I found out why the UTM showed the authentication button... there was an exception for the CEO to be able to override blocked pages. I never use this and therefore didn't check that tab (we took over the UTM from another IT service provider and didn't configure it completely new).

    The behaviour that the page layout is destroyed because the block page is shown in https too is OK for me. I think Sophos should fine tune this behaviour, in my opinion there is simply no need for having the block page shown in https. Maybe it is not changeable but it should be possible to load the images and stylesheets for it via http.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • AFAIK

    If the user goes to a HTTP page then the block page is shown in HTTP and the resources it loads (eg images) are also loaded in HTTP.

    If the user goes to a HTTPS page then the block page is shown in HTTPS (we have to serve the page on the same connection).  In this case the resources it loads are also loaded in HTTPS.  I think that if the images were loaded in HTTP the browser gives the user a warning about mixed content.

    I know that we resolved this in XG by loading all resources (including images) directly in-line with the page so that it is all delivered at once as part of the block page.  I don't know if there are any plans to do this on UTM, but that would be the way to fix this.

     

    When you turn on the Web Filtering proxy in transparent mode, it creates special hidden firewall rules for port 80 and port 443 that forward all traffic going through the firewall on those ports to the internal proxy.  The option "Do not proxy HTTPS" is there so that it does not make a firewall rule for port 443.  Instead you can create your own LAN->WAN rule for Service HTTPS (443) that allows all traffic directly through the firewall without being proxied.

Reply
  • AFAIK

    If the user goes to a HTTP page then the block page is shown in HTTP and the resources it loads (eg images) are also loaded in HTTP.

    If the user goes to a HTTPS page then the block page is shown in HTTPS (we have to serve the page on the same connection).  In this case the resources it loads are also loaded in HTTPS.  I think that if the images were loaded in HTTP the browser gives the user a warning about mixed content.

    I know that we resolved this in XG by loading all resources (including images) directly in-line with the page so that it is all delivered at once as part of the block page.  I don't know if there are any plans to do this on UTM, but that would be the way to fix this.

     

    When you turn on the Web Filtering proxy in transparent mode, it creates special hidden firewall rules for port 80 and port 443 that forward all traffic going through the firewall on those ports to the internal proxy.  The option "Do not proxy HTTPS" is there so that it does not make a firewall rule for port 443.  Instead you can create your own LAN->WAN rule for Service HTTPS (443) that allows all traffic directly through the firewall without being proxied.

Children
No Data