This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

internal Proxy Usage from other (DMZ) Networks

Hello community,

I have a problem understanding  the usage of the internal UTM (9.4) proxy from other UTM Networks.

My setup:

  • Internal LAN (192.x)
  • DMZ Server (172.16.1.x)
  • DMZ WLAN (172.16.2.x)

 The Web Protection is enabled:

  •  allowed Networks: internal only
  • Standard mode
  • AD SSO Authentification
  • block accees with no athentification enabeld

 All other Networks are in tranparent mode with different guidelines

 I have no additonal Packet Filter rules in the two DMZ Networks, only DMZ ->allow-> DNS, everything is handled by the proxy

 I have no additional surfing (http/https) rules for the internal LAN (everything  is handled by the proxy)

 And here it comes:

 I worked on a Server in the DMZ Network and wondered if the Server can Access the internet without a DNS packet Filter rule….

 I attemped to connect to an internal WebServer and it works…

 I couldnt believe it and i checked the Server proxy settings and i saw that a colleague has setup the internal proxy settings (192.168.x.x Port 80xx) to the DMZ Server (172.16.x.x)

 This makes it possible to surf and connect to the internal Server….without any rule or other settings….(DNS, etc)

 

So how can i prevent the usage oft the standard internal Proxy (192.) from other Networks ? I thought the Web Protection allowed Networks is the key, but it isnt…

 

BG

 

mwie



This thread was automatically locked due to age.
Parents
  • UTM does not have security zones, so DMZ security gets complicated.   See the wiki for additional info.

    Short version:

    You need to add a rule in the DMZ filter action(s) to block internal I.P. addtesses and internal host names..

    Alsi add a firewall rule to block UDP 443 so that Chrome does not evade your web filter.

  • Also be aware that a Transparent Web Profile also acts as a Standard Web Profile (undocumented feature).    (Standard Profiles are Standard only, Transparent Profiles are really both.)  This is not necessarily desirable because there are differences in behavior related to DNS - Transparent Web resolves DNS at the client, while Standard Web resolves DNS at the UTM.

    Your DMZ devices probably use the internet for DNS (such as Google's 8.8.8.8 or Quad9's 9.9.9.9), which will never resolve to an internal address.   Your UTM might resolve some DNS to internal addresses that you will be blocking. 

    I recommend creating a Standard Web Profile for the DMZ address range, which blocks everything, with a priority just higher than the DMZ Transparent Web profile.   This ensures that if someone is trying to play games with you by enabling Standard Web, they will not be successful, and you will not have to worry about the complexity of this additional access path.

  • Hi Douglas,

     

    thank you for your answer, i will configure it and post a result.

     

    BG

     

    mwie

  • you also need a firewall rule to restrict non-web access from DMZ to Internal.

  • Hallo mwie and welcome to the UTM Community.

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • ok, i have done the following and it seems to work:

     

    - add the DMZ server and DMZ WLAN to: web protection -> filter Options -> misc -> transparent mode skip list

    - create standard web proxy profiles for both DMZ with no surf rights above the transparent profile

    - include my other Networks / Hosts in the web profile -> websites blocked   

    - network protection packet filter rule: deny DMZ Server / DMZ WLAN to all other networsk and vice versa

     

    it works for me.

     

    BG

     

    mwie

Reply
  • ok, i have done the following and it seems to work:

     

    - add the DMZ server and DMZ WLAN to: web protection -> filter Options -> misc -> transparent mode skip list

    - create standard web proxy profiles for both DMZ with no surf rights above the transparent profile

    - include my other Networks / Hosts in the web profile -> websites blocked   

    - network protection packet filter rule: deny DMZ Server / DMZ WLAN to all other networsk and vice versa

     

    it works for me.

     

    BG

     

    mwie

Children
No Data