We'd love to hear about it! Click here to go to the product suggestion community
I currently want to use AD SSO in Standard mode, so will be deploying the Proxy Server settings for Internet Options via Group Policy (Active Directory). I think Chrome also honours the internet options Proxy setting too.
What I want to ensure is that if, there happens to be a client that does not have this set then it is blocked.
Currently, if I test a client that does not have the proxy set, then it seems to just allow access out to the internet without filtering/blocking.
In theory, the plan is to only allow out any clients that have the Proxy set.
Any ideas/advice please?
1) Turn on Transparent Mode Web Filter with no authentication and collect data.
You will be surprised at how much non-browser traffic occurs on your network. Automatic Updates from Microsoft, Adobe, Java, Antivirus. Remote access applications like GoToMyPc. There will probably be some non-Domain PCs in your organization that need network access. There will be some fat-client applications that use https for communications. Few if any of these applications will notice your proxy settings, and even fewer will be able to pass AD SSO credentials. You may also have occasion to log into a PC with a local account, which cannot pass AD SSO, but may still need network access.
Transparent and Standard modes can (and should) be used together. Put the Standard Mode Filter Profiles higher in the list so that they are evaluated first, because a Transparent Mode Filter Profile is actually a "both" profile.
2) How to use Transparent Mode
I use Transparent Mode with Authentication=None because I want all of those non-browser programs to work as expected without thousands of user complaints and special intervention.
I apply it to pretty much my entire network.
I configure Transparent mode with a Filter Action that allows the categories that are likely to be safe and likely to be necessary, with reputation Neutral or higher.
3) Proxy Bypass
Proxy bypass for Standard Mode is assumed to be done with the Proxy Script, based on regex of the URL. Proxy Bypass for Transparent Mode is assumed to be based on a server skip list (based on IP), which is unknowable. Instead, create an exception that disables all proxy functions. This has worked well for me and the one exception applies to both Proxy Modes. I actually assign tags to Website objects, then apply the tag to the Bypass-All Exception object. This eliminates nearly all use of Regex, which avoids many errors and is simpler to maintain.
You SHOULD have a proxy script that bypasses all internal websites, whether referenced by DNS name or ip address. Do not make UTM the bottleneck to your internal operations.
4) QUIC Protocol
You MUST block UDP 443 in your firewall, or Chrome will bypass your proxy whenever a server supports their QUIC protocol. Optionally, you can add it to the Allowed Target Servers list so that Standard Mode connections allow it to work. It is supposed to be faster. Sophos has never said publicly whether their proxy handles it well, but users on this forum seem to have had success with it enabled.
5) Uncategorized sites
I block uncategorized sites. This creates some support calls, but I have determined that it is worth the inconvenience.
Get an account with them (Free) and use it to check and submit site categorization requests. They will get you a result and a response email in 24 hours and it will flow to UTM eventually (5 days). The Sophos submit form triggers the same process but provides no feedback. I have been told that the database reference to use on lookups is "McAfee SmartFilter 4.2 XL-1"