Use Transparent Proxy or Non-Transparent Proxy?

What do you recommend?

Using Transparent or Non-Transparent Proxy mode?

 

Thanks in advance:

 

 

Dwayne Parker

  • In reply to ManBearPig:

    Yes it allows the connection TO the UTM so if the browser is configured to use a proxy (a.k.a. ‚Standard Mode‘) the ‚allowed services‘ will still be used to proxy connections.

    But if no configuration is made on the client side the ‚allowed services‘ are ignored and only 80/443 is proxied. All other connections will then be seen in the firewall log.

    The proxy running in transparent mode can be used in both modes, standard (with client-side configuration) or transparent (without client-side configuration), if the mode is set to standard only the clients with configured proxy will use it. If a port 80/443 connection works without these connections are allowed in the firewall.

    Thats the reason, why I‘m more comfortable with the UTM than the XG. The different functions are much more easier to control (in form of reading the LiveLog).

    I don‘t like XG‘s concept of ‚one rule for everything‘ (Firewall, Webfilter, IPS,...) very much.

  • In reply to kerobra:

    Hi,

    while I prefer the UTM the XG has some advantages with the http/s proxy. The UTM has the advantage that it works with blocking ATP and countries where as the XG doesn't.

    While you have said you don't like the one rule for everything, the truth is that is not 100% correct. You can setup IP and web filter on a user/group basis which you can't do with the UTM. You can setup rules where users are not configured to use the http proxy.

    The it comes to debugging the UTM runs ruins around the XG, the logs have meaningful information.

    Ian

  • ManBearPig


    There is a difference between standard and transparent proxy in the "DNS handling" of the clients.Standard proxy = your client can only resolve the internet in the HTTP connect phase via proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.


    Some of those Scenarios you describe can be solved also in transparent Proxy. There is a Flag called Pharming Protection to be found in Protect > Web > General Settings > Protection > Advanced Settings > Enable Pharming Protection.

    Big_Buck


    for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.

    Where 192.168.1.2 is the arbitrary address of a WEB gateway.  And 192.168.1.0/24 being the internal network.  8 (eight) hours of Sophos professionnal service have proven unable to setup something as basic as that.  Easily done on $100 chinese firewalls.

    It could be possible in command line maybe ...



    Shouldn't this scenario be possible to solve with Policy Routing? The only limitation would be, that the Proxy-IP must be somewhere out of the 192.168.1.0/24 Range.



  • In reply to kerobra:

    "Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.

    In transparent mode it only intercepts port 80 connections and - if „Do not proxy HTTPS traffic in transparent mode“ is unchecked on the HTTPS tab -  port 443 connections, too."

    You are correct.

    Ian

  • In reply to HuberChristian:

    The use of "conditional" in your sentence is judicious. Policy routing should work.  But it does not. I was trying to figure this out for months.  With Sophos support senior engineers in Boston.  If you noticed I have written Senior EngineerS.  Meaning many.  They had contradictory opinion on this.  So we set up things only to destoy it and try something else the week after.  The only benefit here was to show me options I would have never otherwise tested.  But again, that's because this XG firewall is in infancy and is growing weird.  Why can't we simply do port forwarding on that "god dam" device like we can do on $100 "Home Office" Chinese router ??? PFSense ? and all other firewalls I can imagine of ? I have never tested a firewall that cannot do it easily before.

  • In reply to HuberChristian:

    I don‘t understand the setup completely. 192.168.1.1 is the XG‘s LAN side and 192.168.1.2 is an alias of the XG on the same interface where all traffic should be routed to to act as what?

  • In reply to kerobra:

    ok.  192.168.1.2 is actually a dedicated and separate appliance.  Could be virtual.  Could be hardware.  But the sole purpose of that appliance is to decrypt https, and scan http, https, ftp, socks traffic.  It is not the firewall, which, in my example is 192.168.1.1

    Typically, to make this work in non transparent proxy mode, you have to setup GPO in active directory, or in Window control panel's "Internet Option, Connection, Lan Setting".  In other words, you have to tell your computer that the way out of your network for those traffics is not the firewall, but the web proxy instead.

    In transparent proxy, your firewall takes care of this and redirect http, https, ftp, socks traffic towards that appliance in such a way no setup is required on desktops.

    In UTM it should be scan at the firewall level.  One might consider this as transparent proxy as well.  But I have yet to see a single firewall vendor achieving it it properly.

    Paul Jr

  • In reply to Big_Buck:

    Big_Buck
    Typically, to make this work in non transparent proxy mode, you have to setup GPO in active directory, or in Window control panel's "Internet Option, Connection, Lan Setting".  In other words, you have to tell your computer that the way out of your network for those traffics is not the firewall, but the web proxy instead.

    You could distribute a central proxy.pac- or wpad.dat-Link via DHCP or DNS to achieve that.