
Use Transparent Proxy or Non-Transparent Proxy?

What do you recommend?

Using Transparent or Non-Transparent Proxy mode?

Thanks in advance,

Dwayne Parker

  • Hi,

    Depends on your network requirements and what clients you are using.

    I'm using both because XG is offering both. PAC file with standard proxy.

    Mobile Devices with transparent. 

    Cheers

    __________________________________________________________________________________________________________________

  • manbearpig said:

    Depends on your network requirements and what clients you are using.

    What's the advantage of using a non-transparent proxy nowadays?

    I am maintaining some setups using the non-transparent proxy. There we often deal with issues connected to web traffic which is not initiated by the browser but by applications. The origin of those problems often comes from those applications not being able to authenticate via NTLM, or because these applications are not able to get a proper explicit proxy setting configured.

    Users can get rid of this when using transparent proxies, which is a huge advantage in my eyes!

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • With transparent proxy you can apply Firewall rules based on FQDN. With traditional proxy you can't.

    Somewhere I read that with a transparent proxy it is possible that not all content is scanned, and that the LAN is better isolated from the WAN when using non-transparent; is that correct?

    Regards

    _______________________________________________

    Sophos XG User

    There is a difference between standard and transparent proxy in the "DNS handling" of the clients. Standard proxy = your client can only resolve the internet in the HTTP CONNECT phase via the proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.

    Some of the attacks are DNS based. If you are blocking DNS port 53 from the clients and only use 3128 for the proxy, the client (hacker/software) is not able to do a DNS-based lookup. Most of the software nowadays is trying to resolve their C&C server via DNS port 53. If this is blocked, they give up.

    I know, quite an insecure comment, but it can give you a small "advantage" against the bot software.

    __________________________________________________________________________________________________________________

  • Technically, it is easy on other firewalls. BUT.  Transparent proxy on XG is impossible.  It just cannot be done.   I assume you can do it with Sophos WEB gateway and a firewall from another supplier.  Or maybe from Sophos' own UTM.  But do not waste 6 months trying to figure out on XG.  It is not gonna work.  Just cannot do a rule of the type :

    From this Zone, this LAN, these Services --- to --- this Zone, this LAN/WAN, these Services --- port forward to --- this IP Address, these Services.

    Port forward optional, depending on the WEB Gateway. 

    for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.

    Where 192.168.1.2 is the arbitrary address of a web gateway, and 192.168.1.0/24 is the internal network. 8 (eight) hours of Sophos professional service have proven unable to set up something as basic as that. Easily done on $100 Chinese firewalls.

    It could be possible in command line maybe ...

    Transparent proxy outgoing is easy, and I think this is what the original post was about?

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.
    Every connection to something like 8443 or 8080 runs completely unproxied in transparent mode. Only in standard mode can you (and have to) define which ports are protected.

    Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

    Yes, you're right, that's what I meant.

    One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.

    Is XG configured to use both as standard?

    Regards

    _______________________________________________

    Sophos XG User

  • Hi,

    if you want the UTM to use more ports in transparent mode, you add them to the allowed ports.

    Ian

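The posts above make three related points: a transparent proxy intercepts only HTTP and HTTPS, so connections to ports such as 8080 or 8443 leave the network unproxied unless those ports are added to the allowed list; an explicit (standard) proxy client only ever talks to the proxy port, so the proxy does the name resolution and client-side DNS can be blocked; and the gap can be closed by adding ports. The following is an added example, not code from this thread or from Sophos, that audits constructed connection-log lines against that model. The port numbers (80/443 intercepted, 3128 for the explicit proxy, 53 for DNS), the log format and the TEST-NET addresses are all assumptions made for the example.

```python
"""Audit outbound flows for web-proxy coverage gaps.

Added example, not code from the Sophos thread or from Sophos: it models the
behaviour the posts describe (transparent mode intercepts only HTTP/HTTPS,
explicit proxy clients talk only to the proxy port, and DNS can be blocked
client-side when an explicit proxy resolves names) over constructed log lines.
"""
from collections import Counter
from dataclasses import dataclass

# Assumptions for this example, not Sophos defaults: ports the transparent
# proxy intercepts, the explicit proxy listener, and the DNS port.
TRANSPARENT_PORTS = {80, 443}
EXPLICIT_PROXY_PORT = 3128
DNS_PORT = 53

# Constructed sample log: "src dst dport proto" per line (TEST-NET addresses).
# 10.0.0.5 browses via the transparent path; 10.0.0.6 uses the explicit
# proxy at 10.0.0.2, but one of its applications ignores the proxy setting.
SAMPLE_LOG = """
# src        dst            dport proto
10.0.0.5     203.0.113.10   443   tcp
10.0.0.5     203.0.113.10   8443  tcp
10.0.0.5     10.0.0.1       53    udp
10.0.0.6     198.51.100.7   8080  tcp
10.0.0.6     10.0.0.2       3128  tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse the constructed log format; skip blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def classify(flow, mode, dns_blocked):
    """Classify one flow under a proxy mode ('transparent' or 'standard').

    Returns 'proxied', 'bypasses-proxy', 'dns-allowed' or 'dns-blocked'.
    """
    if mode not in ("transparent", "standard"):
        raise ValueError(f"unknown mode {mode!r}")
    if flow.dport == DNS_PORT:
        # With an explicit proxy the proxy resolves names during CONNECT, so
        # client DNS can be blocked; transparent mode needs client DNS open.
        return "dns-blocked" if dns_blocked else "dns-allowed"
    if flow.dport == EXPLICIT_PROXY_PORT:
        return "proxied"  # explicit proxy connection, filtered on the proxy
    if mode == "transparent" and flow.dport in TRANSPARENT_PORTS:
        return "proxied"  # intercepted by the transparent listener
    return "bypasses-proxy"  # leaves the network without web filtering


def audit(text, mode, dns_blocked=False):
    """Return (verdict counts, sorted destination ports that escape the proxy).

    The port list is what an admin would consider adding to the transparent
    proxy's allowed ports, or blocking outright at the firewall.
    """
    flows = parse_log(text)
    verdicts = Counter(classify(f, mode, dns_blocked) for f in flows)
    escaping = sorted({f.dport for f in flows
                       if classify(f, mode, dns_blocked) == "bypasses-proxy"})
    return dict(verdicts), escaping


if __name__ == "__main__":
    for mode, dns_blocked in (("transparent", False), ("standard", True)):
        counts, ports = audit(SAMPLE_LOG, mode, dns_blocked)
        print(f"{mode:12} dns_blocked={dns_blocked}: {counts}; "
              f"unproxied destination ports: {ports}")
```

Run it against your own exported connection log (after adapting `parse_log` to that format) to see which destination ports your clients actually use outside 80/443; those are the ports to add to the transparent proxy's allowed list, or to block, rather than guessing.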