What do you recommend?
Using Transparent or Non-Transparent Proxy mode?
Thanks in advance:
Dwayne Parker
Hi,
Depends on your network requirements and what clients you are using.
I'm using both because XG is offering both. PAC file with standard proxy.
Mobile Devices with transparent.
Cheers
manbearpig said: Depends on your network requirements and what clients you are using.
What's the advantage for using non-transparent Proxy nowadays?
I am maintaining some setups using the non-transparent proxy. There we often deal with issues connected to web traffic which is not initiated by the browser but by applications. The origin of those problems often comes from those applications not being able to authenticate via NTLM, or because these applications are not able to get a proper explicit proxy setting configured.
Users can get rid of this when using transparent proxies, which is a huge advantage in my eyes!
Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
With transparent proxy you can apply Firewall rules based on FQDN. With traditional proxy you can't.
Somewhere I read that with a transparent proxy it is possible that not all content is scanned, and that the LAN is better isolated from the WAN when using non-transparent; is that correct?
Regards
_______________________________________________
Sophos XG User
There is a difference between standard and transparent proxy in the "DNS handling" of the clients. Standard proxy = your client can only resolve the internet in the HTTP CONNECT phase via the proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.
Some of the attacks are DNS based. If you are blocking DNS port 53 from the clients and only use 3128 for the proxy, the client (hacker/software) is not able to do a lookup via DNS. Most of the software nowadays is trying to resolve their C&C server via DNS port 53. If this is blocked, they give up.
I know, quite insecure comment, but can give you a small "advantage" against the bot software.
Technically, it is easy on other firewalls. BUT. Transparent proxy on XG is impossible. It just cannot be done. I assume you can do it with Sophos WEB gateway and a firewall from another supplier. Or maybe from Sophos' own UTM. But do not waste 6 months trying to figure out on XG. It is not gonna work. Just cannot do a rule of the type :
From this Zone, this LAN, these Services --- to --- this Zone, this LAN/WAN, these Services --- port forward to --- this IP Address, these Services.
Port forward optional, depending on the WEB Gateway.
for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.
Where 192.168.1.2 is the arbitrary address of a WEB gateway, and 192.168.1.0/24 being the internal network. 8 (eight) hours of Sophos professional service have proven unable to set up something as basic as that. Easily done on $100 Chinese firewalls.
It could be possible in command line maybe ...
I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.
Every connection to something like 8443, 8080 runs completely unproxied in transparent mode. Only in standard mode can you (and must you) define which ports are protected.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
Yes, you're right, that's what I meant.
One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.
Is XG configured to use both as standard?
Regards
Hi,
if you want the UTM to use more ports in transparent mode, you add them to the allowed ports.
Ian
XGS118 - v21.0.1 MR1
XG115 converted to software licence v21.0.1 MR-1
If a post solves your question please use the 'Verify Answer' button.
Hi Dwayne,
as ManBearPig advised, you need to set up a proxy.pac file that automatically loads or is loaded on each machine when it tries to access the internet at boot time.
I tried hardcoding the proxy details into IE and FF, but that failed when the laptops left home.
Also, though not 100% sure about this, you would need a line or two in your proxy.pac to cover each web browser your clients might use, then put a drop firewall rule for ports 80, 8080 etc.
ian
Hi,
I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.
UTM = Transparent Mode also allows port 8080 communication to UTM (like standard mode).
One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.
If you use "Scan HTTP(s)" in XG, it can be applied on 80/443/3128. If you only use 3128 as the service in the rule, the client can only use the standard proxy.
Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.
In transparent mode it only intercepts port 80 connections and - if "Do not proxy HTTPS traffic in transparent mode" is unchecked on the HTTPS tab - port 443 connections, too.
Gruß / Regards,
Kevin
Yes, it allows the connection TO the UTM, so if the browser is configured to use a proxy (a.k.a. 'Standard Mode') the 'allowed services' will still be used to proxy connections.
But if no configuration is made on the client side, the 'allowed services' are ignored and only 80/443 is proxied. All other connections will then be seen in the firewall log.
The proxy running in transparent mode can be used in both modes, standard (with client-side configuration) or transparent (without client-side configuration); if the mode is set to standard, only the clients with a configured proxy will use it. If a port 80/443 connection works without, these connections are allowed in the firewall.
That's the reason why I'm more comfortable with the UTM than the XG. The different functions are much easier to control (in the form of reading the LiveLog).
I don't like XG's concept of 'one rule for everything' (Firewall, Webfilter, IPS, ...) very much.
Gruß / Regards,
Kevin
Hi,
while I prefer the UTM, the XG has some advantages with the HTTP/S proxy. The UTM has the advantage that it works with blocking ATP and countries, whereas the XG doesn't.
While you have said you don't like the one rule for everything, the truth is that is not 100% correct. You can set up IP and web filter on a user/group basis, which you can't do with the UTM. You can set up rules where users are not configured to use the HTTP proxy.
When it comes to debugging, the UTM runs rings around the XG; the logs have meaningful information.
Ian
"Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.
In transparent mode it only intercepts port 80 connections and - if "Do not proxy HTTPS traffic in transparent mode" is unchecked on the HTTPS tab - port 443 connections, too."
You are correct.
Ian
Just to clarify. My understanding of a transparent proxy is that your local border firewall - let's say 192.168.1.1 - port forwards HTTP (80), HTTPS (443), FTP (21/22) and sometimes SOCKS traffic towards a dedicated WEB server, let's say 192.168.1.2. Like WEBSense, TitanHQ, Bluecoat, Spywall, or others.
Some answers here suggest firewalls scanning HTTP (80), HTTPS (443), and FTP (21/22) traffic directly is a transparent proxy. In other words, as long as there is no setup on users' WEB browsers (PAC file, GPO, etc.) - dedicated WEB filtering appliance or not - it is considered a transparent proxy.
That said, what I do not like with non-transparent proxy is that the firewall reports all WEB traffic as being done by the WEB appliance admin user. Forcing the manager to navigate both firewall and WEB appliance logs, trying to make sense out of it. Colossal waste of time. Also, non-transparent is somewhat unreliable, and requires tons of setup. PAC files, GPO, scripts, you name it.
manbearpig said:
There is a difference between standard and transparent proxy in the "DNS handling" of the clients.Standard proxy = your client can only resolve the internet in the HTTP connect phase via proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.
Big_Buck said:
for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.
Where 192.168.1.2 is the arbitrary address of a WEB gateway, and 192.168.1.0/24 being the internal network. 8 (eight) hours of Sophos professional service have proven unable to set up something as basic as that. Easily done on $100 Chinese firewalls.
It could be possible in command line maybe ...
The use of "conditional" in your sentence is judicious. Policy routing should work. But it does not. I was trying to figure this out for months. With Sophos support senior engineers in Boston. If you noticed, I have written Senior EngineerS. Meaning many. They had contradictory opinions on this. So we set up things only to destroy them and try something else the week after. The only benefit here was to show me options I would have never otherwise tested. But again, that's because this XG firewall is in its infancy and is growing weird. Why can't we simply do port forwarding on that "god damn" device like we can do on a $100 "Home Office" Chinese router??? pfSense? And all other firewalls I can imagine? I have never tested a firewall that cannot do it easily before.
I don't understand the setup completely. 192.168.1.1 is the XG's LAN side and 192.168.1.2 is an alias of the XG on the same interface where all traffic should be routed to, to act as what?
Gruß / Regards,
Kevin
OK. 192.168.1.2 is actually a dedicated and separate appliance. Could be virtual. Could be hardware. But the sole purpose of that appliance is to decrypt HTTPS, and scan HTTP, HTTPS, FTP, SOCKS traffic. It is not the firewall, which, in my example, is 192.168.1.1.
Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or in the Windows Control Panel's "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
In transparent proxy, your firewall takes care of this and redirects HTTP, HTTPS, FTP, SOCKS traffic towards that appliance in such a way that no setup is required on desktops.
In UTM it should be scanned at the firewall level. One might consider this as a transparent proxy as well. But I have yet to see a single firewall vendor achieving it properly.
Paul Jr
Big_Buck said: Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or in the Windows Control Panel's "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
You could distribute a central proxy.pac or wpad.dat link via DHCP or DNS to achieve that.
Gruß / Regards,
Kevin
Yes. Been there. Done that. But no one wants to maintain a Java-enabled server just for that archaic purpose that's very creative at failing. Particularly in environments with many internal subnets and one or more corporate VPNs. WEB browsers get confused about the real gateway, and exceptions in the "Internet Configuration" often fail. And that requires unproductive baby-sitting.
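As an added example (not code from any poster in this thread), here is the kind of proxy.pac Ian and Kevin refer to, written for the "many internal subnets plus VPN" case Big_Buck describes: internal names and ranges go DIRECT, everything else is sent to the XG standard proxy on 3128 with no DIRECT fallback, so the firewall's drop rule for 80/443 stays effective. The proxy address, domain suffix and ranges are assumed values, and the CIDR check is done on literal IPs without DNS so it also runs under Node for testing.

```javascript
// Assumed values (not from the thread): XG standard proxy, internal DNS suffix,
// internal subnets and a VPN range. Only plain string/number code is used so the
// same file works in a browser PAC engine and in Node.
var XG_PROXY = "PROXY 192.168.1.1:3128";   // explicit proxy port used on XG
var INTERNAL_DOMAIN = ".corp.example";      // assumed internal DNS suffix
var DIRECT_NETS = [                         // assumed internal + VPN ranges (CIDR)
  "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8"
];

// Dotted-quad to 32-bit integer; -1 when host is not an IPv4 literal.
function ipToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return -1;
    n = n * 256 + o;
  }
  return n;
}

// CIDR membership on a literal IP. Deliberately not isInNet(), which would
// resolve hostnames and stall browsers when a VPN changes the resolver.
function inCidr(ipInt, cidr) {
  var parts = cidr.split("/");
  var base = ipToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((base & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames and the internal suffix never leave the LAN.
  if (host.indexOf(".") === -1 ||
      host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) {
    return "DIRECT";
  }
  var ip = ipToInt(host);
  if (ip !== -1) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inCidr(ip, DIRECT_NETS[i])) return "DIRECT";
    }
  }
  // No "; DIRECT" fallback: with 80/443 dropped at the firewall, the browser
  // must go through the proxy, where scanning and user attribution happen.
  return XG_PROXY;
}
```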