Use Transparent Proxy or Non-Transparent Proxy?

Technically, it is easy on other firewalls. BUT.  Transparent proxy on XG is impossible.  It just cannot be done.   I assume you can do it with Sophos WEB gateway and a firewall from another supplier.  Or maybe from Sophos' own UTM.  But do not waste 6 months trying to figure out on XG.  It is not gonna work.  Just cannot do a rule of the type :

From this Zone, this LAN, these Services --- to --- this Zone, this LAN/WAN, these Services --- port forward to --- this IP Address, these Services.

Port forward optional, depending on the WEB Gateway. 

for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.

Where 192.168.1.2 is the arbitrary address of a WEB gateway.  And 192.168.1.0/24 being the internal network.  8 (eight) hours of Sophos professionnal service have proven unable to setup something as basic as that.  Easily done on $100 chinese firewalls.

It could be possible in command line maybe ...

Transparent proxy outgoing is easy and I think the is what the original post was about?

Transparent proxy outgoing is easy and I think the is what the original post was about?

I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.
Every connection to something like 8443, 8080 runs completely unproxied in transparent mode. Only in standard mode you can (and have to) define, which ports are protected.

Yes, you're right, thats what I meant.

One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.

Is XG configured to use both as standart?

Regards

Hi,

if you want the UTM to use more ports in transparent mode you add them the allowed ports.

Ian

Hi Dwayne,

as ManBearPig advised you need to setup a proxy.pac file that automatically loads or is loaded on the each machine when it tries to aces the interior at boot time.

I tried hardcoding the proxy details into IE and FF, but that failed when the laptops left home.

Also, though not 100% sure about this but you would need a line or two in you proxy pac to cover each web browser your clients might use then put a drop firewall rule for orts 80, 8080 etc.

ian

Hi,

I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.

UTM = Transparent Mode also allows port 8080 communication to UTM (like standard mode).

One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.

If you use "Scan HTTP(s)" in XG, it will can be applied on 80/443/3128. If you only use 3128 as service in the rule, the client can only use the standard proxy.

This part my of UTM transparent proxy setup.

Ian

Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.

In transparent mode it only intercepts port 80 connections and - if „Do not proxy HTTPS traffic in transparent mode“ is unchecked on the HTTPS tab -  port 443 connections, too.

Yes it allows the connection TO the UTM so if the browser is configured to use a proxy (a.k.a. ‚Standard Mode‘) the ‚allowed services‘ will still be used to proxy connections.

But if no configuration is made on the client side the ‚allowed services‘ are ignored and only 80/443 is proxied. All other connections will then be seen in the firewall log.

The proxy running in transparent mode can be used in both modes, standard (with client-side configuration) or transparent (without client-side configuration), if the mode is set to standard only the clients with configured proxy will use it. If a port 80/443 connection works without these connections are allowed in the firewall.

Thats the reason, why I‘m more comfortable with the UTM than the XG. The different functions are much more easier to control (in form of reading the LiveLog).

I don‘t like XG‘s concept of ‚one rule for everything‘ (Firewall, Webfilter, IPS,...) very much.

Hi,

while I prefer the UTM the XG has some advantages with the http/s proxy. The UTM has the advantage that it works with blocking ATP and countries where as the XG doesn't.

While you have said you don't like the one rule for everything, the truth is that is not 100% correct. You can setup IP and web filter on a user/group basis which you can't do with the UTM. You can setup rules where users are not configured to use the http proxy.

The it comes to debugging the UTM runs ruins around the XG, the logs have meaningful information.

Ian

"Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.

In transparent mode it only intercepts port 80 connections and - if „Do not proxy HTTPS traffic in transparent mode“ is unchecked on the HTTPS tab -  port 443 connections, too."

You are correct.

Ian