What do you recommend?
Using Transparent or Non-Transparent Proxy mode?
Thanks in advance:
Dwayne Parker
manbearpig said:
There is a difference between standard and transparent proxy in the "DNS handling" of the clients. Standard proxy = your client can only resolve the internet in the HTTP CONNECT phase via the proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.
Big_Buck said:
For example: From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.
Where 192.168.1.2 is the arbitrary address of a web gateway, and 192.168.1.0/24 is the internal network. 8 (eight) hours of Sophos professional service have proven unable to set up something as basic as that. Easily done on $100 Chinese firewalls.
It could be possible in command line maybe ...
Please send me Spam gueselkuebel@sg-utm.also-solutions.ch
I don't understand the setup completely. 192.168.1.1 is the XG's LAN side and 192.168.1.2 is an alias of the XG on the same interface where all traffic should be routed to, to act as what?
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
OK. 192.168.1.2 is actually a dedicated and separate appliance. Could be virtual. Could be hardware. But the sole purpose of that appliance is to decrypt HTTPS, and scan HTTP, HTTPS, FTP, SOCKS traffic. It is not the firewall, which, in my example, is 192.168.1.1.
Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or in the Windows Control Panel's "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
In transparent proxy mode, your firewall takes care of this and redirects HTTP, HTTPS, FTP, SOCKS traffic towards that appliance in such a way that no setup is required on desktops.
In UTM it should be scanned at the firewall level. One might consider this as transparent proxy as well. But I have yet to see a single firewall vendor achieve it properly.
Paul Jr
Big_Buck said: Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or in the Windows Control Panel's "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
You could distribute a central proxy.pac or wpad.dat link via DHCP or DNS to achieve that.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
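To make the proxy.pac / wpad.dat approach concrete, here is an added example of such a file; it is not from this thread, from Sophos, or from any poster. The gateway address and port (192.168.1.2:8080), the internal subnets and the intranet domain `.corp.example` are constructed placeholders, and the `isInNet`, `dnsDomainIs` and `isPlainHostName` stand-ins are only there so the file runs under Node (browsers supply their own). It addresses the "many internal subnets and a corporate VPN" case by keeping internal names and ranges DIRECT while sending all other HTTP, HTTPS and FTP requests to the scanning appliance:

```javascript
// Added example (not from the thread): a proxy auto-config (PAC) script of the
// kind a wpad.dat / proxy.pac link points clients at. The gateway address and
// port, the internal subnets and the intranet domain are constructed
// placeholders. Written in ES5 because the Windows (WinINET/WinHTTP) PAC engine
// does not understand newer JavaScript.
//
// Browsers provide isInNet(), dnsDomainIs() and isPlainHostName() themselves.
// The stand-ins below exist only so the file runs stand-alone under Node;
// strip them before deployment so the browser's own helpers are used.

var WEB_GATEWAY = "PROXY 192.168.1.2:8080";  // dedicated scanning appliance (port assumed)
var INTERNAL_SUBNETS = [                      // [network, netmask] pairs that stay on the LAN
  ["192.168.1.0", "255.255.255.0"],
  ["10.0.0.0", "255.0.0.0"]
];
var INTRANET_DOMAIN = ".corp.example";        // assumed internal / VPN-reachable domain

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = n * 256 + Number(parts[i]);
  }
  return n >>> 0;
}

// Stand-in for the browser's isInNet(). It only accepts IP literals, so a
// hostname it cannot resolve never accidentally matches an internal range.
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return false;
  }
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Stand-in for the browser's dnsDomainIs(): true when host ends with domain.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Stand-in for the browser's isPlainHostName(): true for single-label names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Entry point the client calls for every request.
function FindProxyForURL(url, host) {
  // Loopback and single-label intranet names never go through the gateway.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // Names under the internal domain (e.g. reached over the corporate VPN) stay local.
  if (dnsDomainIs(host, INTRANET_DOMAIN)) {
    return "DIRECT";
  }
  // IP-literal destinations inside an internal subnet stay local.
  for (var i = 0; i < INTERNAL_SUBNETS.length; i++) {
    if (isInNet(host, INTERNAL_SUBNETS[i][0], INTERNAL_SUBNETS[i][1])) {
      return "DIRECT";
    }
  }
  // Everything else (http, https and ftp alike) goes to the scanning gateway.
  // Deliberately no "; DIRECT" fallback: if the gateway is down, clients fail
  // closed rather than silently bypassing inspection.
  return WEB_GATEWAY;
}
```

Two design choices matter here. First, the return value has no `; DIRECT` fallback, because a fallback would let every client quietly bypass the scanning appliance whenever it is unreachable, which is exactly the condition an operator most wants to notice. Second, the DIRECT exceptions are driven by the internal domain and explicit subnet list rather than by guessing the "real gateway", which is where browsers get confused when there are many internal subnets or a VPN in play; keeping that list in one centrally served file is the point of distributing it via DHCP or DNS instead of per-desktop settings.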
Yes. Been there. Done that. But no one wants to maintain a Java-enabled server just for that archaic purpose that's very creative at failing. Particularly in environments with many internal subnets, and one or more corporate VPNs. Web browsers get confused about the real gateway, and exceptions in the "Internet Configuration" often fail. And that requires unproductive baby-sitting.