Use Transparent Proxy or Non-Transparent Proxy?

Hi Dwayne,

as ManBearPig advised you need to setup a proxy.pac file that automatically loads or is loaded on the each machine when it tries to aces the interior at boot time.

I tried hardcoding the proxy details into IE and FF, but that failed when the laptops left home.

Also, though not 100% sure about this but you would need a line or two in you proxy pac to cover each web browser your clients might use then put a drop firewall rule for orts 80, 8080 etc.

ian

Hi,

I'm not quite sure if it is the same with XG, but on UTM the transparent mode only covers two ports (if activated), http and https.

UTM = Transparent Mode also allows port 8080 communication to UTM (like standard mode).

One more thing, how to configure XG to use only non-transparent mode? I can't find it anywhere in the handbook.

If you use "Scan HTTP(s)" in XG, it will can be applied on 80/443/3128. If you only use 3128 as service in the rule, the client can only use the standard proxy.

This part my of UTM transparent proxy setup.

Ian

Just to clarify.  My understanding of a transparent proxy is that your local border firewall - let's says 192.168.1.1 - port forwards http (80), https (443), ftp (21/22) and sometime SOCKS traffic towards a dedicated WEBserver, lets say 192.168.1.2.  Like WEBSense, TitanHQ, Bluecoat, Spywall, or others.

Some answers here suggest firewalls scanning directly http (80), https (443), and ftp (21/22) traffic is a transparent proxy.  In others words, as long as there is no setup on users' WEB browsers, (PAC file, GPO, ET.c.) - dedicated WEB filtering appliance or not - it is considered transparent proxy.

That said. what I do not like with non-transparent proxy, is that the firewall reports all WEB traffic as being done by the WEB appliance admin user.  Forcing manager to navigate both firewalls and WEB appliance logs, trying to make sens out of it.  Colossal waste of time.  Also, non transparent is somewhat unreliable, and requires tons of setups.  Pac files, GPO, scripts, name it.

Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.

In transparent mode it only intercepts port 80 connections and - if „Do not proxy HTTPS traffic in transparent mode“ is unchecked on the HTTPS tab -  port 443 connections, too.

Yes it allows the connection TO the UTM so if the browser is configured to use a proxy (a.k.a. ‚Standard Mode‘) the ‚allowed services‘ will still be used to proxy connections.

But if no configuration is made on the client side the ‚allowed services‘ are ignored and only 80/443 is proxied. All other connections will then be seen in the firewall log.

The proxy running in transparent mode can be used in both modes, standard (with client-side configuration) or transparent (without client-side configuration), if the mode is set to standard only the clients with configured proxy will use it. If a port 80/443 connection works without these connections are allowed in the firewall.

Thats the reason, why I‘m more comfortable with the UTM than the XG. The different functions are much more easier to control (in form of reading the LiveLog).

I don‘t like XG‘s concept of ‚one rule for everything‘ (Firewall, Webfilter, IPS,...) very much.

Hi,

while I prefer the UTM the XG has some advantages with the http/s proxy. The UTM has the advantage that it works with blocking ATP and countries where as the XG doesn't.

While you have said you don't like the one rule for everything, the truth is that is not 100% correct. You can setup IP and web filter on a user/group basis which you can't do with the UTM. You can setup rules where users are not configured to use the http proxy.

The it comes to debugging the UTM runs ruins around the XG, the logs have meaningful information.

Ian

manbearpig said:

There is a difference between standard and transparent proxy in the "DNS handling" of the clients.Standard proxy = your client can only resolve the internet in the HTTP connect phase via proxy port. Transparent proxy = your client tries to resolve the target server via DNS port 53.

Big_Buck said:

for example, From: LAN, 192.168.1.0/24, HTTP, HTTPS, FTP --- to --- WAN, ANY, HTTP, HTTPS, FTP --- port forward to --- 192.168.1.2.

Where 192.168.1.2 is the arbitrary address of a WEB gateway.  And 192.168.1.0/24 being the internal network.  8 (eight) hours of Sophos professionnal service have proven unable to setup something as basic as that.  Easily done on $100 chinese firewalls.

It could be possible in command line maybe ...

"Take a look at the online help of the UTM. The services you define will only be covered in the standard mode.

In transparent mode it only intercepts port 80 connections and - if „Do not proxy HTTPS traffic in transparent mode“ is unchecked on the HTTPS tab -  port 443 connections, too."

You are correct.

Ian

The use of "conditional" in your sentence is judicious. Policy routing should work.  But it does not. I was trying to figure this out for months.  With Sophos support senior engineers in Boston.  If you noticed I have written Senior EngineerS.  Meaning many.  They had contradictory opinion on this.  So we set up things only to destoy it and try something else the week after.  The only benefit here was to show me options I would have never otherwise tested.  But again, that's because this XG firewall is in infancy and is growing weird.  Why can't we simply do port forwarding on that "god dam" device like we can do on $100 "Home Office" Chinese router ??? PFSense ? and all other firewalls I can imagine of ? I have never tested a firewall that cannot do it easily before.