What do you recommend?
Using Transparent or Non-Transparent Proxy mode?
Thanks in advance:
Dwayne Parker
I don't understand the setup completely. 192.168.1.1 is the XG's LAN side and 192.168.1.2 is an alias of the XG on the same interface where all traffic should be routed to, to act as what?
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
OK. 192.168.1.2 is actually a dedicated and separate appliance. Could be virtual. Could be hardware. But the sole purpose of that appliance is to decrypt HTTPS and scan HTTP, HTTPS, FTP and SOCKS traffic. It is not the firewall, which, in my example, is 192.168.1.1.
Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or configure it in the Windows Control Panel under "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
In transparent proxy mode, your firewall takes care of this and redirects HTTP, HTTPS, FTP and SOCKS traffic towards that appliance in such a way that no setup is required on desktops.
In UTM it should be scanned at the firewall level. One might consider this as transparent proxy as well. But I have yet to see a single firewall vendor achieving it properly.
Paul Jr
Big_Buck said: Typically, to make this work in non-transparent proxy mode, you have to set up a GPO in Active Directory, or configure it in the Windows Control Panel under "Internet Options, Connections, LAN Settings". In other words, you have to tell your computer that the way out of your network for that traffic is not the firewall, but the web proxy instead.
You could distribute a central proxy.pac or wpad.dat link via DHCP or DNS to achieve that.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
Yes. Been there. Done that. But no one wants to maintain a Java-enabled server just for that archaic purpose that's very creative at failing. Particularly in environments with many internal subnets and one or more corporate VPNs. Web browsers get confused about the real gateway, and exceptions in the "Internet Configuration" often fail. And that requires unproductive baby-sitting.
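As an added example (not from this thread or from any of the posters), this is what the central proxy.pac that Kevin suggests could look like for the setup described above, with the internal-subnet and VPN exceptions that Paul Jr says are error-prone written out explicitly rather than left to per-browser "Internet Options" exception lists. The proxy port 3128, the internal DNS suffix corp.example and the choice to exclude all RFC 1918 ranges are assumptions; only the firewall 192.168.1.1 and the appliance 192.168.1.2 come from the thread. The PAC built-ins (isPlainHostName, dnsDomainIs, isInNet) are supplied by the browser at runtime; the stand-ins defined here exist only so the file can be checked offline in Node before it is published via DHCP or DNS.

```javascript
// proxy.pac for the thread's scenario (constructed example).
// Assumed: firewall 192.168.1.1, web proxy appliance 192.168.1.2 listening on
// port 3128 (port is an assumption), internal DNS suffix ".corp.example".

// Stand-ins for the PAC built-ins, only defined when a browser has not already
// provided them, so the same file runs unchanged in Node for offline testing.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet === "undefined") {
  globalThis.isInNet = function (ip, pattern, mask) {
    // Convert dotted quad to an unsigned 32-bit number; null on malformed input.
    var toInt = function (s) {
      var parts = s.split(".");
      if (parts.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        var octet = Number(parts[i]);
        if (!Number.isInteger(octet) || octet < 0 || octet > 255) return null;
        n = n * 256 + octet;
      }
      return n;
    };
    var a = toInt(ip), b = toInt(pattern), m = toInt(mask);
    if (a === null || b === null || m === null) return false;
    // ">>> 0" keeps the masked values unsigned so high addresses compare correctly.
    return ((a & m) >>> 0) === ((b & m) >>> 0);
  };
}

// True when the host part of the URL is a literal IPv4 address. We only apply
// subnet checks to literals: calling dnsResolve() from a PAC is slow, blocks the
// browser and is a common source of the "confused gateway" behaviour in the thread.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

var PROXY = "PROXY 192.168.1.2:3128";
var DIRECT = "DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Unqualified intranet names and localhost never leave the LAN.
  if (isPlainHostName(host) || host === "localhost") return DIRECT;

  // 2. Anything under the internal DNS suffix stays direct (assumed suffix).
  if (dnsDomainIs(host, ".corp.example")) return DIRECT;

  // 3. Private and loopback address literals, including subnets only reachable
  //    over the corporate VPN, are routed by the firewall, not by the proxy.
  if (isIpLiteral(host) && (
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return DIRECT;
  }

  // 4. Only the schemes the appliance scans are sent through it. No "; DIRECT"
  //    fallback is appended: if the appliance is down, browsing fails closed
  //    instead of silently bypassing HTTPS decryption and scanning.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https" || scheme === "ftp") return PROXY;

  return DIRECT;
}
```

Publishing the file via the DHCP option 252 / WPAD DNS record Kevin mentions means the exception list lives in one place; the fail-closed choice in step 4 is deliberate, since appending "; DIRECT" would let the appliance's outage turn into an inspection bypass that nobody notices.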