
Sophos XG 19.5 Direct Proxy - user with proxy enabled cannot access the Internet

   I recently deployed a Sophos XG with version 19. I want this Sophos to act as a direct proxy behind the Internet gateway. Below are the interfaces I configured in the FW. User computers are in subnet 192.168.111.0/24; the user computers will be configured with proxy 192.168.111.242 on port 8080. In the LAN there is a Linux host with IP address 172.16.16.17 serving a PAC file for the HTTP proxy used on iOS devices; the iOS devices will be using the HTTP proxy URL "192.168.111.242/proxy.pac". After I created the DNAT below and tested with a proxy-enabled computer accessing the Google site, I never see logs in the log viewer coming from the computer that has the proxy enabled. I only see the traffic logs from 172.16.16.17 going from Port A to Port B to access external (see bottom screenshot highlighted in red), but it works for the 192.168.111.242 DNAT to 172.16.16.17 with HTTP (see bottom screenshot highlighted in blue). Please help to check for any configuration error below; any help would be appreciated.

Port A: 172.16.16.16 (LAN)

Port B: 192.168.111.242 (WAN)

Static routes:

172.16.0.0 / 255.255.0.0   - interface B

192.168.0.0 / 255.255.0.0 - interface B

Firewall rules:

DNAT from Port B to Port A on port 8080

Another DNAT to allow HTTP & HTTPS, since the iPhone needs to be redirected to the Linux host that serves the PAC file: 172.16.16.17 will be translated to "192.168.111.242/proxy.pac"

Firewall Rule (screenshot)

NAT rules (screenshot)

Log viewer (screenshot)
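The PAC file the post describes (served by 172.16.16.17 and reached by the iOS devices through the DNAT as 192.168.111.242/proxy.pac) is never shown in the thread, so here is an added example of what such a file looks like; it is not code from the thread or from Sophos. The proxy address 192.168.111.242:8080 and the two /16 LAN ranges come from the post; the 10.0.0.0/8 exclusion, the `ipv4ToInt` helper and the `selfTest` function are assumptions for illustration. A browser's PAC engine provides `isInNet`, `isPlainHostName` and `dnsDomainIs` itself; the versions defined here are stand-ins so the same file can be exercised offline in Node (the real `isInNet` also resolves hostnames, this stand-in matches IPv4 literals only).

```javascript
// Example PAC file for the topology in the post (added example, not from the thread).
// Deploy as-is on the PAC host; the three helpers below are harmless there because
// the browser's own built-ins take precedence only when ours are absent, so the
// stand-ins are deliberately conservative (IPv4 literals only).

var PROXY  = "PROXY 192.168.111.242:8080"; // Sophos XG direct-proxy listener (from the post)
var DIRECT = "DIRECT";

// Parse a dotted IPv4 literal into a 32-bit number; null for anything else.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Stand-in for the PAC built-in isInNet(host, pattern, mask). Both sides of the
// comparison pass through the same int32 conversion, so values above 2^31 compare correctly.
function isInNet(host, pattern, mask) {
  var h = ipv4ToInt(host), p = ipv4ToInt(pattern), k = ipv4ToInt(mask);
  if (h === null || p === null || k === null) return false;
  return (h & k) === (p & k);
}

// Stand-in for the PAC built-in isPlainHostName(host): true for names without a dot.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for the PAC built-in dnsDomainIs(host, domain): suffix match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function FindProxyForURL(url, host) {
  // Keep the PAC server, the firewall interfaces and every RFC 1918 range off the proxy,
  // otherwise fetching proxy.pac itself would depend on the proxy it configures.
  if (isPlainHostName(host) || host === "localhost" || dnsDomainIs(host, ".local")) return DIRECT;
  if (isInNet(host, "172.16.0.0", "255.255.0.0"))  return DIRECT; // Port A side (from the post)
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return DIRECT; // Port B side (from the post)
  if (isInNet(host, "10.0.0.0", "255.0.0.0"))      return DIRECT; // assumption: spare private range
  if (isInNet(host, "127.0.0.0", "255.0.0.0"))     return DIRECT;

  // Only web schemes go to the proxy; the XG web proxy does not carry other protocols.
  if (!/^https?:/i.test(url)) return DIRECT;

  // No "; DIRECT" fallback on purpose: if the proxy is down the browser must fail,
  // not silently bypass logging and filtering via the clients' default gateway.
  return PROXY;
}

// Offline check of the decisions above; returns a map of URL -> verdict.
function selfTest() {
  var cases = [
    ["http://www.google.com/",            "www.google.com"],
    ["https://www.google.com/",           "www.google.com"],
    ["http://172.16.16.17/proxy.pac",     "172.16.16.17"],
    ["http://192.168.111.242/proxy.pac",  "192.168.111.242"],
    ["ftp://ftp.example.org/pub/",        "ftp.example.org"],
    ["http://intranet/",                  "intranet"]
  ];
  var out = {};
  for (var i = 0; i < cases.length; i++) out[cases[i][0]] = FindProxyForURL(cases[i][0], cases[i][1]);
  return out;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(selfTest());
}
```

Two practical points follow from the topology in the post. An explicit (direct) proxy only sees traffic a client chooses to send to it: with the clients' default gateway at 192.168.111.1 rather than at the XG, any host that drops the proxy setting reaches the Internet with no log entry at all, so the upstream gateway should block outbound 80/443 from 192.168.111.0/24 except from 192.168.111.242. And the log-viewer symptom in the post (only 172.16.16.17 appears) is exactly what you see when clients fetch the PAC through the DNAT but their subsequent web requests never arrive at port 8080, so the first thing to confirm from a client is a TCP connection to 192.168.111.242:8080 before looking at routes.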



  • Hello Chi, 

    Thanks for reaching out to Sophos Community and hope you are well. 

    To clarify, your configuration of using Sophos Firewall as a standard proxy works, and what you want is to see logs coming from the users, as you can only see logs coming from 172.16.16.17?

    Also, would you be kind enough to share at least a high-level diagram of the traffic flow you have? To my understanding 172.16.16.17 is a Linux server hosting the PAC file the mobile users fetch; or are there also other functions on this server?

    Kindly let us know of the details. Thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Please find below the high-level diagram. I was using a client computer 192.168.111.3 with the proxy configured in the browser and tried accessing Google, but it was not accessible. I checked in the log viewer and only see logs from source 172.16.16.17. To confirm, 172.16.16.17 is only serving the PAC file for mobile users; there is no other function running on it. Just to confirm how the client computer can access the Internet via the proxy setting, is there any misconfiguration in the routing? Thanks a lot for your help on this.

  • The proxy does not process NTP unless you have added that port to the proxy list. Why are you trying to put it through the proxy? It is not a web protocol.

    ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA


  • Hello Chi, 

    Thanks for providing this. Are your Port A (172.16.16.16) and Port B (192.168.111.242) in the same zone, which is LAN? If yes, the setup would not have a default gateway; one of them should be WAN to have a default gateway (192.168.111.1).

    And is there any use case for why the Linux server and Port A are in operation, rather than being configured on the 192.168.111.0/24 network, so as to simplify your setup and traffic flow?

    Also, was this a previously working config or a newly added setup? If this is a new setup, I may recommend you also consult your local Sophos partner/SE for guidance and assistance with regard to your use case.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hello,

    This is your fourth post related to this. We have asked you not to duplicate posts and told you in other channels that you need to reach out to your Sales Engineer or Professional Services for assistance with this.

    I am now moderating your account.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support