Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to implement standard proxy

Hi there,

is there any possibility to define the web proxy as a standard proxy and not allowing traffic through transparent intercepting for http?

I know you can set the browser to the configured web proxy port, but I miss somewhere a checkmark in the policy rules to allow only traffic through the standard web proxy. 

Kind regards

Achim



This thread was automatically locked due to age.
Parents
  • From memory you need to setup a proxy pac file so that the users are forced to use the standard proxy which is on a different port to the transparent proxy. Not sure how you distribute the pac file because the DHCP server on the SF-OS is very neutered. You would need a more sophisticated DHCP server that can handle option.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,
    that would be a solution for distributing centrally exceptions, and automatically inserting the proxy in the browser, but the limitiaion is that other programs who are not aware of pac files would go through the transparent proxy, which is under some circumstances not allowed/wanted. I think of viruses, trojans or other programs which are per policy not allowed to talk with the internet, and so on. #
    Ok it would be possible to set an application rule, which only allows the default apps, but what about the others, which are not in the database?

    Kind regards

    Achim
Reply
  • Hi Ian,
    that would be a solution for distributing centrally exceptions, and automatically inserting the proxy in the browser, but the limitiaion is that other programs who are not aware of pac files would go through the transparent proxy, which is under some circumstances not allowed/wanted. I think of viruses, trojans or other programs which are per policy not allowed to talk with the internet, and so on. #
    Ok it would be possible to set an application rule, which only allows the default apps, but what about the others, which are not in the database?

    Kind regards

    Achim
Children
  • Hi Achim,
    the transparent proxy will also catch the same bug as the full proxy, but I expect your exception list for each will be different going on the UTM. The other alternative is only allow traffic through the proxy by blocking all other traffic with a disallow policy, but what happens to traffic that is not proxied, like ftp, voip, netflix, etc? You shouldn't be just relying on the proxy, SF-OS has number of other tools that work to improve the overall security.
    You will have to enable ATP in general, plus IDS/IPS and of course anti-virus (dual) which should cover all the bugs and nasties, well lots...
    A bit of a ramble, but a number of ideas.
    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.