
How can I set up web access via PROXY PORT only?

After a year, I've decided to try Sophos XG again. Currently using UTM 9.5 - which has its issues, but works well.

I am trying to find out how to force all web requests through the proxy port.
Sadly, I'm not getting far with Sophos XG.

If I add a firewall rule allowing HTTP and HTTPS traffic, this works without having to go through the proxy port. This is not what I want; I want users to have to use the proxy on port 3128. From there, I can assign policies and rules depending on which user group they are in. If they try to go through the firewall directly, I want their requests either blocked or (best case) met with a message explaining that they are not authenticated and so may not browse the web.

User authentication will be done by active directory SSO and I intend to set the proxy via a WPAD file.
This was really easy to do with UTM 9.5, but I'm constantly hitting brick walls with Sophos XG.

Here's what I've done so far...

  • Joined XG firewall to domain. AD server appears in authentication > servers
  • Imported desired AD groups into the XG firewall. These groups appear in authentication > groups
  • Set NTLM authentication enabled on the LAN zone
  • Configured my AD server as highest priority in firewall authentication methods
  • Added a firewall rule allowing HTTP and HTTPS to a certain group
  • Added a firewall rule (BOTTOM) denying all access without user identity

Have I missed anything? Can anybody help?

Thanks

  • Found out how to do it, with some experimenting.

    Start with no firewall rules at all, then create a LAN-zone-to-ANY rule with the proxy service, which should be port 3128 (or whatever you've set it to; this service needs to be created manually), and then choose the filtering you want.

    Do not add the HTTP or HTTPS services, as the proxy will handle HTTP, HTTPS, FTP and any other services you've allowed.
    If you do add the HTTP and HTTPS services, then the proxy will also function as both a transparent proxy and a standard proxy.

    From there, you can choose which users you want to authenticate and assign policies to; surprisingly, AD SSO NTLM/Kerberos is working as expected.
    I will continue testing XG Firewall to see if it's a viable UTM replacement.
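The question mentions pushing the proxy to clients with a WPAD file, and the rule set above works only if every browser actually sends its web traffic to port 3128. Below is an added example of such a WPAD/PAC file for this setup; it is not code from the thread, from Someone7272 or from Sophos. The firewall LAN address 192.168.1.1, the proxy port 3128, the internal domain corp.example and the RFC 1918 ranges are placeholder assumptions. It is written in ES5 because older Windows PAC engines do not accept newer syntax, and it carries Node stand-ins for the PAC helper functions (guarded so a browser's own versions take precedence) so the routing decisions can be unit-tested before the file is deployed.

```javascript
// wpad.dat: explicit-proxy PAC file for the rule set described above.
// This is an added example, not code from the thread or from Sophos.
// Assumed (placeholder) values: firewall LAN address 192.168.1.1, web proxy on
// port 3128, AD/internal domain corp.example, internal ranges 10.0.0.0/8 and
// 192.168.0.0/16. Replace them with your own.

var FIREWALL_IP = "192.168.1.1";
var PROXY = "PROXY " + FIREWALL_IP + ":3128";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // The firewall itself (user portal, captive portal page, the WPAD file if it
  // is hosted there) must be reached directly, not through its own proxy.
  if (host === FIREWALL_IP) return "DIRECT";

  // Intranet short names and the AD domain stay direct so that SSO to internal
  // servers is not relayed via the proxy and the web policy does not apply to them.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";

  // RFC 1918 literals stay inside. isInNet on a host *name* makes the browser
  // resolve it first, so only IP literals are expected to hit this branch.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";

  // Everything the web proxy can carry goes to it. Deliberately no "; DIRECT"
  // fallback: the firewall denies direct web traffic anyway, and a fallback
  // would silently bypass the proxy (and its user policies) wherever a
  // direct-allow rule still exists.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") ||
      shExpMatch(url, "ftp:*")) return PROXY;

  // Other schemes cannot be carried by an HTTP proxy; the firewall's bottom
  // deny rule decides what happens to them.
  return "DIRECT";
}

// The helpers below are normally provided by the browser's PAC engine. They are
// re-implemented here, guarded so that a browser's own versions win, only so
// the file can be run and unit-tested in Node outside a browser.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (h) { return h.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (h, d) {
    return h.length >= d.length && h.slice(h.length - d.length) === d;
  };
}
if (typeof shExpMatch === "undefined") {
  // Shell-style glob: '*' matches any run, '?' one character, rest is literal.
  globalThis.shExpMatch = function (s, pattern) {
    var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(s);
  };
}
if (typeof isInNet === "undefined") {
  // Node stand-in: handles dotted-quad literals only (a browser would also
  // resolve host names, which is why the PAC above does not rely on that).
  globalThis.isInNet = function (ip, pattern, mask) {
    var toInt = function (q) {
      var p = q.split(".");
      if (p.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
        n = n * 256 + Number(p[i]);
      }
      return n;
    };
    var a = toInt(ip), b = toInt(pattern), m = toInt(mask);
    if (a === null || b === null || m === null) return false;
    // ">>> 0" keeps the comparison unsigned; a plain "&" goes negative for
    // addresses whose first octet is >= 128 (192.x, 255.x masks).
    return ((a & m) >>> 0) === ((b & m) >>> 0);
  };
}
```

Serve the file as wpad.dat (or point clients at it via DHCP option 252 / Group Policy), and keep the firewall's own address out of the proxy path, otherwise the authentication redirect page is itself fetched through the proxy the user is not yet authenticated to.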

  • Hi Someone7272,

    Thanks for your suggestion, this works for me.

    But I also found something wrong in the rule.

    For example, the web filter doesn't take effect with the rule.

    And RDP (tcp 3389) can't work with XG (as proxy).

    After I add SSH (tcp 22) to the Allowed Destination Ports as follows,

    I still can't connect to the outside SSH server through the XG proxy.

    So the proxy setting may not work in a real environment.

    Any other suggestion about this?

    Thanks~

    Shunze

  • Hi Shunze,

    Web filter policies are working for me with this proxy configuration. Did you remember to select 'Scan HTTP' and 'Decrypt and scan HTTPS' in the proxy's firewall rule?
    If not, then try rebooting the firewall.

    If I'm not mistaken, I don't believe that RDP and SSH* connections can be proxied. You'll need to create a rule to allow these directly through the firewall. The ports you can specify on the proxy destination ports list are NOT for protocol connections, but instead for HTTP/HTTPS/FTP connections running on non-standard destination ports.
    (* In some very specific cases, it may be possible to use an SSH connection via proxy. You'll need to configure your SSH client to use the proxy server, and ensure that the proxy server does allow for this).

    Hope this information was helpful.

  • Thanks Someone7272, it's my fault.

    I forgot to enable the policy status on the web filter.

    After enabling the policy status, it works for me.

    Thanks~