This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Anyone using UTM in Bridged mode?

There are four possible configurations for UTM:

  1. UTM is the perimeter firewall, supporting all features
  2. UTM is immediately behind the perimeter firewall on a bridged connection, supporting all features
  3. UTM is immediately behind the perimeter firewall on a routed connection, supporting all features
  4. UTM is out-of-band (anywhere else on the intranet), supporting only Standard Proxy and Internal features

Bridged and Routed connections should be functionally identical.   However, inserting UTM into the network using a bridged connection should require no changes to the firewall or the internal router, while inserting UTM into an existing network using a routed connection will require addressing and routing changes on one of the adjacent devices.  So option 3 can be ignored.

I don't want to use UTM as my firewall, and option 4 doe snot support all features, so bridged mode has the most appeal.   On a UTM bridge, the system administrator must specify all of the ethertypes that are supposed to be passed, and I don't know how to determine which ones will be needed.  I did find an RFC with all of them listed, but it is a long list and UTM requites them to be entered one at a time.

My one brief attempt to use a bridged configuration failed miserably, mostly because I could not figure out how to debug problems, and I did not have the luxury of waiting while a support case percolated through Sophos.  The test was at least a year ago, so I don't remember many details, other than that Internet traffic was not flowing properly.   My unused bridge configuration is still preserved in UTM:

  • Ethertypes passed:  8887, 0806, 814c, 8035, 876b
  • Allow arp broadcasts: Yes
  • Allow IPV6:  No (not required)
  • Spanning tree:  Off
  • Aging timeout: 30 seconds (default)
  • Virtual MAC addresss:  default (lowest of member MAC addresses)

Has anyone made bridged mode work?   What settings did you use?   If you tried and failed, do you know why it failed for you?



This thread was automatically locked due to age.
Parents
  • Follow up:  

    I am preparing to try again with Bridged Mode, with UTM still behind another firewall.   With bridge mode enabled, UTM can implement transparent proxies, and the other firewall configuration does not need to change.   If a UTM upgrade creates disaster, I could take it out of the configuration and still have a working network.   The bridge is the only interface that needs to be active.

    The downside to this configuration, per KB# 121221 is that if Transparent AD SSO is used, it needs to hog ports 80 (and presumably 443) on the (only) interface, which disables any ability to use User Portal and SSL VPN on that IP address and port.   The KB article implies that it might even block WAF traffic on one of the interface's additional addresses, which surprises me.

    I am planning to use Transparent Web Proxy primarily to find traffic that is bypassing Standard Proxy.   Some of that traffic will be from servers, and I don't want to break existing functionality by triggering a login prompt.   So the Transparent Proxy will use Authentication None, because reconfiguring that other traffic to another port would be too disruptive to me and to my users.

  • In general, Doug, I change the User Portal to 2443 and SSL VPN to UDP 1443 to avoid any conflict with Web Filtering and WAF.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • And you usually change SSL VPN to UDP.   For the moment, I prefer the loss prevention of TCP over the performance benefit of UDP.

    What about the KB article's reference to conflicts between Transparent SSO and WAF?   I have never configured WAF on an interface's primary address.  Do you know whether Transparent SSO grabs ports 80 and 443 on all interface addresses, or only on the designated interface's primary address?

Reply
  • And you usually change SSL VPN to UDP.   For the moment, I prefer the loss prevention of TCP over the performance benefit of UDP.

    What about the KB article's reference to conflicts between Transparent SSO and WAF?   I have never configured WAF on an interface's primary address.  Do you know whether Transparent SSO grabs ports 80 and 443 on all interface addresses, or only on the designated interface's primary address?

Children
  • I've not seen it written anywhere, but I believe that OpenVPN already does loss prevention in the decryption process.  Google uses UDP 443 for HTTPS traffic between Chrome and its servers, and I have seen the same claim for those SSL conversations.

    Maybe I've not understood that KB.  I guess I would consider it a bug if httpproxy in Transparent mode captured TCP 443/80 traffic aimed at an IP on an interface.  If the admin put a Virtual Server on "DMZ (Address)," for use by clients in "Internal (Network)," I would consider that a misconfiguration.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA