This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

transparent mode and full transparent mode at the same time needed and possible?

We have an existing firewall in transparent mode and need to change the proxy for the client ips to full transparent mode. We also have an exchange server which also is protected by sophos.

We use web filtering for the clients and mail protection for the exchange.

Now my question:

- when I switch to full transparent mode, is the exchange server still protected?

- if not: can you add 2 more NICs for a separate full transparent mode only for the client ips?

- can this new bridge have an IP in the existing network or has it to be different?

Thank you



This thread was automatically locked due to age.
Parents
  • There are very few situations where Full Transparent is useful or appropriate.   It changes which internal source IP is used for the return address.   In most cases, all of your internal addresses are NATtted to a public IP, so the setting is irrelevant.   If you think you have a situation where it matters, please elaborate on the desired end-result.

    To answer your question:   To use transparent web proxy with some clients and full transparent with other clients, you will need two filter profiles.  The filter profile selected based on source IP, so you may need to configure static IP addresses on some clients to ensure that they hit the desired filter profile.

    Different traffic is handled by different proxy functions, generally based on source IP and destination port (for transparent functions) or source IP and destination IP+port for non-transparent functions.   Transparent web proxy handles outbound traffic on ports 80 and 443.   Exchange mail transfer is a non-transparent function handled by the SMTP proxy using ports 25, 465, and 587 (but you should create a DNAT-to-Null rule to block 465 and 587.)   Webmail from the internet should be handled by a WAF site that intercepts incoming port 443 on a designated public IP.   So a change to your transparent web proxy has no effect on other functions.

     

Reply
  • There are very few situations where Full Transparent is useful or appropriate.   It changes which internal source IP is used for the return address.   In most cases, all of your internal addresses are NATtted to a public IP, so the setting is irrelevant.   If you think you have a situation where it matters, please elaborate on the desired end-result.

    To answer your question:   To use transparent web proxy with some clients and full transparent with other clients, you will need two filter profiles.  The filter profile selected based on source IP, so you may need to configure static IP addresses on some clients to ensure that they hit the desired filter profile.

    Different traffic is handled by different proxy functions, generally based on source IP and destination port (for transparent functions) or source IP and destination IP+port for non-transparent functions.   Transparent web proxy handles outbound traffic on ports 80 and 443.   Exchange mail transfer is a non-transparent function handled by the SMTP proxy using ports 25, 465, and 587 (but you should create a DNAT-to-Null rule to block 465 and 587.)   Webmail from the internet should be handled by a WAF site that intercepts incoming port 443 on a designated public IP.   So a change to your transparent web proxy has no effect on other functions.

     

Children
No Data