
How to Configure Standard Proxy Mode on AWS Sophos Outbound Web Proxy

I just finished installing and configuring UTM using the Sophos Outbound Web Proxy AWS quickstart. I am able to log in to the testing instance and use the transparent proxy successfully (e.g. blocked sites block, whitelisted sites go through). However, for my POC I would like to configure a standard proxy instead of the transparent proxy. I cannot seem to find any documentation on how to configure this, other than changing the Operation mode on the Web Filtering from "Transparent" to "Standard"...

Once changing that setting, the proxy should be available on port 8080, right?   What is the endpoint that I point clients to?  Should I point them at the OGW1? Should I point them at the UTM Workers?  Do I create an ELB listening on 8080 and redirect that somewhere?   I am happy to follow a guide or documentation, but I have been searching for hours and can't seem to find one.

Any help would be appreciated.



  • Hi and welcome to the UTM Community!

    I interpret "Outbound Web Proxy" as referring to 'Web Filtering' - correct?  Where are the clients - in a VPC?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I am referring to web filtering, the idea is to use this as an outbound proxy for many separate (but networked) VPCs across separate AWS accounts.  The other accounts are peered with the Sophos VPC, and have no outbound internet access otherwise.

    I was able to figure out that the UTM Workers were listening on 8080, but the security group created by the setup script didn't open that port. I manually configured the security group and then pointed a remote VM to use the proxy (e.g. $ export HTTPS_PROXY=http://10.15.x.x:8080). This worked and I was able to progress my testing.

    My question then becomes: What are the best practices for this use case? Is there documentation on how to configure this, because I just had to figure it out myself. If no docs then these questions:

    1) Since the Workers are autoscaling, should I configure an Application Load Balancer in front of the workers, and forward traffic to Workers, or is there a better way to configure HA?

    2) Are the Outbound Gateways (OGW1 & OGW2) unnecessary in my configuration, and can I remove them?

    3) I manually overrode the security group config to open port 8080, but the appliance has a setting that periodically overrides the manual setting. I can turn off the Security Group management, but that seems to be insecure. Is there a way to configure the appliance to create the correct SG setup on its own?


  • I haven't seen such a document mentioned, but you might try a Google on site:community.Sophos.com/kb UTM AWS

    1) Seems reasonable, but I haven't done it.

    2) I'm not sure what question you're asking.

    3) In AWS, I prefer to use a wide-open Security Group and do all Allowing/Blocking in the UTM instance itself.

    Cheers - Bob
    PS One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to their question without starting a new thread that's already been answered. Also, I'll move this thread to the UTM on AWS forum as it seems like this is more about that than UTM Web Filtering.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    It depends on how you would like to use the web proxy. You could use the web proxy in transparent mode (client proxy configuration not needed) or standard mode (client proxy configuration needed). For transparent mode, the main thing needed is to import the UTM's certificate as a trusted certificate on the client, and the UTM will perform transparent filtering without the client's knowledge. Here's a quick start guide that covers using the OGW in a transparent mode scenario - https://aws.amazon.com/quickstart/architecture/sophos-outbound-web-proxy/

    For the standard mode, it is best to use the IP of the controller when you configure your clients, as the controller is more static while the workers are transient (they could cease to exist at any time depending on the load). In this case, you will need to open the proxy port (default 8080) as you did. The downside is that the controller is a single appliance and you don't have auto-scaling, but it all depends on your architecture and what you want in your environment.

    Thanks.
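Two points in this thread lend themselves to a quick pre-flight check: the poster found that the quickstart-managed security group did not expose TCP/8080, and the last reply says standard mode needs that port opened toward the clients. The script below is an added example, not code from the thread, Sophos or AWS. It reads the JSON shape that `aws ec2 describe-security-groups` returns, reports which peered client VPC CIDRs are not covered by an ingress rule for the proxy port, and builds a least-privilege rule scoped to those CIDRs instead of a wide-open group. It also produces the HTTP_PROXY/HTTPS_PROXY/NO_PROXY settings a client would export, pointing at the controller address as the reply recommends. The group ID, addresses and CIDRs are constructed placeholders, and `client_proxy_env`, `unreachable_clients` and `least_privilege_rule` are names chosen here.

```python
"""Pre-flight check for UTM standard-proxy mode on AWS (added example).

Inputs are the JSON returned by `aws ec2 describe-security-groups`
(constructed sample below) and the CIDRs of the peered client VPCs.
"""
import ipaddress
import json

PROXY_PORT = 8080  # default standard-mode proxy port mentioned in the thread

# Constructed sample: a managed security group that was reset and lost the
# proxy rule for one of the peered VPCs. Group ID and CIDRs are placeholders.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-PLACEHOLDER",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.15.0.0/16"}]},
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.15.0.0/16"}]},
        ],
    }]
})


def networks_allowing_port(sg_json, port, proto="tcp"):
    """Return the CIDR networks whose ingress rules cover `port`/`proto`."""
    allowed = []
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            ip_proto = perm.get("IpProtocol")
            if ip_proto == "-1":          # "all traffic" rule: every port
                covers = True
            elif ip_proto == proto:       # port-range rule for this protocol
                covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
            else:
                covers = False
            if covers:
                allowed.extend(ipaddress.ip_network(r["CidrIp"])
                               for r in perm.get("IpRanges", []))
    return allowed


def unreachable_clients(sg_json, client_cidrs, port=PROXY_PORT):
    """Client networks not fully contained in any ingress rule for the port."""
    allowed = networks_allowing_port(sg_json, port)
    missing = []
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            missing.append(cidr)
    return missing


def least_privilege_rule(client_cidrs, port=PROXY_PORT):
    """One IpPermissions entry scoped to the peered VPCs rather than 0.0.0.0/0."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "UTM standard proxy"}
                     for c in client_cidrs],
    }


def client_proxy_env(controller_ip, port=PROXY_PORT,
                     no_proxy=("localhost", "127.0.0.1", "169.254.169.254")):
    """Environment a client exports to use the controller as its proxy.

    NO_PROXY keeps loopback and the EC2 metadata address off the proxy.
    """
    url = f"http://{controller_ip}:{port}"
    return {"HTTP_PROXY": url, "HTTPS_PROXY": url, "NO_PROXY": ",".join(no_proxy)}


if __name__ == "__main__":
    peered = ["10.15.0.0/16", "10.20.0.0/16"]      # constructed client VPCs
    gaps = unreachable_clients(SAMPLE_SG_JSON, peered)
    print("clients without TCP/%d ingress: %s" % (PROXY_PORT, gaps))
    print("suggested rule:", json.dumps(least_privilege_rule(gaps)))
    print("client env:", client_proxy_env("10.15.0.10"))  # placeholder controller IP
```

Run it against real output by replacing `SAMPLE_SG_JSON` with the text of `aws ec2 describe-security-groups --group-ids <id>`; the point of `least_privilege_rule` is that the managed group can be corrected with a rule limited to the peered VPC ranges, so the quickstart's group management does not have to be disabled and the proxy port is never exposed wider than the client networks.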