internal Proxy Usage from other (DMZ) Networks

Question

Hello community, 
 I have a problem understanding the usage of the internal UTM (9.4) proxy from other UTM Networks. 
 My setup: 
 
 Internal LAN (192.x) 
 DMZ Server (172.16.1.x) 
 DMZ WLAN (172.16.2.x) 
 
 The Web Protection is enabled: 
 
 allowed Networks: internal only 
 Standard mode 
 AD SSO Authentification 
 block accees with no athentification enabeld 
 
 All other Networks are in tranparent mode with different guidelines 
 I have no additonal Packet Filter rules in the two DMZ Networks, only DMZ ->allow-> DNS, everything is handled by the proxy 
 I have no additional surfing (http/https) rules for the internal LAN (everything is handled by the proxy) 
 And here it comes: 
 I worked on a Server in the DMZ Network and wondered if the Server can Access the internet without a DNS packet Filter rule&hellip;. 
 I attemped to connect to an internal WebServer and it works&hellip; 
 I couldnt believe it and i checked the Server proxy settings and i saw that a colleague has setup the internal proxy settings (192.168.x.x Port 80xx) to the DMZ Server (172.16.x.x) 
 This makes it possible to surf and connect to the internal Server&hellip;.without any rule or other settings&hellip;.(DNS, etc) 
 
 So how can i prevent the usage oft the standard internal Proxy (192.) from other Networks ? I thought the Web Protection allowed Networks is the key, but it isnt&hellip; 
 
 BG 
 
 mwie

DouglasFoster · Answer

UTM does not have security zones, so DMZ security gets complicated. See the wiki for additional info. 
 Short version: 
 You need to add a rule in the DMZ filter action(s) to block internal I.P. addtesses and internal host names.. 
 Alsi add a firewall rule to block UDP 443 so that Chrome does not evade your web filter.