This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS Proxy option for Web Filter

Is it possible to enable HTTPS for the Web Filter Proxy?

At the moment it's only possible to use HTTP for the CONNECT command. When using the Web Filter authentication features any token / credentials is transmitted in clear-text via the network.



This thread was automatically locked due to age.
Parents
  • Your question is confusing.

    I think you are referring to the URL used to retrieve the Proxy Configuration Script from an internal webserver, prior to connecting to an external web server using Standard Mode web filter and that proxy script.   (The source can be UTM but can be any internal webserver).   The internal webserver would typically be chosen to use either no authentication or NTLM transparent authentication.   Either way, there should be no clear-text password transmission.    If your proxy script webserver currently requests authentication using basic mode, you should change your webserver configuration.

    It may be possible to retrieve a proxy script using an HTTPS URL.   I do not think I have tried, and I do not see any reason to do so, as it will add unwanted overhead.

    Other than retrieving the proxy script, the protocol (http or https) is determined by the site that you are trying to reach.  This is the case for either Standard Mode or Transparent Mode.

Reply
  • Your question is confusing.

    I think you are referring to the URL used to retrieve the Proxy Configuration Script from an internal webserver, prior to connecting to an external web server using Standard Mode web filter and that proxy script.   (The source can be UTM but can be any internal webserver).   The internal webserver would typically be chosen to use either no authentication or NTLM transparent authentication.   Either way, there should be no clear-text password transmission.    If your proxy script webserver currently requests authentication using basic mode, you should change your webserver configuration.

    It may be possible to retrieve a proxy script using an HTTPS URL.   I do not think I have tried, and I do not see any reason to do so, as it will add unwanted overhead.

    Other than retrieving the proxy script, the protocol (http or https) is determined by the site that you are trying to reach.  This is the case for either Standard Mode or Transparent Mode.

Children
  •  

    Thanks for your fast reply and sorry for not being so clear.

     

    The "regular" workflow of a Proxy communication between a client and the target is

    1. Client -- CONNECT <URL> --> <Sophos>:8080 ---> <Host of URL>

    2. Client --> <Host of Url> (via Sophos:8080)

    3 ..

    My question was about the transport security security of the first "CONNECT" request. As you can see from the wireshark screenshot, the traffic is not encrypted and I cannot find an option in the Sophos UTM to encrypt this communication between the client and sophos:8080

     

    I hope this helps for your understanding.

  • Hi and welcome to the UTM Community!

    You're correct, there is no such option.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA