This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos proxy internet access / firewall rules

Hello,

i have a question regarding Sophos proxy internet access / firewall rules,

I have on eth2 my VPN Router in a DMZ. The Router connects via OpenVPN Client to the Internet.

Eth2 DMZ Config

10.0.0.1 / 24

Default GW: 10.0.0.3 (OpenVPN Router)

Multipath Rule:

Internal Network – Any – Internet IPv4 – By Interface – DMZ VPN

When I access the Internet from my LAN Devices I can browse Internet over the OpenVPN Router in the DMZ, this works fine. But my questions are:

  1. In the Firewall Rule is the Standard Web Surfing Group with the Services:

http 80, https 443, http proxy 8080, http web cache 3128 included.  Under allowed services is also http, https and http proxy included.

Means this now, that when a LAN Client access a Website, the client directly accesses the website while in the allowed target services http, https, and http proxy 8080 are defined? Should it for security reasons not be that the client asks the Proxy, and the Proxy connects to the Website? 

  1. I saw under Network Protection – Advanced the possibility to activate an Generic Proxy, in which scenario would this be useful?

 

Thanks a lot!

Best Regards

Sally



This thread was automatically locked due to age.
Parents
  • Hi Sally,

    I edited your post and removed all of the extra blank lines so that I could read what you posted.  Just because you know what you said doesn't mean it's immediately clear to the rest of us.

    Doug's Wiki post, Securing and Configuring Web Filtering, might help you understand the difference between the use of the "Web Surfing" group and 'Allowed Target Services'.

    A Generic Proxy is not what you want.  From the context-sensitive on-line Help:

    A generic proxy, also known as a port forwarder, combines both features of DNAT and masquerading, forwarding all incoming traffic for a specific service to an arbitrary server. The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the interface for outgoing connections. In addition, the destination (target) port number can be changed as well.

    Cheers - Bob
    PS After all, this is a question about Web Protection, so I'll move it to that forum.  Let me know if you want me to move it back here.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  •  

     

     

    Hi BAlfson,

     

    thank you for sending me the article, and the information regarding the generic proxy. I have yet https decrypt / scan working with transparent proxy. When downloading the Proxy CA with PKCS#12 / Password and import it to Iphone, i was still getting ssl errors on the iphone. Then i downloaded the proxy ca cert as pem and imported it to iphone now its working. For Firefox i had to import the cert manually till the ssl errors where gone. Now browsing with Edge, Firefox, Chrome on MAC / Iphone / Windows is working...:)

     

     

    Now i read that the most secure option would be, use standard Proxy and as Fallback Transparent Proxy. I went to Web Filter Profiles - created new Profile with Standard Mode - Authentication None https decrypt and scan enabled. 

     

    Added then the UTM IP / 8080 to Firefox Network Proxy Manual, and can access Internet, works.

    How do I have to configure the Fallback Option, is Fallback like if I don’t enter the Proxy Config to the Browser, that the devices then anyhow access Internet via Transparent Profile, or where can I set this?

     

     

    Thx

    Sally

  • I usually set the Default Profile in Transparent mode and make it more-restrictive, but that up to you.  Yes, if the browser isn't configured to use the Proxy, it's requests will be handled by the Profile in Transparent mode.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If in this configuration with Standard Proxy and Transparent Proxy some application not work, like Update or cannot reach direct a server outside, will be the first step to check on the Transparent Proxy and define an exception there?

     

    For example Youtube Videos are not working on iPhone 6. Checked with Youtube App and Website. When starting the Videos I get an error message, saying I should try again later. Youtube on the PC is working. Checked here in the Forum and added this Exception to the Transparent Proxy:

    Skiped all Checks: Authentication / Caching / Block by download size / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check / Accessed pages / Blocked pages / Do not display Download/Scan progress page

     

    Exceptions:

    ^http://[A-Za-z0-9.-]+\.googlevideo\.com/videoplayback
    ^http://[A-Za-z0-9.-]+\.youtube\.com/videoplayback
    ^http://[A-Za-z0-9.]+\.googlevideo\.com/videoplayback
    ^http://[A-Za-z0-9.]+\.youtube\.com/videoplayback
    ^http://[a-za-z0-9.-]+\.youtube\.com/videoplayback
    ^http://[A-Za-z0-9.]+\.gdata\.youtube\.com/
    ^http://[A-Za-z0-9.]+\.googlevideo\.com/
    ^https?//[A-Za-z0-9.]*youtube\.com
    ^https?://[A-Za-z0-9.]+\.googlevideo\.com
    ^https?://[A-Za-z0-9.]+\.googlevideo\.com/videoplayback
    ^https?://[A-Za-z0-9.]+\.youtube\.com/videoplayback
    ^https?//[A-Za-z0-9.]+\.youtube\.com
    youtube.com
    https?//youtube.com

    But still, the youtube videos on iPhone are not playing. Then I deactivated the Standard Proxy, still same result. But when switching back from decrypt / scan to only url filtering the videos work..

     

    Also what for me is not yet clear is, how can I force the Standard Proxy to all devices? When I see under Filtering Options - Misc - Auto Proxy Config , do I just have to mark Enable Auto Proxy Config, to push this to all the Clients? 

     

    Thx

    Sally

  • Please refer to Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    It sounds like you're on the right track.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

     

    thanks, for my home environment an Windows Server is a bit too much :) Is there a other home friendly solution possible?

     

    Regarding the Youtube Exception above, I added yet the following to the List, to get Youtube on Mobile App working:

     

    Skipping: Block by download size / Antivirus / Sandstorm / Do not display download/scan progress page

     

    www.youtube.com

    i.ytimg.com

    googlevideo.com

    r3---sn-cvh76nez.googlevideo.com

    android.clients.google.com

    ssl.google-analytics.com

    safebrowsing.googleapis.com

    spoc-pool-gtm.norton.com

    reports.crashlytics.com

    yt3.ggpht.com

    connectivitycheck.gstatic.com

     

    Best Regards

    Sally

Reply
  • Hi,

     

    thanks, for my home environment an Windows Server is a bit too much :) Is there a other home friendly solution possible?

     

    Regarding the Youtube Exception above, I added yet the following to the List, to get Youtube on Mobile App working:

     

    Skipping: Block by download size / Antivirus / Sandstorm / Do not display download/scan progress page

     

    www.youtube.com

    i.ytimg.com

    googlevideo.com

    r3---sn-cvh76nez.googlevideo.com

    android.clients.google.com

    ssl.google-analytics.com

    safebrowsing.googleapis.com

    spoc-pool-gtm.norton.com

    reports.crashlytics.com

    yt3.ggpht.com

    connectivitycheck.gstatic.com

     

    Best Regards

    Sally

Children
No Data