Sophos proxy internet access / firewall rules

Hi Sally,

I edited your post and removed all of the extra blank lines so that I could read what you posted.  Just because you know what you said doesn't mean it's immediately clear to the rest of us.

Doug's Wiki post, Securing and Configuring Web Filtering, might help you understand the difference between the use of the "Web Surfing" group and 'Allowed Target Services'.

A Generic Proxy is not what you want.  From the context-sensitive on-line Help:

A generic proxy, also known as a port forwarder, combines both features of DNAT and masquerading, forwarding all incoming traffic for a specific service to an arbitrary server. The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the interface for outgoing connections. In addition, the destination (target) port number can be changed as well.

Cheers - Bob
PS After all, this is a question about Web Protection, so I'll move it to that forum.  Let me know if you want me to move it back here.

Hi BAlfson,

thank you for sending me the article, and the information regarding the generic proxy. I have yet https decrypt / scan working with transparent proxy. When downloading the Proxy CA with PKCS#12 / Password and import it to Iphone, i was still getting ssl errors on the iphone. Then i downloaded the proxy ca cert as pem and imported it to iphone now its working. For Firefox i had to import the cert manually till the ssl errors where gone. Now browsing with Edge, Firefox, Chrome on MAC / Iphone / Windows is working...:)

Now i read that the most secure option would be, use standard Proxy and as Fallback Transparent Proxy. I went to Web Filter Profiles - created new Profile with Standard Mode - Authentication None https decrypt and scan enabled. 

Added then the UTM IP / 8080 to Firefox Network Proxy Manual, and can access Internet, works.

How do I have to configure the Fallback Option, is Fallback like if I don’t enter the Proxy Config to the Browser, that the devices then anyhow access Internet via Transparent Profile, or where can I set this?

Thx

Sally

I usually set the Default Profile in Transparent mode and make it more-restrictive, but that up to you.  Yes, if the browser isn't configured to use the Proxy, it's requests will be handled by the Profile in Transparent mode.

Cheers - Bob

If in this configuration with Standard Proxy and Transparent Proxy some application not work, like Update or cannot reach direct a server outside, will be the first step to check on the Transparent Proxy and define an exception there?

For example Youtube Videos are not working on iPhone 6. Checked with Youtube App and Website. When starting the Videos I get an error message, saying I should try again later. Youtube on the PC is working. Checked here in the Forum and added this Exception to the Transparent Proxy:

Skiped all Checks: Authentication / Caching / Block by download size / Antivirus / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check / Accessed pages / Blocked pages / Do not display Download/Scan progress page

Exceptions:

^http://[A-Za-z0-9.-]+\.googlevideo\.com/videoplayback
^http://[A-Za-z0-9.-]+\.youtube\.com/videoplayback
^http://[A-Za-z0-9.]+\.googlevideo\.com/videoplayback
^http://[A-Za-z0-9.]+\.youtube\.com/videoplayback
^http://[a-za-z0-9.-]+\.youtube\.com/videoplayback
^http://[A-Za-z0-9.]+\.gdata\.youtube\.com/
^http://[A-Za-z0-9.]+\.googlevideo\.com/
^https?//[A-Za-z0-9.]*youtube\.com
^https?://[A-Za-z0-9.]+\.googlevideo\.com
^https?://[A-Za-z0-9.]+\.googlevideo\.com/videoplayback
^https?://[A-Za-z0-9.]+\.youtube\.com/videoplayback
^https?//[A-Za-z0-9.]+\.youtube\.com
youtube.com
https?//youtube.com

But still, the youtube videos on iPhone are not playing. Then I deactivated the Standard Proxy, still same result. But when switching back from decrypt / scan to only url filtering the videos work..

Also what for me is not yet clear is, how can I force the Standard Proxy to all devices? When I see under Filtering Options - Misc - Auto Proxy Config , do I just have to mark Enable Auto Proxy Config, to push this to all the Clients? 

Thx

Sally

Please refer to Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

It sounds like you're on the right track.

Cheers - Bob

Hi,

thanks, for my home environment an Windows Server is a bit too much :) Is there a other home friendly solution possible?

Regarding the Youtube Exception above, I added yet the following to the List, to get Youtube on Mobile App working:

www.youtube.com

i.ytimg.com

googlevideo.com

r3---sn-cvh76nez.googlevideo.com

android.clients.google.com

ssl.google-analytics.com

safebrowsing.googleapis.com

spoc-pool-gtm.norton.com

reports.crashlytics.com

yt3.ggpht.com

connectivitycheck.gstatic.com

Best Regards

Sally

Hi,

thanks, for my home environment an Windows Server is a bit too much :) Is there a other home friendly solution possible?

Regarding the Youtube Exception above, I added yet the following to the List, to get Youtube on Mobile App working:

www.youtube.com

i.ytimg.com

googlevideo.com

r3---sn-cvh76nez.googlevideo.com

android.clients.google.com

ssl.google-analytics.com

safebrowsing.googleapis.com

spoc-pool-gtm.norton.com

reports.crashlytics.com

yt3.ggpht.com

connectivitycheck.gstatic.com

Best Regards

Sally