
Changing from Transparent Proxy to Standard Proxy Breaks Outlook and Website Images When SSL Decrypt and Scan is Enabled

I'm wanting to change our setup from a transparent proxy with AD SSO, to standard proxy with AD SSO authentication.  With transparent proxy, SSL decrypt and scan is set and the cert distributed to all clients, which works fine.  When I switch to standard proxy, some web page images no longer load, and also Outlook 2016 gets disconnected from our Exchange server.  As soon as I disable the SSL decrypt and scan, it all starts working again.

Is there something else I should be changing to fix this?  I can't work out where the issue is.



  • Yes, there is no free lunch.

    You have merged two issues:

    • Standard vs. Transparent Mode Proxy
    • HTTPS inspection enabled or disabled

    These are actually independent decisions, so there are four possible combinations.

    I recommend running both proxy modes.  I use Standard mode with AD SSO authentication for browser traffic, and Transparent mode with no authentication for non-browser traffic  (of which there is much more than I expected.)

    HTTPS inspection is a tougher call.  UTM becomes the client to the remote website, not your PC.   This creates a number of issues:

    • UTM does not support the ciphersuites of some websites.
    • UTM does not support AIA fetching for sites that do not provide their intermediate certificates.
    • Some browser plugins will not work correctly.
    • Most dual-session products will not work correctly (gotomypc and equivalents, Citrix sessions, etc.)

    The first two are theoretically correctable, but the browser companies have more money so they can adapt much more quickly than Sophos.   The latter two issues are inherent to the technology.

    You should have a monitoring and tuning process for any webfiltering endeavor.   Your tuning effort is greater with HTTPS inspection enabled.  The logs have the data that you need.

    To work around specific problems like the ones in your headline:

    • Assign websites to Tags, and assign Tags to Exception objects.
    • Use an Exception object that bypasses everything rather than using skiplists.

    For more pontificating, see my posts "Web Filtering Lessons Learned" and "Troubleshooting Web Filtering".  Both are pinned to the top of the Web Filtering forum.
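The second bullet in the answer above (no AIA fetching on the proxy) is the one that silently breaks individual sites once inspection is on, and it is easy to reproduce without touching UTM. The script below is an added example, not code from the poster or from Sophos: it builds a throwaway root, intermediate and leaf with openssl, then runs path validation the way an inspecting proxy would, first with the intermediate supplied by the "server" and then with the leaf alone. The names (Example Root, Example Intermediate, www.example.test) and the AIA URL http://pki.example.test/intermediate.cer are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): build a throwaway
# three-tier chain and show why a site that omits its intermediate
# certificate fails validation at an inspecting proxy unless something
# fetches the issuer from the leaf's AIA "CA Issuers" URL.
# All subject names and the AIA URL below are constructed values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. EC keys keep generation fast.
build_chain() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root" -days 2 >/dev/null 2>&1

    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1

    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    # The leaf carries an AIA "CA Issuers" pointer, as public-CA leaves do.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/intermediate.cer\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Server sends leaf + intermediate: validation against the trusted root succeeds.
verify_leaf_with_intermediate() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Server sends only the leaf: a validator with no AIA fetching cannot build the path.
verify_leaf_alone() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Where a browser would go to fetch the missing issuer (this is AIA fetching).
aia_ca_issuers_url() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text \
        | sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

build_chain
echo "leaf + intermediate sent: $(verify_leaf_with_intermediate)"
echo "leaf only sent:           $(verify_leaf_alone)"
echo "AIA CA Issuers URL:       $(aia_ca_issuers_url)"
```

To check a real site that stops loading once inspection is enabled, look at what its server actually sends with `openssl s_client -connect host:443 -showcerts`: if only one certificate comes back and the leaf lists a CA Issuers URL, the site depends on the client fetching the intermediate, which a browser does and the proxy does not, and that site is a candidate for the Tag/Exception bypass the answer describes.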
