Windows 10 VPN and Sophos UTM - Proxy PAC

We are setting up a VPN connection for all our clients and were looking to make all web browsing (except Office Apps) go via the UTM for filtering when connected. I have tried setting the settings in the IE settings to get the Proxy PAC file from the UTM via http://UTM.IP.Address:Port/wpad.dat. If you web browse to this address it downloads the dat file. However, it doesn't seem to be actioning the Bypass Proxy option and all traffic seems to go through the UTM still.

I have also tried to add the VPN Proxy settings and select use setup script and point it to the address and port of the proxy. This also does not seem to work.

I have managed to get the Sophos endpoint to bypass the Proxy by setting the option in the Sophos Cloud for Proxy Configuration, and clients update both when they are connected and not connected to the VPN.

A sample of my PAC file is below:

function FindProxyForURL(url, host) {
// NetBIOS-names
if (isPlainHostName(host))
return "DIRECT";
// change to lower case, if not already been done
host = host.toLowerCase();
// internal DNS-suffixes
if (shExpMatch(host, "*.corp.company.com")
|| shExpMatch(host, "clients.config.office.net")
|| shExpMatch(host, "autodiscover.greenvale.co.uk")
|| shExpMatch(host, "dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com")
|| shExpMatch(host, "skydrive.wns.windows.com")
|| shExpMatch(host, "*.akamaized.net")
|| shExpMatch(host, "*.compliance.microsoft.com")
|| shExpMatch(host, "*.events.data.microsoft.com")
|| shExpMatch(host, "*.lync.com")
|| shExpMatch(host, "*.mail.protection.outlook.com")
|| shExpMatch(host, "*.measure.office.net")
|| shExpMatch(host, "*.msftidentity.com")
|| shExpMatch(host, "*.msidentity.com")
|| shExpMatch(host, "*.officeapps.live.com")
|| shExpMatch(host, "*.online.office.com")
|| shExpMatch(host, "*.outlook.office.com")
|| shExpMatch(host, "*.protection.office.com")
|| shExpMatch(host, "*.protection.outlook.com")
|| shExpMatch(host, "*.security.microsoft.com")
|| shExpMatch(host, "*.onenote.com")
|| shExpMatch(host, "*.sharepoint.com")
|| shExpMatch(host, "*.skypeforbusiness.com")
|| shExpMatch(host, "*.teams.microsoft.com")
|| shExpMatch(host, "*.yammer.com")
|| shExpMatch(host, "*.assets-yammer.com")
|| shExpMatch(host, "*.relay.teams.microsoft.com")
|| shExpMatch(host, "account.activedirectory.windowsazure.com")
|| shExpMatch(host, "aefd.nelreports.net")
|| shExpMatch(host, "teams-ring.msedge.net")
|| shExpMatch(host, "fp-afd.azureedge.net")
|| shExpMatch(host, "account.office.net")
|| shExpMatch(host, "manage-us.kaiza.la")
|| shExpMatch(host, "accounts.accesscontrol.windows.net")
|| shExpMatch(host, "activity.windows.com")
|| shExpMatch(host, "adminwebservice.microsoftonline.com")
|| shExpMatch(host, "amcdn.msftauth.net")
|| shExpMatch(host, "api.passwordreset.microsoftonline.com")
|| shExpMatch(host, "api.userstore.skype.com")
|| shExpMatch(host, "autologon.microsoftazuread-sso.com")
|| shExpMatch(host, "b.config.skype.com")
|| shExpMatch(host, "becws.microsoftonline.com")
|| shExpMatch(host, "broadcast.skype.com")
|| shExpMatch(host, "clientconfig.microsoftonline-p.net")
|| shExpMatch(host, "companymanager.microsoftonline.com")
|| shExpMatch(host, "compliance.microsoft.com")
|| shExpMatch(host, "contacts.zoho.com")
|| shExpMatch(host, "cdn.fluidpreview.office.net")
|| shExpMatch(host, "cxcs.cdn.office.net")
|| shExpMatch(host, "device.login.microsoftonline.com")
|| shExpMatch(host, "eafc.nelreports.net")
|| shExpMatch(host, "ecs.office.com")
|| shExpMatch(host, "europe.smartscreen.microsoft.com")
|| shExpMatch(host, "contentsync.onenote.com")
|| shExpMatch(host, "hierarchyapi.onenote.com")
|| shExpMatch(host, "fonts.gstatic.com")
|| shExpMatch(host, "fp.msedge.net")
|| shExpMatch(host, "graph.microsoft.com")
|| shExpMatch(host, "graph.windows.net")
|| shExpMatch(host, "greenvalecouk-my.sharepoint.com")
|| shExpMatch(host, "itsupport.gvcloud.co.uk")
|| shExpMatch(host, "login.microsoft.com")
|| shExpMatch(host, "login.microsoftonline.com")
|| shExpMatch(host, "login.microsoftonline-p.com")
|| shExpMatch(host, "login.windows.net")
|| shExpMatch(host, "logincert.microsoftonline.com")
|| shExpMatch(host, "loginex.microsoftonline.com")
|| shExpMatch(host, "login-us.microsoftonline.com")
|| shExpMatch(host, "nexus.microsoftonline-p.com")
|| shExpMatch(host, "ntp.msn.com")
|| shExpMatch(host, "office.live.com")
|| shExpMatch(host, "onedrive.live.com")
|| shExpMatch(host, "outlook.office.com")
|| shExpMatch(host, "outlook.office365.com")
|| shExpMatch(host, "passwordreset.microsoftonline.com")
|| shExpMatch(host, "protection.office.com")
|| shExpMatch(host, "provisioningapi.microsoftonline.com")
|| shExpMatch(host, "outlook-1.cdn.office.net")
|| shExpMatch(host, "s0-azure.assets-yammer.com")
|| shExpMatch(host, "res-1.cdn.office.net")
|| shExpMatch(host, "security.microsoft.com")
|| shExpMatch(host, "spo-ring.msedge.net")
|| shExpMatch(host, "storage.live.com")
|| shExpMatch(host, "smtp.office365.com")
|| shExpMatch(host, "teams.microsoft.com")
|| shExpMatch(host, "teams.nel.measure.office.net")
|| shExpMatch(host, "tipengine.zoho.com")
|| shExpMatch(host, "uci.cdn.office.net")
|| shExpMatch(host, "wns.windows.com")
|| shExpMatch(host, "www.yammer.com")
|| shExpMatch(host, "*.akadns.net")
|| shExpMatch(host, "*.akam.net")
|| shExpMatch(host, "*.akamai.com")
|| shExpMatch(host, "*.akamai.net")
|| shExpMatch(host, "*.akamaiedge.net")
|| shExpMatch(host, "*.akamaihd.net")
|| shExpMatch(host, "*.akamaized.net")
|| shExpMatch(host, "*.blob.core.windows.net")
|| shExpMatch(host, "*.edgekey.net")
|| shExpMatch(host, "*.edgesuite.net")
|| shExpMatch(host, "sfgbr.loki.delve.office.com")
|| shExpMatch(host, "autodiscover-s.outlook.com")
|| shExpMatch(host, "*-admin.sharepoint.com")
|| shExpMatch(host, "*-files.sharepoint.com")
|| shExpMatch(host, "*-myfiles.sharepoint.com")
|| shExpMatch(host, "cdn.odc.officeapps.live.com")
|| shExpMatch(host, "*.office.com")
|| shExpMatch(host, "dci.sophosupd.com")
|| shExpMatch(host, "dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com")
|| shExpMatch(host, "mcs2-cloudstation-us-east-2.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs.stn100yul.ctr.sophos.com")
|| shExpMatch(host, "mcs2.stn100yul.ctr.sophos.com")
|| shExpMatch(host, "d1.sophosupd.com")
|| shExpMatch(host, "d2.sophosupd.com")
|| shExpMatch(host, "d3.sophosupd.com")
|| shExpMatch(host, "dci.sophosupd.net")
|| shExpMatch(host, "d1.sophosupd.net")
|| shExpMatch(host, "d2.sophosupd.net")
|| shExpMatch(host, "d3.sophosupd.net")
|| shExpMatch(host, "t1.sophosupd.com")
|| shExpMatch(host, "sus.sophosupd.com")
|| shExpMatch(host, "sus.sophosupd.net")
|| shExpMatch(host, "sdds3.sophosupd.com")
|| shExpMatch(host, "sdds3.sophosupd.net")
|| shExpMatch(host, "sdu-feedback.sophos.com")
|| shExpMatch(host, "sophosxl.net")
|| shExpMatch(host, "4.sophosxl.net")
|| shExpMatch(host, "samples.sophosxl.net")
|| shExpMatch(host, "cloud.sophos.com")
|| shExpMatch(host, "id.sophos.com")
|| shExpMatch(host, "central.sophos.com")
|| shExpMatch(host, "downloads.sophos.com")
|| shExpMatch(host, "*.ctr.sophos.com")
|| shExpMatch(host, "*.hydra.sophos.com")
|| shExpMatch(host, "*.d.akamaiedge.net")
|| shExpMatch(host, "e13687.d.akamaiedge.net")
|| shExpMatch(host, "*.cloudfront.net")
|| shExpMatch(host, "d27v6ck90qm3ay.cloudfront.net")
|| shExpMatch(host, "dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com")
|| shExpMatch(host, "dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com")
|| shExpMatch(host, "mcs-cloudstation-eu-central-1.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs-cloudstation-eu-west-1.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs-cloudstation-us-east-2.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs-cloudstation-us-west-2.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs2-cloudstation-us-east-2.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs2-cloudstation-us-west-2.prod.hydra.sophos.com")
|| shExpMatch(host, "mcs.stn100syd.ctr.sophos.com")
|| shExpMatch(host, "mcs.stn100yul.ctr.sophos.com")
|| shExpMatch(host, "mcs.stn100hnd.ctr.sophos.com")
|| shExpMatch(host, "mcs2.stn100syd.ctr.sophos.com")
|| shExpMatch(host, "mcs2.stn100yul.ctr.sophos.com")
|| shExpMatch(host, "mcs2.stn100hnd.ctr.sophos.com")
|| shExpMatch(host, "ocsp.globalsign.com")
|| shExpMatch(host, "ocsp2.globalsign.com")
|| shExpMatch(host, "crl.globalsign.com")
|| shExpMatch(host, "crl.globalsign.net")
|| shExpMatch(host, "ocsp.digicert.com")
|| shExpMatch(host, "crl3.digicert.com")
|| shExpMatch(host, "crl4.digicert.com")
|| shExpMatch(host, "amazonaws.com")
|| shExpMatch(host, "cdn.uci.officeapps.live.com"))
return "DIRECT";
// Save the IP-address to variable hostIP
var hostIP;
// The dots are escaped so that only literal dotted-quad addresses match
var isIpV4Addr = /^(\d+\.){3}\d+$/;
if (isIpV4Addr.test(host))
hostIP = host;
else
hostIP = dnsResolve(host);
// IP could not be determined (dnsResolve returned null or empty) -> go to proxy
if (!hostIP)
return "PROXY 192.168.153.49:5080";
// These 3 scopes are used only internally
if (shExpMatch(hostIP, "10.216.4.*") ||
shExpMatch(hostIP, "192.168.*") ||
shExpMatch(hostIP, "127.0.0.1"))
return "DIRECT";
// Everything else goes through the proxy
return "PROXY 192.168.153.49:5080";
}



This thread was automatically locked due to age.
  • Awrite! Welcome back to the UTM Community, Peter.

    Are you sure you don't have a Web Filtering Profile in Transparent mode?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
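
An offline check of the PAC logic in the question, added here as an example (it is not code from the thread or from Sophos). It runs a shortened copy of the posted FindProxyForURL under Node.js with stand-in PAC helpers, so you can see which hostnames the script itself sends DIRECT before looking at the gateway. The DNS table, the sample hostnames and the decide/audit helpers are assumptions made for the example.

```javascript
// Added example: Node.js shims for the PAC helpers a browser normally provides.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Shell-glob match over the whole string: * = any run of characters, ? = one character.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(String(str));
}

// Constructed resolver table standing in for the client's DNS (assumption).
const DNS = { "www.example.com": "93.184.216.34", "nas.example.com": "192.168.10.5" };
function dnsResolve(host) { return DNS[host] || null; } // null when lookup fails

const PROXY = "PROXY 192.168.153.49:5080";
// Four entries taken from the posted bypass list.
const BYPASS = ["*.corp.company.com", "*.sharepoint.com",
                "login.microsoftonline.com", "amazonaws.com"];

function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  host = host.toLowerCase();
  if (BYPASS.some((p) => shExpMatch(host, p))) return "DIRECT";
  const hostIP = /^(\d+\.){3}\d+$/.test(host) ? host : dnsResolve(host);
  if (!hostIP) return PROXY; // unresolved names are sent to the proxy
  if (shExpMatch(hostIP, "10.216.4.*") || shExpMatch(hostIP, "192.168.*") ||
      shExpMatch(hostIP, "127.0.0.1")) return "DIRECT";
  return PROXY;
}

// Decision for one hostname, as the browser would ask for an HTTPS URL.
function decide(host) { return FindProxyForURL("https://" + host + "/", host); }

// Table of host -> decision for a batch of names.
function audit(hosts) {
  return hosts.map((h) => ({ host: h, decision: decide(h) }));
}

// Constructed sample hostnames covering each branch of the script.
const SAMPLE = ["printer", "tenant.sharepoint.com", "LOGIN.MICROSOFTONLINE.COM",
                "amazonaws.com", "s3.amazonaws.com", "www.example.com",
                "nas.example.com", "10.216.4.20"];
for (const r of audit(SAMPLE)) console.log(r.host.padEnd(28), r.decision);
```

A pattern without a wildcard, such as "amazonaws.com", matches only that exact name, so subdomains still go to the proxy. A DIRECT result only means the client skips the explicit proxy; whether the UTM still handles that traffic is the transparent-mode question asked in the reply above.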