This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9.352-6 with some clients using Standard Proxy HTTP(S) 8080 and others using Transparent mode?

Hi All,

I am not sure what I need:

a) 2 Internal VLAN's and 2 UTM's(one red/green the other green)?

b) 2 Internal VLAN's and 2 UTM's(two red/green)? 

c) 1 Internal VLAN and 2 UTM's(one red/green the other green)? 

d) 1 Internal VLAN and 1 UTM(two red/green)?

I would like to use HTTP(S) inspection to make sure the more vulnerable devices stay out of trouble : The windows/mac computers use the system proxy setting 192.168.1.1:8080 for http and https.  I have installed the self signed certificate in the local computers CA store and told Chrome and Firefox to trust that certificate as well. 

I would like to use Transparent mode to reduce my firewall futzing for the less vulnerable devices : I may have Linux machines or other devices(apple tv, ipad, iphone, android phone or tablet, nexus player, nest devices, google cloud print printers) I do not want to mess with Proxy settings, auto config, pac files and the like for some devices.  For these other devices can I have them use the UTM in transparent.  In transparent mode can I block all and do some sort of whitelist web browsing


I manage two UTM 9.3 Firewall/Gateway/Router/NAT/Transparent Proxy for a cable modem ISP home use connection.  One at my home and the other at my parents.

I assume if the UTM is in Transparent mode port 8080 is NOT listening.  I assume once I go Transparent mode I cannot put a deny entry for the NAT or Firewall as this would block the SQUID proxy from passing traffic to the internet.

Thanks,

Joe



This thread was automatically locked due to age.
Parents
  • VILIC,

    I think I am almost there! LOL

    So the step #2 I need to have 2 VLAN's :
    VLAN1 for all devices except Windows and Apple computers
    VLAN2 for Windows and Apple computers

    *) I need to import the CA from the SOPHOS appliance(if I install the endpoint AV do I get the CA during that time?)
    *) I need to manually configure the web browsers to trust the self signed CA for HTTPS inspection(pain in the azz)
    *) I need to enable option 252 for WPAD.DAT(I think all browsers will use that file I have used it in the enterprise years ago)

    VILIC it was my understanding that Transparent mode handled just http(in the case of the SQUID Proxy server). All other protocols and traffic would be handled by NAT if enable and if not just routed with the firewall inspecting the header. URL filtering only for HTTPS tab means no errors on end devices like apple TV.

    Standard mode I also thought it only handled http. I have to tell the local Mac/PC to proxy https(I think I should be able to do this in the WPAD.DAT) and enable "Decrypt and Scan" or "Decrypt and scan the following" for the additional "Web Filter Profiles" custom entry.

    Thanks,
    Joe
    aka The Average Joe
  • You don't need two VLANs if you group all of your Windows/Mac computers within the subnet range.
    Example: Use VLAN 192.168.1.0/24 and group all of your Windows/Mac devices within 192.168.1.193 - 192.168.1.254 IP range. You can then create Network definition 192.168.1.192/26 and put it into Allowed Networks within Webfilter Profile that uses Standard mode.

    Regarding proxying, if the web site listens on non-standard port (80 or 443), for example http://www.test.com:8559, it can be proxied in Standard but not in Transparent mode. In Standard mode you will have do allow port 8559 in Web Protection -> Filtering options -> Misc -> Allowed Target Services. In Transparent mode you will have do create firewall rule Internal (Network) -> TCP/8559 -> www.test.com.

    For non-http requests, proxy is not used, only NAT and firewall.

    Hope that this clarifies a little bit what I wrote in my previous post.

Reply
  • You don't need two VLANs if you group all of your Windows/Mac computers within the subnet range.
    Example: Use VLAN 192.168.1.0/24 and group all of your Windows/Mac devices within 192.168.1.193 - 192.168.1.254 IP range. You can then create Network definition 192.168.1.192/26 and put it into Allowed Networks within Webfilter Profile that uses Standard mode.

    Regarding proxying, if the web site listens on non-standard port (80 or 443), for example http://www.test.com:8559, it can be proxied in Standard but not in Transparent mode. In Standard mode you will have do allow port 8559 in Web Protection -> Filtering options -> Misc -> Allowed Target Services. In Transparent mode you will have do create firewall rule Internal (Network) -> TCP/8559 -> www.test.com.

    For non-http requests, proxy is not used, only NAT and firewall.

    Hope that this clarifies a little bit what I wrote in my previous post.

Children
No Data