
Endpoint Webcontrol taking precedence over Proxy Filtering?

So we have the situation that our road warriors, who have the endpoint installed with a specific (less strict) proxy filter profile assigned to them via Web Control, are, from time to time, in our headquarters.

In the headquarters the road warriors are in subnets with a much more restrictive web proxy profile.

So the expected behaviour would be that the sites the warriors had access to on their road trip would be blocked when they are in the headquarters subnet.

But this is not the case! They can still open sites that are blocked for "normal" PCs in the headquarters. I tried the setting "scan traffic on both the gateway and the endpoint", but this didn't change the result. When I disabled Web Control for the warriors, the sites were blocked, as they should be.

So it seems that endpoint settings are taking precedence over proxy settings.

Is there a way to change this? I want to have the proxy be the "master". Besides, I really can't get my head around how this behaviour can work right now.

  • What does Sophos Support say - is this expected behavior, and why?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is the expected behaviour.

    When a user is running endpoint Web Control, the endpoint sends a coded header in every request. When the UTM sees this header, it will skip processing the transaction as it knows that the user's policy has already been applied by the endpoint.

    This header is coded in a way that only the UTM that provides the endpoint's policy will recognise it - so if a user from another company comes on to your network, using an endpoint web policy from another UTM, your UTM will still scan the traffic and apply your policies.

    The exception to this is HTTPS traffic, which cannot be decrypted by the endpoint and so cannot have the header added. HTTPS traffic will have policy re-applied by the UTM at the gateway.

    Cheers
    Rich
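    To make the trust decision Rich describes concrete, here is a small model of the gateway side, written as an added example for this thread rather than Sophos code. The header name, the keying scheme (an HMAC over the request target, keyed with a per-UTM secret) and all key values are constructed assumptions; the page does not disclose how the real header is coded. The model shows the three cases from the reply: a tag minted with this UTM's key is honoured, a tag from another UTM is not, and an HTTPS CONNECT never carries a tag, so gateway policy always applies to it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical header name and per-UTM secrets (constructed for this example;
# the real header name and keying scheme are not shown on the page).
POLICY_HEADER = "X-Example-Endpoint-Policy"
THIS_UTM_KEY = b"constructed-secret-of-our-utm"
OTHER_UTM_KEY = b"constructed-secret-of-another-companys-utm"


@dataclass
class Request:
    method: str                  # "GET" for plain HTTP, "CONNECT" for an HTTPS tunnel
    target: str                  # full URL for HTTP, "host:443" for CONNECT
    headers: dict = field(default_factory=dict)


def policy_tag(key: bytes, target: str) -> str:
    """Keyed tag the endpoint would attach: HMAC-SHA256 over the request target."""
    return hmac.new(key, target.encode(), hashlib.sha256).hexdigest()


def endpoint_request(key: bytes, method: str, target: str) -> Request:
    """Model the endpoint: it can only add the header to plaintext HTTP.
    An HTTPS CONNECT carries no tag because the endpoint does not decrypt."""
    req = Request(method, target)
    if method != "CONNECT":
        req.headers[POLICY_HEADER] = policy_tag(key, target)
    return req


def gateway_decision(req: Request, our_key: bytes = THIS_UTM_KEY) -> str:
    """Gateway proxy: skip filtering only for a tag minted with *our* key."""
    if req.method == "CONNECT":
        # HTTPS: no endpoint tag is possible, so gateway policy always applies
        return "apply-gateway-policy"
    tag = req.headers.get(POLICY_HEADER)
    if tag is None:
        # no endpoint Web Control on this client
        return "apply-gateway-policy"
    expected = policy_tag(our_key, req.target)
    if hmac.compare_digest(tag, expected):
        return "skip-endpoint-policy-already-applied"
    # tag minted by another UTM (or a stale/altered one) is simply ignored
    return "apply-gateway-policy"


if __name__ == "__main__":
    for key, method, target in [
        (THIS_UTM_KEY, "GET", "http://example.com/forum/"),
        (OTHER_UTM_KEY, "GET", "http://example.com/forum/"),
        (THIS_UTM_KEY, "CONNECT", "example.com:443"),
    ]:
        print(method, target, "->", gateway_decision(endpoint_request(key, method, target)))
```

    The practical consequence for the original question follows directly: while the endpoint's Web Control policy is active, every plain-HTTP request from the road warrior arrives at the headquarters UTM with a tag the UTM recognises as its own, so the UTM steps aside; only the HTTPS traffic and clients without the endpoint get the stricter gateway profile.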
  • Thanks, Rich. Pretty much what I thought, but I hadn't stopped to think that HTTPS traffic wasn't inspected by the endpoint. Is that a feature under consideration?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, I know it's been on the long list for a while, but I'm afraid I'm not the right person to say what the current status is.

    Cheers
    Rich
  • The endpoint behaves like HTTPS "URL Filtering Only". For example it will still categorize and block porn sites. Because it does not do HTTPS decrypt and scan, if you download malware it is not caught in the browser with a block page. Instead, when the malware is saved to disk the system AV scanner picks it up and blocks it with a bubble coming from the system tray.

    The main thing the endpoint cannot do is HTTPS blocks of file types, and HTTPS categorization when the path matters (e.g. company.com/forum may be classified as company rather than as forum).

    When the endpoint is behind the UTM all HTTPS traffic is scanned to handle those things the endpoint cannot, and optionally do a second scan for viruses as well.

    The risks associated with the endpoint not scanning HTTPS are low (we still block sites and viruses), and those risks only exist when endpoints are roaming (outside the company).
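    The two limitations named in this reply (path-dependent categorization and file-type blocking over HTTPS) come down to what each filter can see. As an added example, not code from Sophos or from this thread, the model below uses a constructed category table with a longest-prefix lookup and a constructed file-type block list. The endpoint sees the full URL for plain HTTP but only the hostname for HTTPS; the gateway with HTTPS decrypt-and-scan sees the full URL again, which is why it catches the company.com/forum case and an executable download that the endpoint lets through.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed category table; the longest matching host/path prefix wins.
CATEGORIES = {
    "company.com": "company",
    "company.com/forum": "forum",
    "downloads.example.org": "downloads",
}
BLOCKED_CATEGORIES = {"forum"}          # constructed policy for the example
BLOCKED_EXTENSIONS = {".exe", ".msi"}   # constructed file-type block list


def categorize(host: str, path: Optional[str]) -> str:
    """Longest-prefix category lookup. With path=None (only the hostname is
    visible, as for HTTPS without decryption) only host entries can match."""
    candidates = [host]
    if path:
        segments = [s for s in path.split("/") if s]
        for i in range(1, len(segments) + 1):
            candidates.append(host + "/" + "/".join(segments[:i]))
    for candidate in reversed(candidates):   # most specific first
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def decide(host: str, path: Optional[str]) -> str:
    """Apply category policy first, then file-type policy (path permitting)."""
    if categorize(host, path) in BLOCKED_CATEGORIES:
        return "block-category"
    if path and any(path.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "block-filetype"
    return "allow"


def endpoint_decision(url: str) -> str:
    """Endpoint model: full URL for http, hostname only for https."""
    parts = urlsplit(url)
    path = parts.path if parts.scheme == "http" else None
    return decide(parts.hostname, path)


def gateway_url_decision(url: str, decrypt_https: bool = True) -> str:
    """Gateway model: with decrypt-and-scan the HTTPS path is visible again;
    without it the gateway is limited to the hostname just like the endpoint."""
    parts = urlsplit(url)
    path = parts.path if (parts.scheme == "http" or decrypt_https) else None
    return decide(parts.hostname, path)


if __name__ == "__main__":
    for url in ["http://company.com/forum/thread",
                "https://company.com/forum/thread",
                "https://downloads.example.org/tool.exe"]:
        print(url, "endpoint:", endpoint_decision(url),
              "gateway:", gateway_url_decision(url))
```

    Running it shows the split described in the reply: https://company.com/forum/thread is "company" and allowed at the endpoint but "forum" and blocked at a decrypting gateway, and the HTTPS .exe download is only blocked where the path can be seen.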