This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Endpoint Webcontrol taking precedence over Proxy Filtering?

So we have the situation, that our road warriors, which have the endpoint installled with a specific (less strict) proxy filter profile assigned to them via webcontrol, are, from time to time, in our headquarter.

In the headquarter the road warriors are in subnets with a much more restrictiv web proxy profile.

So the expected behavior would be, that the sites, that the warriors had acces to on their raodtrip, would be blocked when they are in the headquarters subnet.

But this is not the case! They still can open up sites, that are blocked for "normal" pc in the headquarter. I tried the setting "scan traffic on both the gateway and the endpoint" but this didn't change the result. When I disabled webcontrol for the warriors, the sites are blocked, as they should be.


So it seems, that endpoint settings are taking precedence over proxy settings.

Is there a way to change this. I want to have the proxy be the "master". Besides I really can't get my head around on how this behavior right now can work.



This thread was automatically locked due to age.
Parents
  • What does Sophos Support say - is this expected behavior, and why?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is the expected behaviour.

    When a user is running endpoint Web Control, the endpoint sends a coded header in every request. When the UTM sees this header, it will skip processing the transaction as it knows that the user's policy has already been applied by the endpoint.

    This header is coded in a way that only the UTM that provides the endpoint's policy will recognise it - so if a user from another company comes on to your network, using an endpoint web policy from another UTM, your UTM will still scan the traffic and apply your policies.

    The exception to this is HTTPS traffic, which cannot be decrypted by the endpoint and so cannot have the header added. HTTPS traffic will have policy re-applied by the UTM at the gateway.

    Cheers
    Rich
  • Thanks, Rich. Pretty much what I thought, but I hadn't stopped to think that HTTPS traffic wasn't inspected by the endpoint. Is that a feature under consideration?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, I know it's been on the long list for a while, but I'm afraid I'm not the right person to say what the current status is.

    Cheers
    Rich
Reply Children
No Data