
Full transparent proxy fails when on--all other traffic traverses. Works fine when off.

This was from a different thread (community.sophos.com/.../73266) that was abandoned:

I run a core/full transparent utm/border configuration. This works entirely until I turn on the web filter, at which point HTTP and HTTPS traffic fails to traverse. So, the routing is correct--I'm using that link presently to post this.
However, when I toggle on the web filter, I don't even see any entries hitting it. All other protocols traverse.

This is an ESXi environment--a trunk comes in from my internal network to the core router. The core and UTM both share a vswitch, and the border and the UTM both share a vswitch. Promiscuous mode is on those vswitches.

These were the last steps I undertook:
I rebuilt Sophos from the ground up. Fresh install, assign interfaces, create bridge and management, assign proper gateway to bridge, create any/any/any firewall rule, toggle on firewall rule, assign DNS, get Sophos up-to-date, test the bridge successfully (full normal connectivity), turn on Web Filter and immediately lose web browsing by HTTP or HTTPS. All other protocols still work. Turn web filter off and all connectivity resumes.

Everything tests fine--DNS test from Sophos and my internal nets and core are great, routing is all fine, the bridge works and passes traffic from core to border. It just refuses to transparently proxy when I toggle it on.

Does anyone have any ideas? I'm going to throw a VM on that core-UTM vswitch to see if I can find anything amiss and will report back. But I'm pretty puzzled at this point.



  • You have detailed information about how your network is configured and nothing really about how the web proxy is configured except "I turned it on".

    Can you share some details on how you've configured it?

  • Michael,

    Thank you for the reply!

    You're right--I've detailed the configuration but only mentioned that I've turned the proxy on. Aside from setting the proxy to "full transparent" and configuring allowed ranges to encapsulate my subnets (192.168.0.0/16) I'm running the complete default policy and settings. HTTPS inspection is only for headers, so there's no certificate infrastructure. I didn't see anything else germane to functionality and thought that I should at least see blocks/failures hitting the log otherwise.

    I've tested the allowed range with 0.0.0.0/0, only a single network 192.168.10.0/24, as well as only a single test host, 192.168.10.128/32, with the same result for each--http/https traffic fails to traverse, nothing hits the log, all other protocols are fine.


    I haven't yet had a chance to put up any packet sniffing, but hopefully tonight I can carve time for it.

  • For temporary/debugging purposes.

    Set Allowed Networks to Any, Operation Mode to Transparent Mode, and authentication None.

    I'm not enough of a network guy to know if you need Full Transparent in your particular set up, but AFAIK everything that works in Full Transparent should also work in Transparent, plus some other cases.

    I'm going to assume you only have one policy, the base policy, set to the Default content filter action and that you haven't modified that.

    On the Web Global tab you can Open Live Log.  Try to do some proxying to http://www.example.com (simple clean http).  Is there anything in the httpproxy log?

  • I should give regular transparent mode a try, though it's a different architecture and I really do need full transparent. My understanding of transparent/full transparent in Sophos UTM is that transparent proxies/NATs the traffic whereas full transparent does proper in-line transparent inspection. Since my border relies on my internal addressing and I'd rather not use the Sophos firewall, transparent would end up being a headache.

    But, it's definitely a valid step!

  • The proxy behaves almost exactly the same between Transparent Mode and Full Transparent Mode.

    The main difference is that the outgoing packets maintain the original IP of the client.  It still is a proxy, not in-line transparent inspection (e.g. Snort).

    If you have something upstream (closer to the internet) that is looking at the srcip and doing things like traffic shaping it makes a difference.

  • Michael,

    Still no good on Transparent.

    Putting it back to full (which I'll need in the design anyway, as I'm NATing/routing from an IPSEC VPN into some internal subnets), and doing packet captures on the core, border and off of the bridge interface of the UTM, I found some weird MAC behavior and a whole lot of TCP resets. Traffic across the bridge looks like it loops around between the core MAC, the internal UTM MAC and the border MAC. I found some additional troubleshooting regarding vswitch bridges in the form of adding some additional flags to the related VM interfaces to ignore duplicate MACs and such, as detailed here: https://community.sophos.com/products/unified-threat-management/f/54/t/40286 but so far still no luck, though I haven't taken another pcap to see if the behavior has changed, as it's late.

    --Robert

  • I'm an HTTP proxy guy, not a network guy, so I may not be of much help then.

    From my perspective I would packet capture everything on the UTM on port 80 on all interfaces.  Do you see the incoming HTTP request from the client browser? Do you see the outgoing HTTP to the far server?  What is in the proxy log?


    Have you tried Explicit mode? Put the UTM's FQDN in the Proxy field in the browser network config.  That should prove whether or not the proxy works (also that the proxy can reach the outside world) ignoring your network configuration.
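
One way to check the port-80 captures Michael suggests for the symptom Robert reported (frames for one flow circling between the core, UTM and border MACs, plus TCP resets). This is an added example, not code from the thread or from Sophos; the MAC addresses, IPs and `tcpdump -e -nn` lines are constructed, and it assumes a healthy full-transparent path is a simple core -> UTM -> border chain with no cycle.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -e -nn` lines as captured on the UTM bridge. MACs are invented:
# ...:01 = core router, ...:02 = UTM, ...:03 = border router; 198.51.100.10 = a web server.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 192.168.10.128.51234 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 00:50:56:aa:00:02 > 00:50:56:aa:00:03, ethertype IPv4 (0x0800), length 74: 192.168.10.128.51234 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 192.168.10.128.51235 > 198.51.100.10.80: Flags [S], seq 5, win 64240, length 0
10:00:02.000002 00:50:56:aa:00:02 > 00:50:56:aa:00:03, ethertype IPv4 (0x0800), length 74: 192.168.10.128.51235 > 198.51.100.10.80: Flags [S], seq 5, win 64240, length 0
10:00:02.000003 00:50:56:aa:00:03 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 74: 192.168.10.128.51235 > 198.51.100.10.80: Flags [S], seq 5, win 64240, length 0
10:00:02.000004 00:50:56:aa:00:03 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 60: 198.51.100.10.80 > 192.168.10.128.51235: Flags [R.], seq 0, ack 6, win 0, length 0
""".splitlines()

# One `tcpdump -e -nn` line for an IPv4/TCP frame: Ethernet pair, IP/port pair, TCP flags.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def has_cycle(edges):
    """True if the directed graph of (src MAC, dst MAC) hops contains a cycle."""
    graph, state = defaultdict(list), {}
    for s, d in edges:
        graph[s].append(d)
    def visit(n):
        state[n] = "open"
        for nxt in graph[n]:
            if state.get(nxt) == "open" or (nxt not in state and visit(nxt)):
                return True
        state[n] = "done"
        return False
    return any(n not in state and visit(n) for n in list(graph))

def findings(lines):
    """Per TCP flow: whether any direction's MAC hops form a loop, and how many RSTs were seen."""
    flows = defaultdict(lambda: {"hops": defaultdict(set), "rst": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, non-TCP or otherwise unparsable line
        a, b = (m["sip"], m["sport"]), (m["dip"], m["dport"])
        f = flows[tuple(sorted((a, b)))]  # direction-independent flow key
        f["hops"][(a, b)].add((m["smac"], m["dmac"]))  # one MAC hop per frame per direction
        if "R" in m["flags"]:
            f["rst"] += 1
    return {k: {"looping": any(has_cycle(h) for h in f["hops"].values()), "rst": f["rst"]}
            for k, f in flows.items()}
```

Run it against `tcpdump -e -nn -i br0 port 80` output from the real bridge; a flow reported as looping together with resets points at the vswitch/bridge MAC handling rather than at the proxy policy.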
