
How to forward web requests to another transparent proxy in lan?

Hi @ll,


I'm stuck on a problem regarding the web filtering module. The goal is to have the following setup:


Default Gateway is SG

Web requests for specified users/groups shall be forwarded to another transparent proxy in the same LAN, like:

LAN -> HTTP(S) -> SG -> Transparent Proxy -> Internet

Specific user group -> HTTP(S) -> SG -> Internet

The other way around would also be a possible way:

LAN -> HTTP(S) -> SG -> Internet

Specific user group -> HTTP(S) -> Transparent Proxy -> Internet

My first approach was to use NAT but I couldn't get it to work. Secondly I tried it using policy routes like

Source Interface: LAN -> Source Network: Test-PC -> Service: Web Surfing -> Destination: Any -> Gateway: 'Transparent Proxy'


but that didn't work either. Hope this is solvable and s/o can point me to the solution.

greetings

LoD



  • How are "specific user groups" defined - Active Directory Group membership?  Is there a reason you wouldn't want to use the Standard mode?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    thanks for responding!

    We're quite flexible in defining the groups - it's all in a testing environment.
    The specific user groups may either be defined by a local group or by an AD group. Whatever is the easiest way.

    E.g.: Default == all requests are forwarded to the "Backend transparent proxy" + specific user groups (either AD or local with standard auth) are allowed to use the SG to reach the internet (I guess this should be the preferred way as only a small group has to be defined within the exception)

    Or

    Default == all requests are handled by the SG + specific user groups (in that case AD) are forwarded to the "backend transparent proxy".


    Whatever could be the correct way - the larger group of users (who are to use the backend transparent proxy) shouldn't be asked to authenticate and their requests should be forwarded.

    Maybe I should give more details?! At the moment we're using a default GW at all clients which points to the "Backend transparent proxy". That transparent proxy has to stay in our setup but is limited in configuring routing options. So we'd like to change the def GW to the SG which is more flexible in configuring routes but still can use the "btp" (at least as long as it's licensed).

    Having the SG in the environment we'd like to have the option to use it - for specific users or in case the "btp" is in error. Atm the SG's running in transparent mode and has 4 separated LAN segments and 2 WAN lines. Maybe using "Full transparent" will do the trick?

    cheers

    LoD
