Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 6584 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can you use standard mode and transparent mode on the same network segment (vlan)?

ErikWaibel

Hi all.  I have been using UTM for several years (going back to version 6) in a K-12 school district.  We have both eDirectory and AD domains (not ideal, but we manage).  Several years a go we switched from standard mode with eDir SSO authentication to transparent mode for various reasons (eDir issues, and to more easily facilitate ipads).  To control different user levels, we simply created separate VLANs for students/faculty/administrators and filter accordingly.  We even have the student networks subdivided into elementary, middle, and high to accommodate different filtering levels.  It has been working great and we simply segregate the devices to the appropriate vlan (student network, faculty network, etc...)

Enter 1:1 ipad deployment and the administrations desire to force the ipads through our proxy even when the students take them home.  The only way I know of doing this is to force a profile on the ipads that locks safari to use a proxy setting (which we can do).  However, That would require a need for standard mode all the time as there is no method to change settings on the ipad for internal vs external access (either it is set to use a proxy, or it isn't)   Which means all other devices on the same VLAN internally will now have to be changed to use proxy settings and standard mode, correct? 

OR, can I have two profiles that allow the same network - one transparent, one standard?  Leave the existing internal machines using transparent, and the ipads pointing to proxy using 8080 using a standard mode proxy profile.  I don't think I can get away with that, can I?  I suppose we could simply create yet another vlan just for the ipads and move them to that...  or just change our entire infrastructure back to standard mode, but that would be a LOT of work.

 

Am I overthinking this?  is there an easier solution?



This thread was automatically locked due to age.
Parents
  • +1

    Hi Erik,

    Yes, you can have two profiles wherein both have the same allowed network (in your case, VLAN network) but one is standard and one is transparent :)

    One thing I've noted in the past is to put the standard Web Filter Profile above the Transparent Web Filter Profile as some traffic gets erroneously logged, I believe that's logged as a bug at the moment.

    The UTM picks the profile being used based on the incoming connection, if you are making an 80/443 request to a server outside of the UTM, it will apply transparent profiles then sort based on the allowed network. If you connect directly to the UTM on port 8080 then standard mode profiles are applied and a sort based on the allowed networks is done.

    Hope that helps!

    Emile

  • 0 in reply to Emile Belcourt

    Thanks for the reply.  I was hoping it would work that way.  It may be a moot issue as I was reminded by my colleagues that we have so tightly segregated our network that the ipads are the only devices using that particular VLAN anyway - so a compete change to standard mode on it would not be a show stopper.  However, the ability to accept both will make the transition much smoother.

     

    Am I wrong in assuming that we can simply register the FQDN of the UTM with our public DNS and allow port 8080 connections from the outside to allow the ipads to still use the proxy when the kids take them home?  What I am not certain of is how to defile that incoming "network" to apply a profile to it.

  • 0 in reply to ErikWaibel

    Hi Erik,

    You can set the allowed networks for the proxy to be "Any" which means no matter where the connection comes from, as long as it comes in on the Proxy port via the FQDN/IP of the UTM, it will be allowed. However I'd be very careful with setting a standard mode proxy to do this and make sure it is an authenticated proxy access only. You don't want to accidentally set up your proxy as an open relay, will your iPads being doing proxy authentication?

    Below is a brief image of how your Webfilter Profile will look:

    Also make sure your policies only allow specific authenticated users :)

    Emile

Reply
  • 0 in reply to ErikWaibel

    Hi Erik,

    You can set the allowed networks for the proxy to be "Any" which means no matter where the connection comes from, as long as it comes in on the Proxy port via the FQDN/IP of the UTM, it will be allowed. However I'd be very careful with setting a standard mode proxy to do this and make sure it is an authenticated proxy access only. You don't want to accidentally set up your proxy as an open relay, will your iPads being doing proxy authentication?

    Below is a brief image of how your Webfilter Profile will look:

    Also make sure your policies only allow specific authenticated users :)

    Emile

Children
  • 0 in reply to Emile Belcourt

    Hi Emile,

    Thanks for the reply

    I already had that thought, however, after rethinking and doing some more research I am not comfortable opening up proxy to the entire internet -  even with authentication enabled.  Support cautioned me against such a configuration, and other threads in the community basically emphatically state "Don't do it!" as even with authentication the UTM would start to come under siege with port 8080 connection attempts from all over the globe.

    (reference this thread:  Mobile devices and remote proxy

     

    Sophos support suggested their Mobile Control product, although it is a separate entity and apparently not controlled by the UTM.  I am looking into it.

  • 0 in reply to ErikWaibel

    Hi Erik,

    That would be best, what you could also do is set up the iPads to always be connected via the UTM by L2TP over IPSEC so they can access the proxy via a VPN, but SMC would be a far better and totalitarian option :)

    Glad you aren't making an Internet proxy, definitely not worth fighting off all the 8080 attempts!

    Emile

  • 0 in reply to ErikWaibel

    Agreed with Emile!

    I think I would configure Cisco, L2TP/IPsec and PPTP Remote Access, add the corresponding "VPN Pool" to the Profile for each level of student and then configure one of the three clients depending on the age group of the student.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML