Help needed on enforcing Web Protection for devices connected using a router with cable connect on its WAN

Question

Hi, 
 We are using a Fully licensed UTM 9.4 . 
 The Web Protection we had configured is in transparent mode and the authentication mode is set to "agent" as we do not have a AD running. 
 The Web Protection works fine for the wired clients (if the agent is not running there will be an error on indicating "authentication failed" with or without proxy configured in the browser). 
 However we have an issue on the Wireless connected devices. 
 If we use the Sophos Wireless Access Point (e.g. AP 15) and configured it, the Web Protection will works fine too. 
 But if there is an end user comes plugging the LAN cable into the WAN port of his personal Router and connect his laptop WIFI throught it, the Web Protection will not works! 
 There isn't any errors indicated that an authentication is required. 
 I tried configuring the Proxy Auto Configuration under the Web Protection > Filtering Options > Misc to force the browsers to connect to the UTM as the Proxy. But it does not seems to work. 
 Please help. 
 Thanks 
 Alex

RufusToofus · Answer

Hi, If I understand the network setup, the 3rd Party Router /AP is plugs the WAN port into your LOCAL LAN, and provides a NAT connectiont on it,s own WIFI LAN, and provides a "LOCAL" IP address from DHCP on its own WiFI LAN... most likely a 192.168.0.0/24 or 192.168.1.0/24. 
 
 The WEB Security Filter is probably set to "Proxy" traffic from your "Allowed Networks" i.e LAN only, and there is then a HTTP/HTTPS filter in place to allow "other non PROXY traffic out..? 
 
 As a quick test, look at the PACKET filter log, and see if HTTP/HTTPS traffic is being prcessed from a Private LAN address probably 192.168.0.0/24 assuming domestic grade AP/Wifi. 
 
 You could add 192.168.0.0/24 AND 192.168.1.0/24 TO the Proxy as this would then intercept obvious LAN addresses used on 3rd party AP's 
 
 Also do you need to allow NON proxied HTTP/HTTPS out of the UTM Firewall ? if not disable that and then there is no security issue. 
 
 As an aside why allow 3rd party Wifi on the network at all if you have a UTM AP15 ... can you create a HOTSPOT "Guest/Voucher" model .. depend on time & resources to manage of course...

BAlfson · Answer

Alex, the simple answer is that you must make the head of the organization aware of the problem. A rule is needed that creates a consequence for employees that plug in their own router. There's no technical solution for this problem. 
 Cheers - Bob