Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 2 answers
  • Subscribers 3 subscribers
  • Views 3570 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help needed on enforcing Web Protection for devices connected using a router with cable connect on its WAN

AlexAng

Hi,

We are using a Fully licensed UTM 9.4 .

The Web Protection we had configured is in transparent mode and the authentication mode is set to "agent" as we do not have a AD running.

The Web Protection works fine for the wired clients (if the agent is not running there will be an error on indicating "authentication failed" with or without proxy configured in the browser).

However we have an issue on the Wireless connected devices.

If we use the Sophos Wireless Access Point (e.g. AP 15) and configured it, the Web Protection will works fine too.

But if there is an end user comes plugging the LAN cable into the WAN port of his personal Router and connect his laptop WIFI throught it, the Web Protection will not works!

There isn't any errors indicated that an authentication is required.

I tried configuring the Proxy Auto Configuration under the Web Protection > Filtering Options > Misc to force the browsers to connect to the UTM as the Proxy. But it does not seems to work.

Please help.

Thanks

Alex



This thread was automatically locked due to age.
Parents
  • 0

     

    Hi, If I understand the network setup, the 3rd Party Router /AP is plugs the WAN port into your LOCAL LAN, and provides a NAT connectiont on it,s own WIFI LAN, and provides a "LOCAL" IP address from DHCP on its own WiFI LAN... most likely a 192.168.0.0/24 or 192.168.1.0/24.

     

    The WEB Security Filter is probably set to "Proxy" traffic from your "Allowed Networks" i.e  LAN only, and there is then a HTTP/HTTPS filter in place to allow "other non PROXY traffic out..?

     

    As a quick test, look at the PACKET filter log, and see if HTTP/HTTPS traffic is being prcessed from a Private LAN address probably 192.168.0.0/24 assuming domestic grade AP/Wifi.

     

    You could add 192.168.0.0/24 AND 192.168.1.0/24 TO the Proxy as this would then intercept obvious LAN addresses used on 3rd party AP's

     

    Also do you need to allow NON proxied HTTP/HTTPS out of the UTM Firewall ? if not disable that and then there is no security issue.

     

    As an aside why allow 3rd party Wifi on the network at all if you have a UTM AP15 ... can you create a HOTSPOT "Guest/Voucher" model .. depend on time & resources to manage of course...

  • 0 in reply to RufusToofus

    Hi,

    thanks for the suggestion. i think i roughly got the situation.

    it seems that the UTM recognize the IP of the router as authenticated user. this is due to 1 user connected via to the router ... got an agent running ... and thus other users that goes connected it. the UTM will recognize that connection from the router IP was authenticated as that user.... thus the rest of the users does not required to authenticate and can access the Internet.

    I got the information from the Log ... as i saw multiple web access of the same user ... even when the user is not surfing the web ...

    Moving forward... please advice where can i find the option  "other non PROXY traffic out"?

    As for "As an aside why allow 3rd party Wifi on the network at all if you have a UTM AP15 ... can you create a HOTSPOT "Guest/Voucher" model .. depend on time & resources to manage of course..." Yes we are very pleased with the Sophos AP. BUT some stubborn end users just sneak in their own router and plugged them in !!! although it had been reflected to our management, we are looking for a more solid solution.

    Thanks in advance.

  • 0 in reply to AlexAng

    Alex, the simple answer is that you must make the head of the organization aware of the problem.  A rule is needed that creates a consequence for employees that plug in their own router.  There's no technical solution for this problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to AlexAng

    Alex, the simple answer is that you must make the head of the organization aware of the problem.  A rule is needed that creates a consequence for employees that plug in their own router.  There's no technical solution for this problem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML