Web Protection/Proxy GPO

You could also use the DHCP-Option for delivering the wpad.dat or configure your dns-servers to offer an wpad alias for the UTM.
With an easy change in DNS-Server (if windows) and a simple DNAT rule for accessing the UTMs wpad.dat you can then use the "autodetection" feature of the browsers.

Has its charms because you don't need GPOs for every browser. The usage of "system setting" (aka IE Proxy settings) sometimes makes trouble. Another advantage is the central management of the "bypass proxy for.."-thing.

You could also use the DHCP-Option for delivering the wpad.dat or configure your dns-servers to offer an wpad alias for the UTM.
With an easy change in DNS-Server (if windows) and a simple DNAT rule for accessing the UTMs wpad.dat you can then use the "autodetection" feature of the browsers.

Has its charms because you don't need GPOs for every browser. The usage of "system setting" (aka IE Proxy settings) sometimes makes trouble. Another advantage is the central management of the "bypass proxy for.."-thing.

Thanks for your reply and tips on deploying the Sophos as proxy.

Would be even necessary to have a proxy GPO if the gateway of all our servers is the Sophos and we have configured AD SSO for Web Filtering?

Many thanks

Not if you're using the proxy in transparent mode. If it's configured for standard mode, you need a way to tell the browser to use the proxy.

I have two configured, one transparent so that the 'guest network' wifi' surfs through it and is still protected (it has it's own DHCP scope and is segregated from the corporate LAN). Also one standard, so that devices on the corporate LAN receive DHCP option 252 pointing to the WPAD settings on the UTM

You can use the WPAD for static (server) configurations, too. Therefore you need to distribute a wpad.dat over a DNS record or simply point to the wpad.dat in the IE/browser configuration. If you want to use the wpad.dat of the utm via "auto detection" with windows dns servers you have to enable the distribution of the wpad.dat: https://technet.microsoft.com/de-de/library/cc995158.aspx

And then all you need is an additonal DNAT rule that changes "HTTP-traffic to your local utm interface (address)" to "HTTP Proxy-traffic to your local utm interface (address) as the wpad.dat is lying here: "http://lan-ip-of-your-utm:8080/wpad.dat". You can also simply configure that url on your server browsers.

 Your auto-configuration on the utm  (web protection/filtering options/misc) then could look like this:

The equivalent in "transparent mode" would be the "destination skip list, here all connections to hosts in networks listed above get the info to not being proxied (DIRECT), in any other case the proxy at 192.168.254 port 8080 should be used. These entries are working like the exceptions for proxy usage in browsers.

A record for a URL could look like this: shExpMatch(host, "www.your-domain.com") ||

Using the proxy auto configuration in combination with the dns wpad.dat makes the usage of a "standard mode" nearly feeling like a "transparent mode" (meaning the additional effort for configuration on the devices).

"Auto-detection of proxy settings" (which means search for wpad.dat in DNS) is default setting for IE browser, so no additional effort there.
Firefox has to be switched to that mode manually because it is per default using "use system settings", what in this case unfortunately doesn't work correct.