
Web Security Appliance transparent mode

Hi All,

On page 9 of the SWA config guide (http://wsa.sophos.com/swa_docs/pdf/ws1000/SWAConfigGuide.pdf) under point 3 it says “Configure your router so that it redirects all port 80 traffic to port 80 and port 443 traffic to port 443 on the Web Appliance.”

We mainly use Draytek or Watchguard devices which I don’t think can do this but I’d be interested in what routers can.

I'm sure Cisco routers have this option.

Sophos support answered with:

Unfortunately we don't have any information on which routers can perform this and how to configure them.
It's a pretty basic function though that should be available in some form in all routers.

Generally you would just need to set up a policy route for this type of traffic.

Can anyone give examples of what routers can actually do this and an example config for them?

  • The transparent deployment mode means that the appliance is set up in "dumb" mode. It won't get traffic from your network; it must be directed to the appliance. So what they are talking about is you will need to add a policy rule to your router to filter your network traffic, port 80 and 443, and direct it to the appliance for it to work.

    I only deal with ASAs and don't have a clue about that router, but the essence of the rule would be:

    rule examples,

    if traffic arrives from this network on port 80

    send it to the web appliance ip

    if traffic arrives from this network on port 443

    send it to the web appliance ip

    else send the traffic out the default gateway.

    These rules would be standard in any industry-grade router; a typical home router would have some GUI with pretty arrows or something like that. Best bet if you're not sure how to create the rule would be to contact the router company and tell 'em you want to make those two rules, and ask them for exact instructions.

  • Thanks Red_warrior.

    I understand what is needed, I just have never seen this option on a router before.

    How would you do this on an ASA?

  • Dear All,

    The fact that we have only one match on a keyword search "Watchguard" speaks volumes, anyway...

    On an XTM use the policy "http-proxy", in proxy-action, choose a client, then edit the proxy client settings. A new dialogue opens and in "use web cache server" you point to your WSA. Make sure you use port 3128 or 8081, not 80.

    The additional ports (if not set) are found in WSA, network, advanced, down below (the page may be longer than your screen is high).

    The alternative is (only with Fireware Pro) to try policy-based routing, as described by Red_warrior.

    Regards from Hamburg, DE
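
The rule Red_warrior outlines, and the policy-based routing the last reply mentions, written as a Cisco IOS policy route. This is an added example, not taken from the thread or from Sophos documentation; the addresses, interface and the ACL and route-map names are constructed placeholders.

```cisco
! Constructed values (replace with your own):
!   client LAN     192.0.2.0/24
!   Web Appliance  192.0.2.10, on the same LAN
!   LAN interface  GigabitEthernet0/1
!
ip access-list extended WEB-TO-SWA
 remark Exempt the appliance itself, or its own outbound requests loop back to it
 deny   tcp host 192.0.2.10 any
 remark Client HTTP and HTTPS are handed to the appliance
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
!
route-map SWA-REDIRECT permit 10
 match ip address WEB-TO-SWA
 set ip next-hop 192.0.2.10
!
! Apply on the interface where client traffic enters the router.
! Traffic that does not match the ACL is not policy-routed and follows
! the normal routing table (the "else send it out the default gateway" case).
interface GigabitEthernet0/1
 ip policy route-map SWA-REDIRECT
```

The policy route changes only the next hop; destination addresses and ports are left as the client sent them, which is what lets the appliance intercept port 80 and 443 traffic transparently.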
