Web appliance deployment

Hello everyone,

I need to configure a Web Appliance soon. In the meantime I have been reading about the deployment options: Explicit, Transparent and Bridge. Which one of those would you recommend and why? Is it only compatible with Mozilla and IE, or is it also compatible with Chrome? I heard only explicit mode is compatible with Active Directory, which is a big plus. I would appreciate your input, thanks!

  • I can give a few thoughts regarding our deployment about a year ago.

    We use the explicit deployment with a proxy.pac file on one of our internal servers.

    -If you have users who are going to have laptops that you want filtered while they are at work, and not filtered when they go home this can make a difference on what you decide.  For this we use a proxy.pac file, so that we can explicitly filter our users while at work, but also allow them to use their laptops on their home networks.

    -If you decide to do bridged mode, or essentially a cable force-through, you will create a single point of failure, which isn't recommended. Also, depending on what applications you use, some odd ones will not play nice with the gateway, so having a method to bypass the gateway altogether is nice in those situations, especially for troubleshooting.

    -We don't use Chrome, but I have tested it and it worked fine with our appliance.

  • Hi moramoga,

    The good news is that Active Directory is supported in all 3 modes :)

    So the mode to choose will really depend on your preference.

    Transparent / Bridge deployments allow you to ensure all http/https traffic is filtered without having to set up any proxy settings.   As jdobbins88 mentioned, there are a couple of considerations to make:

    • This removes the option to configure load-balancing or failover.  All traffic will go through one appliance.  (Although, in bridge mode traffic will continue unfiltered if the appliance does fail).
    • It is more difficult to completely bypass the appliance for a specific application/site

    Explicit mode is more of a traditional proxy setup.  It requires that proxy settings or a proxy.pac/wpad.dat file is configured on all clients.  These can usually be distributed by group policy etc.  Using methods like a proxy.pac file you can also easily configure load balancing and failover. 

    The main drawback is distributing these proxy settings to all clients - It will be more difficult to ensure guests/roaming users can access the web without proxy configuration.

    Hope this helps,  let me know if you have any more questions on a particular mode.

    Tom.

  • Hi Tom,

    Awesome feedback!

    I am still debating about which method to use, because it's a bit of a turnoff to set up the proxy on every PC. I think I will ask how many PCs the appliance will be filtering, and I will make a choice based on that.

    Which is the easiest way to distribute the proxy pac? AD?

    Sergio

  • Hi Sergio,

    Sounds like a good plan.  The choice will largely depend on how many devices they have, and whether the devices are just PCs on the domain or not. 

    Proxy.pac is only really useful if you need lots of control over load-balancing / failover, or using different proxies for different sites.  For a smaller deployment it would probably be better just to set up normal proxy settings in IE.

    More information on configuring browsers is here:

    http://www.sophos.com/support/knowledgebase/article/38779.html

    Either way, the best way to distribute a proxy.pac, or normal proxy settings would be AD / group policy.  This KB also links to a quick example on how to set up proxy settings via group policy.  If all clients are PCs on the domain this should be a fairly simple process. 

    Best of luck!

    Tom.

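The proxy.pac behaviour discussed in this thread (filter on the office network, go direct at home, spread load across appliances with failover), as an added example that is not code from any poster or from Sophos. The proxy names, port 8080, the 10.20.0.0/16 office subnet and the example.internal domain are assumptions.

```javascript
// Added example PAC file. Every host, port and subnet here is a constructed placeholder.
var PROXIES = ["proxy1.example.internal:8080", "proxy2.example.internal:8080"];
var OFFICE_NET = "10.20.0.0", OFFICE_MASK = "255.255.0.0";
var INTERNAL_SUFFIX = ".example.internal";
// false = fail closed if both proxies are down; true appends DIRECT (unfiltered browsing).
var FAIL_OPEN = false;

// Dotted IPv4 string to a number, or -1 if the input is not valid IPv4.
function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

function inOfficeNet(ip) {
  var addr = ipv4ToInt(ip), mask = ipv4ToInt(OFFICE_MASK);
  if (addr < 0) return false;
  return (addr & mask) === (ipv4ToInt(OFFICE_NET) & mask);
}

// Small deterministic hash so a given site always prefers the same proxy.
function hostHash(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) % 65521;
  return h;
}

function decide(host, clientIp) {
  host = host.toLowerCase();
  // Laptop off the office network: the proxies are unreachable, so go direct.
  if (!inOfficeNet(clientIp)) return "DIRECT";
  // Names without a dot and internal hosts bypass the appliance.
  if (host.indexOf(".") === -1 || host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  var first = hostHash(host) % PROXIES.length, chain = [];
  for (var i = 0; i < PROXIES.length; i++) chain.push("PROXY " + PROXIES[(first + i) % PROXIES.length]);
  if (FAIL_OPEN) chain.push("DIRECT");
  return chain.join("; ");
}

// Browser entry point; myIpAddress() is a standard PAC helper (may pick an unexpected interface).
function FindProxyForURL(url, host) {
  return decide(host, myIpAddress());
}
```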