
Transparent web proxy for browsing traffic only

 Hello,

I tried to find a solution to proxy HTTP/S traffic coming from the web browser only AND without user authentication.

All other HTTP/S traffic coming from other apps on the same hosts does not need to be proxied.

I found some information in KB 125585 and 132117 and other information in the community, but without success.

Please, can someone help me and tell me which configuration to use?

Thanks for your help.

Best regards.



  • Could you please tell us the use case? 

     

    You could easily set up an authentication rule on top, with all your AD Authentication Users, without Proxy, and a LAN to WAN Rule below this with Proxy enabled.

    But you won't get the "User-Agent" Flag, this is currently not in XG right now (https://en.wikipedia.org/wiki/User_agent).

  • Hello,

    Thank you for the feedback.
    Currently the proxy in transparent mode is used. This is a problem for many business applications that use HTTPS or 443. Too many exceptions and big difficulties in defining them.

    To avoid blocking users, the idea is that, at first, only Internet browsing is HTTP/S scanned.

    I tried using the direct mode in the browser configuration but without success.
    I need help to know exactly how to configure Sophos XG, please.

  • Hi,

    Sounds like you haven't installed the XG CA on the PCs.

    Ian

  • Hello,

    Yes, the needed certificates are installed and browsing works in transparent mode.

    Best regards

  • Hello,

    After configuring a WPAD.dat file for allowing automatic configuration of browsers, I added the following rule at the top of the list:

    Source zones: LAN
    Source networks: Any
    Destination zones: WAN
    Destination networks: #Port9.157 which is the inside interface
    Services: Proxy-TCP-8080 which is the web proxy port configured in section Web > General Settings > Web proxy configuration

    Enabled the HTTP/S scan as follows

    and applied a Web policy.

    In this way, only the HTTP/S sessions coming from the browsers are scanned and the other cases are addressed by the standard outgoing authorization rule.
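A sketch of the kind of WPAD.dat file the last post relies on, as an added example that is not from the thread or from Sophos. The proxy address `192.0.2.1` and the internal suffix `corp.example` are placeholders; port 8080 is the web proxy port named in the post.

```javascript
// wpad.dat / proxy.pac sketch. Only applications that honour proxy
// auto-configuration (browsers) evaluate this file; other applications
// keep connecting directly and are handled by the outgoing firewall rule.
// ASSUMPTION: 192.0.2.1 stands in for the XG inside-interface address.
var XG_PROXY = "PROXY 192.0.2.1:8080";

// ASSUMPTION: constructed internal DNS suffix that should not be proxied.
var INTERNAL_SUFFIX = ".corp.example";

// True for literal IPv4 addresses in loopback or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Only HTTP and HTTPS browsing is sent to the web proxy.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme !== "http" && scheme !== "https") return "DIRECT";

  // Single-label intranet names (IPv6 literals contain ":" and are excluded).
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";

  // Internal domain: exact match or a true subdomain, never a lookalike
  // such as "notcorp.example".
  if (host === INTERNAL_SUFFIX.slice(1) ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";

  if (isPrivateIPv4(host)) return "DIRECT";

  // No "; DIRECT" fallback is listed, so the PAC file itself never
  // routes Internet browsing around the HTTP/S scan.
  return XG_PROXY;
}
```
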