
XG v18 and direct proxy

Quick question, is there any news on the direct proxy issue in v18?
The KB article is almost a year old and there is still no solution other than this workaround.

https://support.sophos.com/support/s/article/KB-000038109?language=en_US#related%20information



This thread was automatically locked due to age.
  • Hi,

    maybe this thread will answer your question.

    web proxy issues

    Ian

  • Hi,

    thank you for your fast response.
    It sounds progressive, but I cannot clearly see whether it also solves my problem.

  • There is another thread with similar but different issue that might be of interest to you.

    Ian

  • It's not a workaround, it is the way it works.

    Think of it like this:

    When you are using the web proxy (regardless of whether it is direct or transparent) there are two TCP connections.  One goes from the client and is terminated at the XG.  The other starts at the XG and goes to the web server.  Because there are two connections, it flows through the firewall twice.

    In order for the web proxy to make an outgoing connection there must be a rule that allows port 80/443.  This is true for both direct and transparent.

    For transparent mode, the admin creates a firewall rule for LAN to WAN with 80/443.  So the proxy has no problem making a connection to WAN 443.

    For direct mode that deliberately does not allow transparent, there is no rule for port 80/443.  So when the proxy tries to make a connection the firewall should prevent it.


    All firewalls have an implicit final Drop All rule.  In 17.5 this was not shown in the UI.  In 18.0 this is shown in the UI and made stricter (a good thing).

    In 17.5 the implicit Drop All was not applied to the traffic from the proxy itself - only if the admin created their own Drop All rule was it applied.  In 18.0 the stricter firewall applies the implicit Drop All to the traffic from the proxy itself.

    Therefore certain behavior in 17.5 that only occurred in some configurations now occurs all the time in 18.0 - because the new firewall is stricter about traffic generated from the box itself.

    So the system is behaving correctly - direct mode proxy traffic is blocked if the proxy is not permitted to make external 80/443 connections.
    But what if you want direct mode working?  You can either allow transparent mode as well or you can follow the KB.

    I will agree that the KB was originally written for 17.5 and needs updating.  But the process remains the same.  It is not a bug.
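The two-connection model and the 17.5 versus 18.0 difference in how the implicit Drop All is applied can be made concrete with a small first-match rule evaluator. This is an added example written for this page, not Sophos code and not the XG rule schema: the zone names, the `from_proxy` flag, the proxy listener port `PROXY_PORT` (constructed value 3128) and the `Rule`/`Flow` types are assumptions of the model, and the 17.5 behaviour of skipping the implicit drop for proxy-originated traffic is encoded exactly as the post above describes it.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed values for this simplified model (not XG's real schema).
ANY = "*"          # wildcard zone in a rule
PROXY_PORT = 3128  # port the client talks to in direct mode (assumed)


@dataclass(frozen=True)
class Flow:
    """One TCP connection as the firewall sees it."""
    src_zone: str
    dst_zone: str
    dst_port: int
    from_proxy: bool = False  # True for the connection the XG web proxy opens itself


@dataclass(frozen=True)
class Rule:
    """A simplified firewall rule: zone pair, port set (empty = any), action."""
    name: str
    src_zone: str
    dst_zone: str
    ports: FrozenSet[int]
    action: str  # "allow" or "drop"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in (ANY, flow.src_zone)
                and self.dst_zone in (ANY, flow.dst_zone)
                and (not self.ports or flow.dst_port in self.ports))


def evaluate(rules: List[Rule], flow: Flow, version: str) -> str:
    """First-match evaluation followed by the implicit final Drop All.

    Per the post: in 17.5 the implicit drop was not applied to traffic the
    proxy generated itself (only an admin-created Drop All rule caught it);
    in 18.0 the implicit drop applies to that traffic as well.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    if version == "17.5" and flow.from_proxy:
        return "allow"  # 17.5 quirk: implicit drop skipped for the proxy's own traffic
    return "drop"       # implicit Drop All (shown in the UI from 18.0)


def proxied_request(rules: List[Rule], version: str,
                    mode: str = "direct", client_zone: str = "LAN") -> Tuple[str, str]:
    """Verdicts for the two legs of one proxied web request.

    Leg 1 is client -> proxy (direct: the listener on the XG; transparent: the
    client's own 443 connection that gets intercepted). Leg 2 is the proxy's
    outbound connection to the web server, evaluated against the client's
    zone -> WAN rules on the client's behalf, as the post describes.
    """
    if mode == "direct":
        leg1 = Flow(client_zone, "XG", PROXY_PORT)
    else:
        leg1 = Flow(client_zone, "WAN", 443)
    leg2 = Flow(client_zone, "WAN", 443, from_proxy=True)
    return evaluate(rules, leg1, version), evaluate(rules, leg2, version)


# Constructed rule sets mirroring the configurations discussed above.
DIRECT_ONLY = [
    Rule("allow-proxy-listener", "LAN", "XG", frozenset({PROXY_PORT}), "allow"),
]
DIRECT_ONLY_WITH_ADMIN_DROP = DIRECT_ONLY + [
    Rule("admin-drop-all", ANY, ANY, frozenset(), "drop"),
]
WITH_TRANSPARENT = DIRECT_ONLY + [
    Rule("allow-web-out", "LAN", "WAN", frozenset({80, 443}), "allow"),
]


if __name__ == "__main__":
    cases = [
        ("direct only, 17.5", DIRECT_ONLY, "17.5", "direct"),
        ("direct only, 18.0", DIRECT_ONLY, "18.0", "direct"),
        ("direct only + admin Drop All, 17.5", DIRECT_ONLY_WITH_ADMIN_DROP, "17.5", "direct"),
        ("transparent allowed, 18.0, direct client", WITH_TRANSPARENT, "18.0", "direct"),
        ("transparent allowed, 18.0, transparent client", WITH_TRANSPARENT, "18.0", "transparent"),
    ]
    for label, rules, version, mode in cases:
        leg1, leg2 = proxied_request(rules, version, mode)
        print(f"{label:48s} client->proxy={leg1:5s} proxy->server={leg2}")
```

Running it shows the point of the post: with a direct-only rule set the second leg is allowed in 17.5 only because the implicit drop was skipped for proxy-generated traffic, it is dropped in 17.5 as soon as the admin adds an explicit Drop All, and it is dropped in 18.0 regardless, while a LAN to WAN 80/443 allow rule makes both legs pass in either mode.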