Do I really need XG running as an internet proxy if...

I know, a fairly subjective question.

If I'm running Sophos Central with full Intercept X, EDR, and Web Control set up, along with another brand's next-gen firewall with IPS, geo-location blocking, inline malware detection, and category/reputation blocking, do I really gain anything running an XG as a dedicated internet proxy? I deploy with a proxy.pac file, my bypass list is a mile long, getting longer all the time, and still some things don't work like they should.

Thanks in advance for any opinions.
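A proxy.pac of the kind the question describes, added here as an example (it is not the original poster's file, and the proxy address, the private ranges and every hostname in it are assumptions). It routes everything through the web proxy except an explicit bypass list, and it shows two details that a long, hand-grown bypass list tends to get wrong: suffix entries need a leading dot, because dnsDomainIs() only compares the end of the name, and the proxy entry should not carry a trailing "; DIRECT" fallback, because that quietly sends traffic unfiltered whenever the proxy is unreachable. The helper functions at the top mimic the browser's PAC runtime so the file can be evaluated offline with Node; in a browser the runtime's own versions are kept.

```javascript
// proxy.pac (constructed example): everything via the XG web proxy except an
// explicit bypass list. proxy.example.internal, the private ranges and all
// hostnames below are assumptions, not values from the thread.

// Offline stand-ins for the PAC runtime helpers. A browser evaluating the PAC
// already defines these as globals; the typeof guard keeps the built-in one.
// The isInNet stand-in only understands dotted-quad literals (the real one
// resolves hostnames first), which is enough for an offline test.
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
var shExpMatch = (typeof shExpMatch === "function") ? shExpMatch :
  function (str, shexp) {
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, pattern, mask) {
    var toInt = function (ip) {
      var parts = ip.split(".");
      if (parts.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
        n = n * 256 + Number(parts[i]);
      }
      return n;
    };
    var h = toInt(host), p = toInt(pattern), m = toInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0); // unsigned 32-bit compare
  };

var PROXY = "PROXY proxy.example.internal:3128"; // assumed XG web proxy listener

// Suffix bypasses. Keep the leading dot: dnsDomainIs() is a plain suffix test,
// so an entry "office365.com" would also bypass "notoffice365.com".
var BYPASS_DOMAINS = [
  ".office.com", ".office365.com", ".webex.com", // assumed stand-ins for the excepted categories
  ".example.internal"                            // assumed internal DNS domain
];
// Wildcard bypasses for hosts that do not share a clean suffix (assumed vendor).
var BYPASS_HOSTS = ["update-*.vendor-example.net"];
// Literal private addresses never leave the LAN (assumed ranges).
var INTERNAL_NETS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  var i;
  for (i = 0; i < INTERNAL_NETS.length; i++)
    if (isInNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
  for (i = 0; i < BYPASS_DOMAINS.length; i++)
    if (dnsDomainIs(host, BYPASS_DOMAINS[i])) return "DIRECT";
  for (i = 0; i < BYPASS_HOSTS.length; i++)
    if (shExpMatch(host, BYPASS_HOSTS[i])) return "DIRECT";
  // No "; DIRECT" after the proxy: a fallback would let clients bypass
  // filtering silently whenever the proxy is down or unreachable.
  return PROXY;
}
```

Node can evaluate the file directly to check a host before the PAC is pushed out, e.g. `node -e 'require("./proxy.pac.js"); console.log(FindProxyForURL("https://x/", "x"))'` after renaming it with a .js extension; in production, serve it as-is with the application/x-ns-proxy-autoconfig MIME type. Whatever lands on the bypass list is traffic the XG never sees, so each entry is a decision to trust that destination, which is the point Ian makes about exceptions below.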



  • Hi,

    I would suspect you have a configuration issue if your exception list is growing? Are you sure it is the web proxy and not ssl/tls scanning (DPI)?

    Ian

  • Ian,

    That's very well possible. We have a number of custom apps that don't respond well to their traffic being proxied, as well as your standard O365, WebEx, etc. traffic that's best not going through one, either. The latter I bypass by category in "Web\Exceptions". I have "Decrypt and scan HTTPS" on for all policies, and the exception list in "Web\Exceptions" configured by address or IP for anything custom. I've got the cert pushed out to all of my machines.

    Of course, I guess I could ask why decrypt HTTPS at all if I'm asking about not using XG, right?

  • Hi,

    the decision is all about security. The level of security is usually a company policy.

    1/. you need to determine which applications need to be decrypted and scanned

    2/. which applications fail scanning and you can manage the risk.

    3/. you probably should look at setting up specific rules for some of the more troublesome applications with their own policies. Some might work with SSL/TLS and others might work with the web proxy.

    In my opinion using the SSL/TLS scanning with exceptions defeats the security purpose of scanning, so you need to work through what you trust and don't trust.

    Ian
