HowTo only allow proxied connections from lan to wan?

Why do you not want to use transparent proxy? 

Hi,

you don’t need the second item.

you will need to set firewall rule that has service as 8080 and enable the proxy by ticking allow all in the web setting. What do you expect port 8080 to connect to i internet? What security settings do you have in place?
ian

This is by company policy. Only correctly configured devices should have access. That's why transparent proxying is a no go.

At the moment I need the second item is needed for my testbed. At the moment all clients have free access and I need to deny access for this client for testing purposes.

That is somehow not reasonable. XG simply do not care, if the connection is 443 or 8080, it will inspect both connection.

Standard Proxy has many disadvantages compared to the DPI Engine. You cannot inspect TLS1.3, have to downgrade to TLS1.2, this opens a new security issue etc. 

"Correctly configured devices". Therefore if i know the proxy, this lifts a device to a correctly configured device? This is security by obscurity and in fact bad practice. 

Here is a screenshot of my settings regarding the client:

Basically I agree with you. I serves only as a basic filter for unknown/unconfigured devices.

I want all devices to connect to the proxy in a defined way and the proxy has to fetch http/https pages for the client. That way I don't have the problem of mitm proxy certificates.

The local traffic is unencrypted but in my use case this is no problem.

You will need a proxy pac to enforce your requirements.

ian

I use wpad to do the auto configuration of my proxy settings and I already have a working wpad.dat/proxy.pac file.

The first entry is meant to allow the clients to access the proxy on the Sohos. It is not meant to access anything on the internet.