HowTo only allow proxied connections from lan to wan?

Hi,

I want to configure my policies in a way that only proxied connections are allowed from lan to wan. I don't want a transparent proxy.

I set up the proxy within my Sophos to accept connections on port 8080 from lan.

I set up a new policy group at the top with two rules:

  1. Allow traffic from lan to Sophos port 8080
  2. Reject all traffic from lan to wan

I set up a browser on my client to use the proxy on port 8080 on the Sophos.

I expected to be able to visit websites. I'm greeted with a webpage from the Sophos proxy stating that the website cannot be reached.

If I add another policy allowing port 80 and 443 from lan to wan (as suggested by the docs) I can reach the websites without using a proxy. I did not find any documentation on how to achieve the wanted outcome.

Does anybody in the community have an idea what I did wrong?

Cheers,

Nicki

  • Why do you not want to use transparent proxy? 


  • This is by company policy. Only correctly configured devices should have access. That's why transparent proxying is a no go.

  • That is somehow not reasonable. XG simply does not care whether the connection is on 443 or 8080; it will inspect both connections.

    Standard Proxy has many disadvantages compared to the DPI Engine. You cannot inspect TLS 1.3 and have to downgrade to TLS 1.2, which opens a new security issue, etc.

    "Correctly configured devices". Therefore if I know the proxy, this lifts a device to a correctly configured device? This is security by obscurity and in fact bad practice.

  • Basically I agree with you. It serves only as a basic filter for unknown/unconfigured devices.

    I want all devices to connect to the proxy in a defined way and the proxy has to fetch http/https pages for the client. That way I don't have the problem of mitm proxy certificates.

    The local traffic is unencrypted but in my use case this is no problem.

  • You will need a proxy pac to enforce your requirements.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I use wpad to do the auto configuration of my proxy settings and I already have a working wpad.dat/proxy.pac file.
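    As an added example (not code from ian's post, Nicki's wpad.dat, or Sophos), a proxy.pac of the kind suggested above: every request that is not for a local destination is sent to the standard proxy on port 8080, and no rule ever returns DIRECT for a WAN host, so a browser that loads this file has no fallback onto the rejected lan-to-wan path. The firewall LAN address 192.0.2.1 and the DNS suffix .example.lan are placeholders to replace with your own.

```javascript
// Added example PAC file for the setup in this thread (placeholder values).
var SOPHOS_PROXY = "PROXY 192.0.2.1:8080"; // firewall LAN address, port 8080
var LOCAL_SUFFIX = ".example.lan";         // internal DNS suffix

// RFC 1918 ranges plus loopback, as [network, mask] pairs.
var LOCAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

// Dotted-quad string to a 32-bit number; -1 when host is not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) { return -1; }
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) { return -1; }
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside LOCAL_NETS. Names are not resolved
// here (a browser's built-in isInNet would); names are judged by suffix below.
function isLocalAddress(host) {
  var h = ipToInt(host);
  if (h < 0) { return false; }
  for (var i = 0; i < LOCAL_NETS.length; i++) {
    var net = ipToInt(LOCAL_NETS[i][0]);
    var mask = ipToInt(LOCAL_NETS[i][1]);
    if (((h & mask) >>> 0) === ((net & mask) >>> 0)) { return true; }
  }
  return false;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Bare hostnames, localhost, the internal suffix and private IPs stay on the LAN.
  if (h.indexOf(".") === -1 || h === "localhost") { return "DIRECT"; }
  if (h.length > LOCAL_SUFFIX.length &&
      h.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) { return "DIRECT"; }
  if (isLocalAddress(h)) { return "DIRECT"; }
  // Everything else goes through the Sophos proxy only; no DIRECT fallback.
  return SOPHOS_PROXY;
}
```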

  • You can handle Decryption on a profile level in DPI as well without the separation.

    Currently I do not see any use case of using a Standard proxy mode only.

    It is currently not possible in XG to build such a deployment and I do not get any use case scenario, why somebody would do this.

    The transparent mode (standard + transparent) in DPI is the better approach with more advantages compared to a standard proxy mode only. 


  • I tried to establish a configuration with DPI and transparent mode. I can surf the web just fine, no issues there, but when I try to download malware (like e.g. the EICAR test file from https://secure.eicar.org/eicar.com) it does not get blocked even though the settings seem to be just right:

    (Screenshots of the Rule, Details and Web policy were attached to the post but are not included here.)

  • Check the certificate of the website: Is it the CA of Sophos? 

    If not, you are not doing DPI inspection. 
