
Upstream proxy questions

I only found some 2-4-year-old threads regarding the upstream proxy topic.

Tomorrow, we are going to deploy a Sophos XG cluster at a remote site behind some other corporate firewalls. The only way to the internet is by using a proxy server (on the XG's WAN side). Does the "upstream proxy" cover the XG's own (XG to WAN) requests (licensing, firmware, pattern) or is it only intended to be used as a "forwarder" for the web filter?

I only found some "maybes" and "as far as I remember"s here on that topic. In the official documentation it seems to me that only the proxied (via the XG's web filter) traffic is forwarded to the upstream proxy but not the "self-generated traffic":

  • When an upstream proxy is deployed on the internet, you must configure Sophos Firewall as a proxy server for the LAN users.
  • Sophos Firewall routes all outbound requests through the upstream proxy.

Can anyone give me some clarity here?

  • Is the upstream proxy also used by the XG firewall itself?
  • Does it make a difference which proxy mode is used (DPI engine vs. web proxy)?
  • And is the central firewall management able to reach the XG in that type of scenario?

  • We are using the Upstream Proxy for every service and Web traffic.

    BTW: Please note: DPI Engine (TLS Encryption) does not support Upstream Proxy - this kind of implementation cannot be installed.

  • The firewall is now integrated.

    The systems "behind" the Sophos can communicate to the internet by using the upstream proxy's IP+port in system settings. If I enable "upstream proxy" on the XG, it can't synchronize its license, can't search for updates. The IT staff onsite temporarily allowed https outgoing so I was able to at least sync the license.

    Which logfiles could I check regarding the upstream proxy communication?

    Edit: the XG is using MASQ for outgoing traffic, so the internal networks are not known to the upstream proxy and are using the XG's WAN IP there, too. So it is no IP issue on the upstream proxy. Could the port (8002) maybe be a problem?
