force traffic over webfilter process question, (simple I hope)

Ok so we have a client that has a Barracuda 210 and they want all traffic to filter through it regardless of how it connects. I created the DHCP option and published a WPAD.dat but that is not working and Barracuda is not very helpful. I was having a conversation with a senior engineer who suggested I can route traffic to it and allow only traffic from the filter out of the firewall. I'm not sure if that is possible. I was going to suggest simply putting the filter inline and physically connecting the switch to the filter, and the filter would connect to the firewall, but Barracuda, being the great product that it is, has already shown to have issues after losing power. So we don't want the entire network dependent on that device.

 

With all that being said, can I create a rule that says all outbound traffic from IP 192.168.0.20-254 goes to 192.168.0.3 and all other traffic is allowed out? That way, if there is an issue, we can turn the rule off remotely.



  • Matt,

    In order to get your Web Filter working for your users, you need to configure your computers to use it explicitly (proxy settings in browsers), so computers redirect their web traffic to it.

    On the XG side, you have to create a firewall rule that allows http/https traffic only from the web filter to the internet. For other traffic, like email, ftp, etc., your computers will use their default gateway, which I guess is the XG, so open the required ports for internal devices (not http and https).

    That's all.

  • That works and I can do that with GPOs; however, they want ALL traffic, guest traffic included, to go out through the filter. That solution is only viable for systems that I can touch, which is why I would like to use the firewall to bounce all 80 and 443 traffic trying to leave back into the filter and only allow filtered traffic out. The reasoning is we can change the rule if something breaks and do not need to send someone on site to change the configuration. I was trying to do the DNS WPAD route and I got it working so it will hand out the proxy info, but nothing is using it and so I am looking at other routes.

  • Hi Matt,

    You may opt for DNS failover between your Web Filter and XG appliance. So if by chance your Mail server would fail, then the health check would also fail and switch to XG. For this you may need to use a domain name that would link to your Web server as a Primary and XG as a Secondary.

    Make sure that the listening port is the same. I am not sure that you could do this in Domain, but here is a third-party application for the same.
    http://simplefailover.com/?source=gaw

  • It sounds like you have two problems. It's better to tackle them separately.

    1) Configuring that Web traffic goes through the SFOS

    2) Enforcing that Web traffic cannot go out of your network any other way

    2) requires some network setup and is mostly firewall work.

    1) Rather than using a GPO push, using WPAD is probably better. Any browser that is configured to "automatically detect settings" should get the WPAD and use it. If WPAD is not working, the first step is to determine if the browser is actually getting the file or not. It would be useful to wireshark from the client to see if it retrieves the file. If it does but still does not work, then look to see if the file is written correctly.
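A wpad.dat for the setup described in this thread, as an added example that is not from the original posts, Barracuda or Sophos: it sends Internet-bound web traffic to the filter at 192.168.0.3 (the address from the question) and assumes the filter listens as an explicit proxy on port 3128 (an assumption, check it on the device). It also carries small stand-ins for the PAC built-ins so the file can be executed with node outside a browser, which is a quick way to do the "is the file written correctly" check above.

```javascript
// wpad.dat: proxy auto-config (PAC) script. The filter address comes from the
// question; the proxy port 3128 is an ASSUMPTION and must match the filter.
const FILTER_PROXY = "PROXY 192.168.0.3:3128";

// Stand-ins for the PAC helper functions that browsers provide. They are only
// defined when the built-ins are absent (i.e. when run with node for testing),
// so a browser's own implementations are never overridden.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => !host.includes(".");
  const toInt = (ip) => ip.split(".").reduce((a, o) => a * 256 + Number(o), 0);
  // Literal-IP-only version of isInNet (the real one also resolves names).
  globalThis.isInNet = (ip, net, mask) =>
    (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Intranet names, localhost and the local 192.168.0.0/24 subnet stay DIRECT;
  // only Internet-bound traffic should pass through the filter.
  if (host === "localhost" || isPlainHostName(host)) return "DIRECT";
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.255.0"))) {
    return "DIRECT";
  }
  // Everything else (http and https alike) goes to the filter. The trailing
  // DIRECT is a deliberate fallback: if the filter is down, browsers try to go
  // straight out, and the XG rule discussed in the thread decides whether that
  // is allowed, which keeps the "turn the rule off remotely" option workable.
  return FILTER_PROXY + "; DIRECT";
}

// Constructed self-check: expected route for a few representative requests.
// Returns the list of mismatches, so an empty array means the file behaves.
function selfTest() {
  const cases = [
    ["http://www.example.com/", "www.example.com", FILTER_PROXY + "; DIRECT"],
    ["https://8.8.8.8/", "8.8.8.8", FILTER_PROXY + "; DIRECT"],
    ["http://fileserver/share", "fileserver", "DIRECT"],
    ["https://192.168.0.10/admin", "192.168.0.10", "DIRECT"],
    ["http://localhost:8080/", "localhost", "DIRECT"],
  ];
  return cases
    .filter(([url, host, want]) => FindProxyForURL(url, host) !== want)
    .map(([url]) => url);
}
```

Serve the file as http://wpad.<your-domain>/wpad.dat with Content-Type application/x-ns-proxy-autoconfig, which is what browsers set to "automatically detect settings" request. Running `node wpad.dat` followed by a call to selfTest() should return an empty array before the file is published.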