
Direct Proxy Mode

 Hi everyone. 

 

In UTM 9, there was a way to set the web proxy to direct proxy mode, where clients would need to be configured explicitly. I understand that XG does not have this setting, and requires this to be handled in firewall rules. 

 

My question is, how is it possible to set up a client where I want to, say, have only the Firefox browser connect through the web proxy (via the manual settings in Firefox), and the OS not connect through the web proxy? This was possible by simply setting the UTM 9 to direct mode instead of transparent mode. In the XG firewall rules, it appears that for the clients, it's all or nothing, since the firewall rules dictate how traffic is routed by IP address or port or user, for the entire device. 

 

Is there some way I can have JUST the web browsers on various devices pass through the proxy and the general OS not pass through it? Android devices have issues with HTTPS scanning for some apps, but the web browser is fine. I am looking for a way to separate them.


Thanks in advance.



This thread was automatically locked due to age.
  • Hi,

    Your proxy rule will need to be changed to allow only HTTP and HTTPS through. Then another rule under the proxy rule for all other traffic without HTTP or HTTPS scanning, no web or application rules.

    Ian

  • Hi,

     

    Thanks for your reply. I had tried that and unfortunately it captures other traffic that uses HTTP or HTTPS. For example, Android phones for whatever reason will not work properly going through the proxy. The browser on Android, specifically, will work fine. 

     

    I think I may have found a solution. Setting up a rule that allows ONLY port 3128 (the default proxy port) seems to be working. Anything that is set up to use the proxy goes through that rule and anything else bypasses it. 


    Does this make sense? It seems to be working. Are HTTP and HTTPS somehow encapsulated into port 3128 when using the proxy? 

  • Hi Max,

    Port 3128 only works as a proxy if you have configured all your devices to use it; otherwise the proxy is in transparent mode. The problem you have in setting the proxy on devices is when they are out in the wild, they don't use a proxy. You shouldn't need a rule for the proxy port; that basically means you are bypassing the proxy, depending on where your rule is in the hierarchy.

    My Android tablet uses the web proxy as long as you have application scanning set to allow all. I do use clientless with static DHCP managed IP addresses to ensure the correct devices use the correct firewall rules.

    Ian
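
On the question raised above of whether HTTP and HTTPS are "encapsulated" into port 3128: the following is an added illustration, not part of the thread and not Sophos code. It builds the first bytes a proxy-configured client writes to the proxy port (an absolute-URI request for HTTP, a `CONNECT` tunnel request for HTTPS) and classifies a stream start as explicit-proxy or direct traffic. The host name `example.com` and all function names are constructed for the example.

```python
# Added example: explicit-proxy requests versus direct requests, as seen on the wire.
from urllib.parse import urlsplit

def explicit_proxy_request(url: str) -> bytes:
    """First bytes a proxy-aware client sends to the proxy's TCP port (e.g. 3128)."""
    u = urlsplit(url)
    if u.scheme == "https":
        port = u.port or 443
        # HTTPS: ask the proxy to open a tunnel; the TLS session then runs inside it.
        return (f"CONNECT {u.hostname}:{port} HTTP/1.1\r\n"
                f"Host: {u.hostname}:{port}\r\n\r\n").encode()
    # HTTP: the request target is the full URL (absolute-form), not just the path.
    return f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode()

def direct_request(url: str) -> bytes:
    """What a client with no proxy setting sends straight to the origin (plain HTTP)."""
    u = urlsplit(url)
    return f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode()

def classify(first_bytes: bytes) -> str:
    """Classify the start of a TCP stream by its first line or first byte."""
    if first_bytes[:1] == b"\x16":  # TLS handshake record: direct HTTPS, no proxy
        return "direct-tls"
    line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "not-http"
    method, target, _version = parts
    if method == "CONNECT":
        return "explicit-proxy-tunnel"
    if target.lower().startswith(("http://", "https://")):
        return "explicit-proxy-http"
    return "direct-http"

if __name__ == "__main__":
    # Constructed sample streams.
    samples = [
        explicit_proxy_request("http://example.com/index.html"),
        explicit_proxy_request("https://example.com/"),
        direct_request("http://example.com/index.html"),
        b"\x16\x03\x01\x02\x00",  # start of a TLS ClientHello record
    ]
    for s in samples:
        print(classify(s), repr(s[:40]))
```

Only the first two samples are ever addressed to the proxy port; the other two go to ports 80 and 443 on the destination itself, so a rule matching only port 3128 never sees them.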
