
Direct Proxy Mode

Hi everyone.

In UTM 9, there was a way to set the web proxy to direct proxy mode, where clients would need to be configured explicitly. I understand that XG does not have this setting, and requires this to be handled in firewall rules. 

 

My question is, how is it possible to set up a client where I want to, say, have only the Firefox browser connect through the web proxy (via the manual settings in Firefox), and the OS not connect through the web proxy? This was possible by simply setting the UTM 9 to direct mode instead of transparent mode. In the XG firewall rules, it appears that for the clients it's all or nothing, since the firewall rules dictate how traffic is routed by IP address or port or user, for the entire device.

Is there some way I can have JUST the web browsers on various devices pass through the proxy and the general OS not pass through it? Android devices have issues with HTTPS scanning for some apps, but the web browser is fine. I am looking for a way to separate them.


Thanks in advance.



  • Hi,

    Your proxy rule will need to be changed to allow only http and https through. Then another rule under the proxy rule to allow all other traffic without http or https scanning, and no web or application rules.

    Ian

  • Hi,

    Thanks for your reply. I had tried that and unfortunately it captures other traffic that uses http or https. For example, Android phones for whatever reason will not work properly going through the proxy. The browser on Android specifically will work fine.

    I think I may have found a solution. Setting up a rule that allows ONLY port 3128 (the default proxy port) seems to be working. Anything that is set up to use the proxy goes through that rule and anything else bypasses it.

    Does this make sense? It seems to be working. Are http and https somehow encapsulated into port 3128 when using the proxy?

  • Hi Max,

    Port 3128 only works as a proxy if you have configured all your devices to use it; otherwise the proxy is in transparent mode. The problem you have in setting the proxy on devices is when they are out in the wild, they don't use a proxy. You shouldn't need a rule for the proxy port; that basically means you are bypassing the proxy, depending on where your rule is in the hierarchy.

    My Android tablet uses the web proxy as long as you have application scanning set to allow all. I do use clientless with static DHCP managed IP addresses to ensure the correct devices use the correct firewall rules.

    Ian

  • Max,

    did you have a look at this kb?

    https://community.sophos.com/kb/en-us/125585

    80,443 and 3128 are required in the Firewall rule.

    Regards

  • Hi guys. Thanks again for the responses.

    I did have a look at that KB article. The one thing that is confusing me is that if I have a rule that contains both ports 80 and 443, doesn't this become a transparent proxy instead of a direct proxy? If I have a rule that has 80, 443, and 3128, the firewall matches http and https traffic even from clients that do not have browsers configured (manually in browser settings) to use the proxy.

    Right now I have a rule, 2nd from the bottom, which accepts only port 3128. So, any client configured to use the proxy on port 3128 matches that rule. Any client that doesn't have the proxy configured skips that rule and goes on to the last/bottom rule, which allows all traffic (and does not scan https). This seems to be working. For example, on Windows 10 I can have Firefox only using the proxy (matching the 2nd rule from the bottom), and the rest of the OS (Outlook, etc.) matching the bottom rule (no https scanning).

    Ian's point regarding the Android devices being out in the wild without the proxy makes sense. There may not be much benefit jumping through hoops to scan https on Android devices.

    So I guess to summarize my point, the KB article directions seem to create a transparent proxy rather than a direct proxy (one that requires client configuration).
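The rule-ordering reasoning in the post above can be checked with a small first-match model. This is an added example and not code from the thread or from any Sophos product: it is a simplified top-down, first-match evaluator that matches on destination port only, and the rule names, actions and sample flows are constructed. It shows why a proxy rule that lists only 3128 behaves like a direct proxy (only clients explicitly configured for the proxy are scanned), why adding 80/443 to that rule turns it into a transparent proxy for every client, and why the same rule placed below the catch-all rule scans nothing.

```python
"""First-match firewall rule model for direct vs transparent proxy behaviour.

Added example, not from the Sophos thread or any Sophos product. Real XG
policies also match on source zone, user and schedule; this model keeps only
the destination-port part that the ordering argument depends on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dst_ports: frozenset  # empty frozenset means "any destination port"
    action: str           # "proxy_scan" (web proxy + HTTPS scanning) or "allow_no_scan"

    def matches(self, flow):
        return not self.dst_ports or flow.dst_port in self.dst_ports


@dataclass(frozen=True)
class Flow:
    client: str
    app: str
    dst_port: int  # 3128 when the app is configured to use the proxy, else real port


def evaluate(rules, flow):
    """Walk the rule table top-down and return (rule name, action) of the first match."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "implicit_drop", "drop"  # assumption: no rule matched -> dropped


# Rule set from the post: proxy rule catches only the explicit proxy port (direct proxy).
DIRECT_RULES = [
    Rule("proxy-3128-only", frozenset({3128}), "proxy_scan"),
    Rule("catch-all", frozenset(), "allow_no_scan"),
]

# KB-style rule set: proxy rule catches 80/443 as well (hybrid / transparent).
HYBRID_RULES = [
    Rule("proxy-80-443-3128", frozenset({80, 443, 3128}), "proxy_scan"),
    Rule("catch-all", frozenset(), "allow_no_scan"),
]

# Constructed sample flows: two clients, each with one proxy-aware app and one that is not.
SAMPLE_FLOWS = [
    Flow("win10", "firefox(proxy configured)", 3128),
    Flow("win10", "outlook", 443),
    Flow("android", "browser(proxy configured)", 3128),
    Flow("android", "app-without-proxy", 443),
]


def classify(rules, flows):
    """Map each (client, app) to the action it receives under this rule table."""
    return {(f.client, f.app): evaluate(rules, f)[1] for f in flows}


def scanned_apps(rules, flows):
    """Sorted list of (client, app) pairs that end up HTTPS-scanned by the proxy rule."""
    return sorted(key for key, action in classify(rules, flows).items()
                  if action == "proxy_scan")


if __name__ == "__main__":
    print("direct :", scanned_apps(DIRECT_RULES, SAMPLE_FLOWS))
    print("hybrid :", scanned_apps(HYBRID_RULES, SAMPLE_FLOWS))
    # Same direct rules, but the catch-all sits above the proxy rule: nothing is scanned.
    print("shadowed:", scanned_apps(list(reversed(DIRECT_RULES)), SAMPLE_FLOWS))
```

Under `DIRECT_RULES` only the two proxy-configured apps are scanned; under `HYBRID_RULES` all four flows hit the proxy rule, which is the transparent behaviour the post describes; with the order reversed the catch-all shadows the proxy rule entirely, which is Ian's "depending on where your rule is in the hierarchy" caveat. The model deliberately ignores the fact that a device taken off the network uses no proxy at all, so it says nothing about roaming clients.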

  • Hi,

    You are correct on certain points.

    It's possible to build up a direct proxy policy like in UTM with only 3128. And you can also build a hybrid proxy with 3128/443/80.

    But it can get a little bit messy if you don't use 443/80 in this policy, because other policies with 443/80 can affect the outbound connection. That is the reason for using 443/80 in the KBA.

    To be honest, on UTM the transparent proxy also picks up 3128 / 8080.

    On XG, there shouldn't be the limitation of the transparent proxy like on UTM. https://community.sophos.com/kb/en-us/120666

    Cheers
