The Web Protection – Per-connection authentication Feature??

You cannot implement this kind of technique in the DPI Engine. DPI Engine works on the tcp/udp stream, Proxy (Auth with this kind of technique) is based on a Proxy. 

You cannot implement this kind of technique in the DPI Engine. DPI Engine works on the tcp/udp stream, Proxy (Auth with this kind of technique) is based on a Proxy. 

thanks, for that I assume you were thinking of this addition: -

Add X-Forwarded-For header to outgoing HTTP requests

This feature does mention it's for upstream proxy use.

What about this addition: -

Apply Microsoft Azure AD tenant restrictions

This was the feature I was thinking of which I should have mentioned above soz??  Wanted to see how this worked but being proxy only and not DPI I would need to clone or alter existing rules as nowadays I tend to use DPI only and very rarely use the older web proxy.

Those features are also bound to the legacy proxy. DPI does not work that way anymore, you cannot do this in a stream. 

Surely the web protection - Enforce Tenant Restrictions for O365 would also be beneficial on non-Legacy Web protection filters, especially seeing how Microsoft 365 / Azure traffic benefit's going through the DPI engine now??  I do not have enough knowledge of the packet flow through Sophos Firewall OS to have any say on this subject but surely at some point in time in the future the Legacy Web Proxy will be EOL right??  So, my point being will these Web Protection changes be applied to the DPI engine Web Protection at any time soon I.E. is this on the roadmap??

Going to try these Enforce Tenant Restrictions for O365 changes soon anyway it's just a pain having to create or modify Firewall rules to run with the Legacy Web proxy too??

But many thanks for your reply, its much appreciated as always!!!

Thanks

JK

There is no plan to EOL the web proxy.  v19 includes development of new features only available in the web proxy.


The DPI mode is "deep packet inspection" - it has the ability to watch traffic but if there is any attempt to modify traffic then then client/server detects it and complains.  DPI mode cannot add headers because that would change the size of the tcp/ip packet.

The traditional web proxy, on he other hand, has full ability to modify the traffic in flight, including changing headers.

The Tenant Restrictions for O365 is a feature provided by Microsoft that requires the XG to add a header to all requests.  Therefore it can only be done by the web proxy.


All web features within the XG that are available only by the web proxy are marked as such.  Those features cannot be supported in DPI due to technical limitations, not because we have not bothered to.