Sophos UTM 9.4 question

Want to better understand Standard vs. Transparent mode.

In particular, I am informed via support calls that to have reporting identify the user ID (rather than the proxy address itself or device names) it is a requirement to be running in Transparent mode with the AD SSO operating mode.

But Standard mode also has AD SSO operating mode as an option, so what is it about Transparent mode that makes the difference?

  • Hi Stephen.

    AFAIK, transparent mode captures HTTP and HTTPS packets and diverts them to the proxy automatically. In Standard mode you need to tell your endpoint to connect through a proxy by using wpad.dat (automatic proxy configuration) or a manual proxy configuration; otherwise machines will not "know" they need to authenticate to a proxy and will fall into the default web protection policy.

    Back in the day, transparent proxy was only available with Browser or Agent authentication due to the way endpoints handle proxy authentication, so the only way to have AD SSO was to use Standard mode. Sophos then introduced Transparent AD SSO as a way to have the best of both worlds: a proxy on which no endpoint configuration is required AND which works with AD SSO. It has some caveats during setup, but once it's working, it's beautiful.

    As for your question, both modes will provide you with Web Protection reporting with usernames instead of IP addresses. If you manage to set up Transparent AD SSO, I'd stick with that. It's a bit tougher to get it working, but it will save you a lot of issues and effort in the future.

    If you are looking for a layer 8 experience, you should check STAS: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/STAS_manual-en.pdf?la=en. I'm still testing it in my lab and it still has some issues but, in the long run, it should make any sysadmin's life a lot easier. In a nutshell, with STAS you would not need to worry about authentication anymore, since it would authenticate users using their logon information on the Domain Controller AND you would be able to create firewall, QoS and application control rules based on usernames instead of IPs, as the agent would also match usernames to their endpoint IP addresses.

    Regards - Giovani
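As an added example that is not part of the thread or of Sophos' documentation, this is the kind of wpad.dat (PAC) file the reply refers to for Standard mode, where the endpoint has to be told about the proxy. It assumes the UTM is reachable as utm.example.local on port 8080 (the Standard-mode default) and that the AD domain is corp.example.local; browsers supply the PAC helper functions themselves, so the re-implementations below exist only to run the file in Node.js.

```javascript
// Added example, not from the thread: a minimal wpad.dat / PAC file pointing
// browsers at a Sophos UTM that runs Web Protection in Standard mode.
// Assumed values: UTM reachable as utm.example.local on port 8080 (the
// Standard-mode default) and an AD domain named corp.example.local.
// Browsers provide isPlainHostName/dnsDomainIs/isInNet natively; they are
// re-implemented here only so the file can be exercised with plain Node.js.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
// Parse a dotted-quad IPv4 literal; returns null for anything else.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
// True when host is an IPv4 literal inside pattern/mask (no DNS lookup).
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m);
}
function FindProxyForURL(url, host) {
  // Single-label intranet names and hosts in the AD domain bypass the proxy,
  // so traffic to the domain controllers themselves is not proxied.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.local")) {
    return "DIRECT";
  }
  // RFC 1918 addresses are local and also go direct.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else must use the UTM. No "; DIRECT" fallback: if the proxy
  // is unreachable the browser fails closed rather than silently bypassing
  // filtering and per-user reporting.
  return "PROXY utm.example.local:8080";
}
```

Machines that never receive this file (or a manual proxy setting) are exactly the ones the reply describes as falling into the default web protection policy, so the WPAD DNS/DHCP distribution needs the same care as the UTM configuration itself.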
