How do I set http proxy settings in the client config file prior to user install?

Hi All,

I'm using a Sophos UTM 9 [fw v9.352-6]. 

We have a DMZ proxy that we'd like our SSL-VPN pool of IP addresses to use in a closed SSL-VPN tunnel setup. I've successfully tested the closed tunnel and verified routing works as intended, but our DMZ firewall only accepts outbound connections from our DMZ proxy IP address.

I see in the OpenVPN wiki you can set a parameter called "http-proxy" in the config file, which appears to set the proxy settings once the VPN tunnel is established.

I also found the client config file template the packages use [/var/sec/chroot-openvpn/etc/openvpn/client/config-default]. In that file, I see a variable for "[<HTTP_PROXY>]" which probably references what you would normally set in the Network Protection > Advanced > Generic Proxy area. However, I'd like to set that parameter to use a different proxy instead of the Sophos itself. 

My question is, if I do this, would my goal work as intended?

Thank you,

Matthew

  • By closed tunnel, do you mean a Full Tunnel (all traffic from the client must go through the UTM)?

    Firstly, to let you know, modifications done at the backend are unsupported and will void your support if you have a paid license.

    That being said, it might work. Depends if configuration changes to the OpenVPN server config need to be made as well. If we're good there, then you may need to create a policy route for the traffic to the proxy server. May also need natting, depending on your network configuration.

    Another option would be to use the UTM Web Proxy with the VPN clients having their own Profile and setting parent proxy in the Filter Action used.

    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Hi Scott,

    Thanks for your response. I did read that backend mods would void any support, but thank you for the reminder.

    And yes, by closed tunnel I mean full tunnel. I was able to achieve success with the full tunnel setup to include the routing to have the packets flow as intended, but the challenge I'm now facing is how to direct VPN user traffic to a non-Sophos proxy in the most automated way possible.

    I was successful in being able to proxy myself explicitly, but the proxy in this scenario is positioned out-of-path, so the only mechanisms I can think to direct traffic over to it without modifying the OpenVPN client config would be: (1) PAC file, (2) manual user configuration, or (3) a policy-based route provisioned by the UTM.

    I know this is in unsupported territory and theory-based discussion, so thank you for engaging in the discussion. I'd be interested if you have further thoughts on this front.

    Kind Regards,

    Matthew
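    The PAC-file route, option (1) above, as an added example that is not part of the thread: browsers whose address falls in the SSL-VPN pool are sent to the DMZ proxy, everything else goes direct. The pool (10.242.2.0/24, the UTM default "VPN Pool (SSL)"), the proxy name and the UTM hostname are assumed placeholders.

```javascript
// Added example, not from the thread: a PAC file for option (1).
var VPN_POOL = "10.242.2.0";            // assumed: UTM default "VPN Pool (SSL)"
var VPN_POOL_MASK = "255.255.255.0";
var DMZ_PROXY = "PROXY dmz-proxy.example.net:3128"; // placeholder DMZ proxy
var NO_PROXY_HOSTS = ["utm.example.net"];           // placeholder: UTM itself, reached directly

// Parse a dotted quad into a 32-bit number; -1 for malformed input.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Same semantics as the PAC built-in isInNet(), implemented here so the
// decision logic can be exercised outside a browser.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Decision logic, separated from FindProxyForURL so it can be tested with an
// explicit client address.
function chooseProxy(url, host, clientIp) {
  // Plain hostnames and loopback never leave the client.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") return "DIRECT";
  for (var i = 0; i < NO_PROXY_HOSTS.length; i++) {
    if (host === NO_PROXY_HOSTS[i]) return "DIRECT";
  }
  if (inNet(clientIp, VPN_POOL, VPN_POOL_MASK)) {
    // No "; DIRECT" fallback: with a full tunnel the DMZ firewall drops
    // non-proxy traffic anyway, so a proxy failure should be visible, not silent.
    return DMZ_PROXY;
  }
  return "DIRECT";
}

// Entry point the browser calls. myIpAddress() is a PAC built-in that returns
// the host's primary address; with a full tunnel that is usually, but not on
// every platform, the VPN adapter's address, so verify on the clients in use.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```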
  • Hi, Matthew, and welcome to the UTM Community!

    Your topology is not clear to me. Does the UTM have a direct connection into the DMZ with the DMZ firewall supplying the DMZ's connection to the Internet, or is the DMZ firewall between the UTM and the DMZ?

    Assuming that it's the former (a direct connection), the easiest would be Scott's suggestion to use a UTM Web Filter Profile with "VPN Pool (SSL)" alone in 'Allowed Networks' and a Filter Action that uses a Parent Proxy with * (all) in 'Use Proxy for These Hosts' sending the traffic to your DMZ proxy.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA