
7.50X HTTP proxy blocking traffic

Hello,

I just want to try using the Web proxy from an external (public) address. Here's the setup:

Client (public IP) ---TCP 22---> External Astaro IP ---> NAT to Internal Astaro IP (TCP 8080).

The proxy configured on the client is the external Astaro IP, port 22.

I get the following message on the client:

"Astaro Security Gateway Version 7
An error occurred while handling your request
While trying to retrieve the URL: http://www.google.be/
Error message: Received invalid request from client
Your cache administrator is:
admin@localhost

Powered by Astaro"

And in the Astaro web proxy log:
2009:10:29-08:26:30 astaro httpproxy[4217]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="PUBLIC IP" user="" statuscode="400" cached="0" profile=" ()" filteraction=" ()" size="2185" time="0 ms" request="0x808a098" url="www.google.be/" exceptions="" error=""

Any idea what happens?

Kind regards,
Thibault


  • Have you added the public IP of the external client to the list of 'Allowed networks' in the HTTP/S Proxy?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I did it!

    KR,
    Thibault
  • This is an interesting experiment!

    I think a VPN approach would be the "standard" way to channel a remote user through the Astaro HTTP Proxy, but it seems like your idea should work.

    I haven't tried it, but if the Proxy is in Transparent mode, try leaving only "Internal (Network)" in 'Allowed networks', then change the NAT to '[Remote IP] -> [port 22] -> External (Address) : SNAT HTTP from Internal (Address)'.  The Intrusion Prevention System might complain about that, so you might need to disable a rule or add an exception.
     
  • Hello,
    I don't want to use a VPN because I don't want to have a connection open all the time just for using the proxy. BTW, the proxy mode is "basic with authentication" and the IPS is not enabled. Oh yeah, that setup worked with pfsense configured the same way...

    Why do you think SNAT should work?

    KR,
    Thibault
  • SNAT might work in transparent mode because the Proxy captures port 80 traffic.  Like I said, it's an experiment.  I wouldn't recommend anything other than 'Remote Access' because I don't like to open inbound ports.

    Cheers - Bob
     