
WS500 explicit to transparent

Hi folks,

I am pondering going to transparent mode for my deployment despite the fact that explicit works so well.  The problem I have is guest internet use on site and an ever-increasing population of iPhones/iPads/Android devices etc.  With the non-PC devices it's getting harder and harder to manage auto-configuration of internet access.

We are only an SME and the router/firewall we have (Draytek 2820) doesn't support forwarding port 80 traffic internally.

Does anyone have any thoughts on deployment? I feel transparent is the most appealing at the moment.

Plus some recommendations on a suitable router/firewall for transparent mode would be brilliant.

Hope you can all offer some assistance.

Thanks,

Nik

  • Hi Nik,

    It sounds like transparent would be a good bet if you want to make sure these devices are filtered.  Nowadays there aren't that many drawbacks to Transparent mode.  The main considerations are:

    - Individual user opt-out is harder to configure if you want to completely bypass the proxy.  This would need to be done on the router

    - Individual website opt-out is harder to configure if you want to completely bypass the proxy.  This would need to be done on the router

    - You can't use "Authenticate all requests" so some caching of Authentication is done.  This shouldn't be a concern unless you are using computers with multiple logged on users such as Citrix/Terminal servers

    - It may not be possible to configure load-balancing or failover unless you have a separate load balancing solution (like WCCP).

    I'm sure others will be able to help suggest which routers they use.  When choosing you might want to take the above into account.

    If your appliance has a bridge card you could also think about bridged mode.  This operates much the same as transparent but you wouldn't need to configure the Router.

    Thanks,

    Tom.

  • Thanks for the reply Tom. I actually now have a spare WS500 so might be able to use one in explicit and one in transparent? Just a thought.

    Router / Firewall suggestion is now the only tricky bit. I have a network specialist from my supplier calling tomorrow so hopefully I'll get a good pointer. I will post back when I have more info.

    Nik
  • I can't really help with specific router recommendations, but the router needs to be capable of policy routing.  You could consider our own Astaro Security Gateway (a Sophos company).  The screenshots here show how you can easily set up a policy routing rule:

    http://www.sophos.com/en-us/support/knowledgebase/114061.aspx

    Depending on what your goals are you could have 1xTransparent Appliance and 1xExplicit (The explicit appliance should be exempt from the policy routing rule).  This would allow you to use the explicit appliance as a backup if necessary, or to run some specific traffic therefore reducing load on the transparent device.

    Note that a Web Appliance in transparent mode can still be used explicitly if you need to.  E.g. you can still put HOSTNAME:8080 in your proxy settings and it works fine.

    Best of luck picking out hardware - hopefully others on the forum can give some pointers too!

    Tom.

  • This is how we have it set up in our organization. I have two WS1100s set up using transparent mode (WCCP) for filtering our workstations and other standalone devices on the network. I also have a VM web appliance that I use as an explicit proxy for our Citrix environment. To avoid double filtering and other unknown issues, we bypass the VM appliance from being redirected through WCCP.

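As an added illustration of the policy-routing rule Tom describes (redirect LAN port-80 traffic to the transparent appliance, but exempt the explicit appliance, just as the WCCP setup in the last reply bypasses its VM appliance), here is what that looks like on a Linux box acting as the router. This is example code written for this page, not a Sophos or Draytek configuration; the interface name, addresses and the opt-out host are constructed placeholders, and the appliance itself is assumed to be in transparent mode so it accepts traffic not addressed to it.

```shell
#!/bin/sh
# Constructed example addresses; replace with your own.
LAN_IF=eth1                      # router interface facing the LAN
LAN_NET=192.168.1.0/24           # clients to be filtered transparently
TRANSPARENT_PROXY=192.168.1.10   # web appliance in transparent mode
EXPLICIT_PROXY=192.168.1.11      # web appliance in explicit mode (HOSTNAME:8080)
OPT_OUT_HOSTS="192.168.1.50"     # per-user bypass list, space separated
TABLE_ID=100                     # policy routing table for marked traffic
MARK=0x1

# Emit the iptables/ip commands that divert LAN port-80 traffic to the
# transparent appliance.  Both appliances are exempted first so their own
# upstream fetches are never looped back through the redirect, and the
# opt-out hosts are exempted the same way (the "done on the router" case).
policy_route_rules() {
  printf 'iptables -t mangle -N WEBPROXY 2>/dev/null || iptables -t mangle -F WEBPROXY\n'
  printf 'iptables -t mangle -A WEBPROXY -s %s -j RETURN\n' "$TRANSPARENT_PROXY"
  printf 'iptables -t mangle -A WEBPROXY -s %s -j RETURN\n' "$EXPLICIT_PROXY"
  for h in $OPT_OUT_HOSTS; do
    printf 'iptables -t mangle -A WEBPROXY -s %s -j RETURN\n' "$h"
  done
  # Only plain HTTP is marked; everything else follows the normal route.
  printf 'iptables -t mangle -A WEBPROXY -p tcp --dport 80 -j MARK --set-mark %s\n' "$MARK"
  printf 'iptables -t mangle -D PREROUTING -i %s -s %s -j WEBPROXY 2>/dev/null\n' "$LAN_IF" "$LAN_NET"
  printf 'iptables -t mangle -A PREROUTING -i %s -s %s -j WEBPROXY\n' "$LAN_IF" "$LAN_NET"
  # Marked packets consult table 100, whose default route is the appliance.
  printf 'ip rule del fwmark %s table %s 2>/dev/null\n' "$MARK" "$TABLE_ID"
  printf 'ip rule add fwmark %s table %s\n' "$MARK" "$TABLE_ID"
  printf 'ip route replace default via %s table %s\n' "$TRANSPARENT_PROXY" "$TABLE_ID"
}

# Number of exemption rules in the generated set: a quick sanity check that
# both appliances and every opt-out host really bypass the redirect.
exemption_count() {
  policy_route_rules | grep -c -- '-j RETURN'
}

if [ "${1:-}" = "--apply" ]; then
  policy_route_rules | sh   # run as root on the Linux router
else
  policy_route_rules        # default: just print the commands for review
fi
```

Run without arguments to review the generated commands; `--apply` executes them, and because the rules are added with delete-then-add they can be re-applied safely after changing the opt-out list.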