How to connect to a parent proxy

You can connect Sophos XG Firewall to a parent proxy.

Introduction

In this workflow, the web traffic from your XG Firewall is redirected to an upstream device.

There are two methods for parent proxy deployment, one with the parent proxy deployed on the internet and the other with the parent proxy on the internal network. These are both covered in this workflow. Follow the instructions for the method that matches your deployment.

Connect to a parent proxy on the internet

When an upstream proxy is deployed on the internet, you must configure XG Firewall as a proxy server for the LAN users.

XG Firewall routes all outbound requests through the upstream proxy.


Diagram showing an upstream parent proxy on the internet

To connect to the proxy, do as follows:

  1. Go to Routing > Upstream proxy.
  2. Turn on the parent proxy and specify the following settings:
    Option                      Description
    Domain name/IPv4 address    203.1.23.5
    Port                        3128
    Username                    <Username to access parent proxy>
    Password                    <Password to access parent proxy>

    The following image shows example settings for the parent proxy.


    Screenshot showing example settings for a proxy server on the internet
  3. Click Apply.

Connect to an internal parent proxy

When an upstream proxy is deployed in the LAN or DMZ, you need to configure XG Firewall as a proxy server.

XG Firewall routes all outbound requests through the upstream proxy.


Diagram showing an internal parent proxy

To connect to the proxy, do as follows:

  1. Go to Routing > Upstream proxy.
  2. Turn on the parent proxy and specify the following settings:
    Option                      Description
    Domain name/IPv4 address    192.168.1.10
    Port                        3128
    Username                    <Username to access parent proxy>
    Password                    <Password to access parent proxy>

    The following image shows example routing settings for the parent proxy.


    Screenshot showing example routing settings for an internal parent proxy
  3. Click Apply.
  4. Go to Firewall, click Add firewall rule and create a User/Network rule to allow traffic between internal hosts and the parent proxy, as follows.
    Option                         Description
    Rule name                      Enter a name.
    Rule position                  Bottom
    Action                         Accept
    Source                         LAN
    Source networks and devices    Any
    During scheduled time          All the time

    The image below shows example settings for the network rule.


    Screenshot showing example settings for the network rule
  5. Click Save.
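Before you click Apply in either procedure above (parent proxy on the internet or on the internal network), it is worth confirming that the proxy is reachable on the configured port and accepts the username and password. The following Python script is an added example, not Sophos code: it sends one authenticated HTTP CONNECT to the parent proxy and reports the status code, and it ships with a constructed in-process fake proxy so it runs offline. It assumes the parent proxy uses HTTP Basic proxy authentication; the loopback address, the credentials proxyuser/s3cret and the target example.com:443 are assumed values.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def proxy_auth_header(username: str, password: str) -> str:
    """Proxy-Authorization value for HTTP Basic proxy authentication (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def probe_parent_proxy(host: str, port: int, username: str, password: str,
                       target: str = "example.com:443", timeout: float = 5.0) -> int:
    """Send one authenticated CONNECT to the parent proxy and return its HTTP status."""
    # 200 = tunnel accepted, 407 = credentials rejected; a socket error means the
    # host/port is wrong or the firewall rule between this host and the proxy is missing.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("CONNECT", target, headers={
            "Proxy-Authorization": proxy_auth_header(username, password)})
        return conn.getresponse().status
    finally:
        conn.close()

class _FakeParentProxy(BaseHTTPRequestHandler):
    # Constructed stand-in for the upstream proxy: checks Basic auth on CONNECT.
    def do_CONNECT(self):
        if self.headers.get("Proxy-Authorization") == self.server.expected:
            self.send_response(200, "Connection established")
        else:
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="parent proxy"')
        self.end_headers()
    def log_message(self, *args):  # keep the example quiet
        pass

def start_fake_proxy(username: str, password: str) -> HTTPServer:
    """Start the fake proxy on a loopback port chosen by the OS."""
    server = HTTPServer(("127.0.0.1", 0), _FakeParentProxy)
    server.expected = proxy_auth_header(username, password)  # constructed credential
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def self_check() -> tuple:
    """Probe the fake proxy with good, then bad, credentials; returns (200, 407)."""
    srv = start_fake_proxy("proxyuser", "s3cret")
    port = srv.server_address[1]
    good = probe_parent_proxy("127.0.0.1", port, "proxyuser", "s3cret")
    bad = probe_parent_proxy("127.0.0.1", port, "proxyuser", "wrong")
    srv.shutdown()
    return good, bad
```

Against a real deployment, call probe_parent_proxy with the address and port from the table (for example 192.168.1.10 and 3128) from a host whose traffic to the proxy the firewall rule in step 4 allows.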

If the parent proxy is deployed in the DMZ, create a user/network policy for DMZ-DMZ traffic.

  1. Go to Firewall, click Add firewall rule and create a User/Network rule to masquerade outgoing traffic, as follows.
    Option                         Description
    Rule name                      Enter a name.
    Rule position                  Bottom
    Action                         Accept
    Source                         LAN
    Source networks and devices    Any
    During scheduled time          All the time
    Destination zones              WAN
    Destination networks           Any
    Services                       Any

    The image below shows example settings for the DMZ network rule.


    Screenshot showing example settings for the DMZ rule
  2. Set the following Advanced settings for the rule:
    Option                  Description
    NAT & Routing           Rewrite source address (Masquerading)
    Use Outbound Address    MASQ
    Primary gateway         Enter the gateway.
    DSCP marking            Select DSCP Marking

    The image below shows example Advanced settings for the DMZ network rule.


    Screenshot showing example Advanced settings for the DMZ rule
  3. Click Save.
  4. If the upstream proxy is deployed in the DMZ, create a user/network policy to masquerade outgoing traffic from DMZ to WAN.