Send web requests through an upstream proxy in LAN

You can configure Sophos Firewall to send all web requests to the external network through an upstream proxy in the LAN or DMZ.

Connect Sophos Firewall to the upstream proxy in LAN

In this example, the upstream proxy is in the LAN zone. The network details are as follows:

Upstream proxy's IP address: 192.168.1.10

WAN IP address of Sophos Firewall: 203.0.113.1

When you deploy an upstream proxy in the LAN or DMZ, you must configure Sophos Firewall as a proxy server.


Diagram showing upstream proxy in the LAN zone

You must configure the following:

  1. The upstream proxy as a parent proxy on Sophos Firewall.
  2. Firewall rule for web filtering and scanning in web proxy mode.
  3. Firewall rule to allow traffic from internal users to the upstream proxy.
  4. Source NAT rule to masquerade traffic from internal users to the upstream proxy.
  5. Firewall rule to allow traffic from the upstream proxy to the internet.

Add the upstream proxy to Sophos Firewall

Add the upstream proxy to Sophos Firewall and enter the credentials if the proxy requires authentication.
  1. Go to Routing > Upstream proxy.
  2. Select Parent proxy.
  3. Enter the upstream proxy's IP address (example: 192.168.1.10).
  4. Enter the port number the upstream proxy receives web traffic on (example: 3128).
  5. Enter the username and password if the upstream proxy requires authentication.

    Here's an example:


    Example settings to add a proxy server
  6. Click Apply.

Create a firewall rule to scan web traffic

Create a firewall rule to scan and allow traffic between the internal users and WAN.
  1. Go to Rules and policies, click Add firewall rule > New firewall rule.
  2. Set Source zones to LAN and Wi-Fi.
  3. Set Source networks and devices to Any.
  4. Set Destination zones to WAN.
  5. Set Destination networks to Any.

    Here's an example:


    Firewall rule to allow traffic from LAN to WAN
  6. Select Scan HTTP and decrypted HTTPS and Use web proxy instead of DPI engine.

    Select scanning and web proxy in the firewall rule
  7. Click Save.

Create a firewall rule to allow internal traffic to the upstream proxy

Create a firewall rule to allow traffic from the internal users to the upstream proxy in the LAN zone.
  1. Go to Rules and policies, click Add firewall rule > New firewall rule.
  2. Set Source zones to LAN and Wi-Fi.
  3. Set Source networks and devices to Any.
  4. Set Destination zones to LAN since the upstream proxy is in the LAN zone.

    If the upstream proxy is in the DMZ, set Destination zones to DMZ.

  5. Set Destination networks to the IP host you create for the upstream proxy (in this example, an IP host for 192.168.1.10).

    Here's an example:


    Firewall rule to allow LAN and Wi-Fi traffic to upstream proxy in LAN
  6. Click Save.

Create an SNAT rule for internal users

Create a source NAT rule to masquerade web requests from internal users to the upstream proxy.
  1. Go to Rules and policies, click NAT rules > Add NAT rule.
  2. Set Original source to Any.
  3. Set Translated source (SNAT) to MASQ.
  4. Set Original destination to the IP host you create for the upstream proxy.
  5. Set Translated destination (DNAT) to Original.

    Here's an example:


    Source NAT rule to translate traffic from internal network to upstream proxy
  6. Click Save.

Create a firewall rule to allow traffic from the upstream proxy to WAN

Create a firewall rule to allow traffic from the upstream proxy in the LAN zone to WAN.
  1. Go to Rules and policies, click Add firewall rule > New firewall rule.
  2. Set Source zones to LAN.

    Alternatively, select DMZ if the upstream proxy is in the DMZ.

  3. Set Source networks and devices to the IP host you create for the upstream proxy.
  4. Set Destination zones to WAN.

    Additionally, select DMZ if you want to allow traffic from the upstream proxy to your web servers in the DMZ.

  5. Set Destination networks to Any.

    Here's an example:


    Firewall rule to allow traffic from the upstream proxy in the LAN to WAN
  6. Make sure Web policy is set to None, and don't select the Malware and content scanning settings.
  7. Select a Detect and prevent exploits (IPS) policy if required.
  8. Click Save.
  9. Drag and drop this rule on the firewall rule list to place it above rules with matching source and destination settings and web proxy mode.

The default SNAT rule (Default SNAT IPv4) at the bottom of the NAT rule list masquerades the private IP address of the upstream proxy for traffic to the WAN zone. The masquerade applies to the upstream proxy in the LAN and DMZ. If you want to specify different translation settings, create an SNAT rule.
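To make the rule ordering in step 9 and the two NAT behaviours concrete, here is a small Python model of top-down, first-match rule evaluation. It is an illustration added to this page, not Sophos Firewall code or configuration. The zones, the proxy address 192.168.1.10 and the WAN address 203.0.113.1 come from the page; the client address 192.168.1.50, the web server 198.51.100.7, the firewall's LAN address 192.168.1.1, and the matching logic itself are assumptions made for the example. It shows that when the proxy-to-WAN rule is left below the web-proxy rule, the proxy's own outbound requests match the web-proxy rule and are handed to the web proxy again, and that the SNAT rule makes the upstream proxy see client traffic as coming from the firewall, so its replies return through the firewall instead of going directly to a client on the same segment.

```python
"""First-match firewall rule evaluation and SNAT for the upstream-proxy layout on
this page. Added illustration only; not Sophos Firewall code. Zones, the proxy
address 192.168.1.10 and the WAN address 203.0.113.1 come from the page; the
client address, the firewall's LAN address and the matching logic are
assumptions made for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UPSTREAM_PROXY = "192.168.1.10"      # from the page
FIREWALL_WAN_IP = "203.0.113.1"      # from the page
FIREWALL_LAN_IP = "192.168.1.1"      # assumption: firewall's LAN interface address
CLIENT = "192.168.1.50"              # constructed sample client
INTERNET_HOST = "198.51.100.7"       # constructed sample web server
LAN_NET = ip_network("192.168.1.0/24")


def zone_of(ip: str) -> str:
    """Toy zone lookup: the LAN subnet is zone LAN, everything else is WAN.
    (The page's Wi-Fi zone appears in the rules but is not modelled here.)"""
    return "LAN" if ip_address(ip) in LAN_NET else "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    src_hosts: Optional[frozenset]   # None stands for "Any"
    dst_hosts: Optional[frozenset]   # None stands for "Any"
    web_proxy: bool = False          # "Use web proxy instead of DPI engine"

    def matches(self, src: str, dst: str) -> bool:
        return (zone_of(src) in self.src_zones
                and zone_of(dst) in self.dst_zones
                and (self.src_hosts is None or src in self.src_hosts)
                and (self.dst_hosts is None or dst in self.dst_hosts))


# The three firewall rules from the page, as this toy model sees them.
WEB_RULE = Rule("LAN and Wi-Fi to WAN, web proxy mode",
                frozenset({"LAN", "Wi-Fi"}), frozenset({"WAN"}), None, None, web_proxy=True)
TO_PROXY = Rule("LAN and Wi-Fi to upstream proxy",
                frozenset({"LAN", "Wi-Fi"}), frozenset({"LAN"}), None, frozenset({UPSTREAM_PROXY}))
PROXY_OUT = Rule("Upstream proxy to WAN",
                 frozenset({"LAN"}), frozenset({"WAN"}), frozenset({UPSTREAM_PROXY}), None)

# Step 9 of the page: the proxy-to-WAN rule must sit above the web-proxy rule.
CORRECT_ORDER = [PROXY_OUT, WEB_RULE, TO_PROXY]
WRONG_ORDER = [WEB_RULE, TO_PROXY, PROXY_OUT]


def first_match(rules, src: str, dst: str) -> Optional[Rule]:
    """Rules are evaluated top-down; the first matching rule wins."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def snat_source(src: str, dst: str) -> str:
    """Source address after NAT. The page's SNAT rule masquerades Any -> upstream
    proxy (here: to the firewall's LAN address, the egress interface); the
    Default SNAT IPv4 rule masquerades anything leaving to WAN."""
    if dst == UPSTREAM_PROXY and zone_of(src) == "LAN":
        return FIREWALL_LAN_IP
    if zone_of(dst) == "WAN":
        return FIREWALL_WAN_IP
    return src


def trace(rules, src: str, dst: str) -> dict:
    """Which rule a flow hits, whether it is handled by the web proxy, and the
    source address the next hop sees."""
    rule = first_match(rules, src, dst)
    return {"rule": rule.name if rule else None,
            "via_web_proxy": bool(rule and rule.web_proxy),
            "seen_source": snat_source(src, dst)}


if __name__ == "__main__":
    for order_name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(order_name, "client -> internet:", trace(order, CLIENT, INTERNET_HOST))
        print(order_name, "client -> proxy:   ", trace(order, CLIENT, UPSTREAM_PROXY))
        print(order_name, "proxy -> internet: ", trace(order, UPSTREAM_PROXY, INTERNET_HOST))
```

Running the script prints the three flows under both orderings; the only difference between them is the proxy-to-internet flow, which is handled by the web proxy under the wrong ordering and by the plain proxy-to-WAN rule under the correct one.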