Misc

The Web Protection > Filtering Options > Misc tab contains various other configuration options of the Web Filter such as caching, streaming, or port settings.

Misc Settings

Web filtering port: Here you can define the port number that the Web Filter will use for client requests. The default is 8080.

Note – This only applies if you do not operate the proxy in transparent mode.

Detect HTTP loopback: This option is enabled by default. Only disable HTTP Loopback detection if you have a DNAT rule where Sophos UTM on AWS is the original destination and the port is 80.

MIME blocking inspects HTTP body: Not only the HTTP header but also the HTTP body is checked for blocked MIME types. Note that turning on this feature may have a negative impact on performance.

Block unscannable and encrypted files: Select this option to block files that could not be scanned. The reason for that may be, among other things, that files are encrypted or corrupt. Files larger than 2 GB are unscannable.

Allowed target services: In the Allowed target services box you can select the target services the Web Filter should be allowed to access. The default setting consists of target services (ports) that are usually safe to connect to and which are typically used by browsers, namely HTTP (port 80), HTTPS (port 443), FTP (port 21), LDAP (port 389), LDAP-SSL (port 636), Web Filter (port 8080), UTM Spam Release (ports 3840-4840), and UTM WebAdmin (port 4444).

Default charset: This option affects how the proxy displays file names in the Download Manager window. URLs (and file names that they may reference) that are encoded in foreign charsets will be converted to UTF-8 from the charset specified here unless the server sends a different charset. If you are in a country or region that uses a double-byte charset, you should set this option to the "native" charset for that country or region.

Search domain: You can add an additional domain here, which will be searched when the first DNS lookup returns no result ("NXDOMAIN"). Then, a second DNS request is initiated which appends the domain given here to the original hostname. Example: A user enters http://wiki, meaning to address wiki.intranet.example.com. However, the URL can only be resolved when you enter intranet.example.com into the Search domain field.

Authentication timeout: This setting allows you to set the length of time (in seconds) that users can browse after logging in with browser mode authentication. If the users have a logout tab open, they can continue to browse without re-authenticating until that tab is closed, plus the authentication timeout.

This setting also allows you to set the length of time (in seconds) that a Block Override or a Warning Proceed lasts.

Authentication realm: The authentication realm is the name of the source which a browser displays along with the authentication request when the proxy works in Basic User Authentication mode. It defines the protection space according to RFC 2617. You can give any string here.

Transparent Mode Skiplist

Using this option is only meaningful if the Web Filter runs in transparent mode. Hosts and networks listed in the Skip transparent mode hosts/nets boxes will not be subject to the transparent interception of HTTP traffic. There is one box for source and one for destination hosts/networks. To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.

Proxy Auto Configuration

The proxy auto configuration is a feature that enables you to centrally provide a proxy auto configuration file (PAC file) which can be fetched by browsers. The browsers will in turn configure their proxy settings according to the details outlined in the PAC file.

The PAC file is named wpad.dat, has the MIME type application/x-ns-proxy-autoconfig and will be provided by the UTM. It contains the information you enter into the text box, for example:

function FindProxyForURL(url, host)
{ return "PROXY proxy.example.com:8080; DIRECT"; }

The function above instructs the browser to redirect all page requests to the proxy of the server proxy.example.com on port 8080. If the proxy is not reachable, a direct connection to the Internet will be established.

The hostname can also be written as a variable called ${asg_hostname}. This is especially useful when you want to deploy the same PAC file to several Sophos UTM appliances using Sophos UTM Manager. The variable will then be instantiated with the hostname of the respective UTM. Using the variable in the example above would look like the following:

function FindProxyForURL(url, host)
{ return "PROXY ${asg_hostname}:8080; DIRECT"; }

To provide the PAC file for your network, you have the following possibilities:

URL Categorization Parent Proxy

Enter a proxy server for URL categorization lookups if you do not have direct internet access. This option is only available if you have endpoint protection enabled, or if you are doing local lookups. For local lookups, this option sets the proxy that will be used to download categorization updates to Sophos UTM on AWS.

Web Caching

Enable caching: When this option is enabled, the Web Filter keeps an on-disk object cache to speed up requests to frequently visited webpages.

Clear Cache: You can delete all cached pages by clicking Clear Cache.

Streaming Settings

Bypass content scanning for streaming content: When this option is active, typical audio and video streaming content (including range requests for that content) is not subject to content scanning. Disabling this option will effectively disable most media streams, since they cannot be scanned in a reasonable timeframe. It is therefore recommended to leave this option turned on.

Apple OpenDirectory Single Sign-On

When you are using Apple OpenDirectory SSO as authentication method, you need to upload a MAC OS X Single Sign-On Kerberos keyfile for authentication to work properly. Generate that keyfile and upload it by clicking the Folder icon. For more information on how to generate that keyfile, see the Kerberos documentation.

Certificate for End-User Pages

Sophos UTM on AWS uses HTTPS to provide user notification, perform browser authentication and secure other user interactions. By default, Sophos UTM on AWS uses an automatically generated certificate for these HTTPS connections. You can use this option to use a custom certificate for HTTPS pages that are presented to end users. To use your own custom certificate for these HTTPS connections, first upload it using Remote Access > Certificate Management > Certificates, then select it and update the settings here.

Note –The Hostname specified is the base domain for the certificate you are using. Sophos UTM on AWS will then prepend passthrough. or passthrough6. to that domain. The certificate must be valid for passthrough (and passthrough6) as a Common Name, Subject Alternate Name, or most commonly as a wildcard certificate, so you can prepend any host at the domain. In addition, you must set up DNS for passthrough and passthrough6 to external IP addresses. If you use Sophos UTM on AWS as your DNS server this is done automatically. By default, Sophos UTM on AWS uses the IP address 213.144.15.19. If you are using an alternate DNS server you must create those entries there.

Related Topics Link IconRelated Topics