Misc

The Web Protection > Filtering Options > Misc tab contains various other configuration options of the Web Filter such as caching, streaming, or port settings.

Misc Settings

Web filtering port: Here you can define the port number that the Web Filter will use for client requests. The default is 8080.

Note – This only applies if you do not operate the proxy in transparent mode.

Detect HTTP loopback: This option is enabled by default. Only disable HTTP Loopback detection if you have a DNAT rule where Sophos UTM is the original destination and the port is 80.

MIME blocking inspects HTTP body: Not only the HTTP header but also the HTTP body is checked for blocked MIMEMultipurpose Internet Mail Extensions types. Note that turning on this feature may have a negative impact on performance.

Block unscannable and encrypted files: Select this option to block files that could not be scanned. The reason for that may be, among other things, that files are encrypted or corrupt. Files larger than 2 GB are unscannable.

Allowed target services: In the Allowed target services box you can select the target services the Web Filter should be allowed to access. The default setting consists of target services (ports) that are usually safe to connect to and which are typically used by browsers, namely HTTP (port 80), HTTPS (port 443), FTP (port 21), LDAP (port 389), LDAP-SSL (port 636), Web Filter (port 8080), UTM Spam Release (ports 3840-4840), and UTM WebAdmin (port 4444).

Default charset: This option affects how the proxy displays file names in the Download Manager window. URLs (and file names that they may reference) that are encoded in foreign charsets will be converted to UTF-8 from the charset specified here unless the server sends a different charset. If you are in a country or region that uses a double-byte charset, you should set this option to the "native" charset for that country or region.

Search domain: You can add an additional domain here, which will be searched when the first DNS lookup returns no result ("NXDOMAIN"). Then, a second DNS request is initiated which appends the domain given here to the original hostname. Example: A user enters http://wiki, meaning to address wiki.intranet.example.com. However, the URL can only be resolved when you enter intranet.example.com into the Search domain field.

Authentication timeout: This setting allows you to set the length of time (in seconds) that users can browse after logging in with browser mode authentication. If the users have a logout tab open, they can continue to browse without re-authenticating until that tab is closed, plus the authentication timeout.

This setting also allows you to set the length of time (in seconds) that a Block Override or a Warning Proceed lasts.

Authentication realm: The authentication realm is the name of the source which a browser displays along with the authentication request when the proxy works in Basic User Authentication mode. It defines the protection space according to RFC 2617. You can give any string here.

Transparent Mode Skiplist

Using this option is only meaningful if the Web Filter runs in transparent mode. Hosts and networks listed in the Skip transparent mode hosts/nets boxes will not be subject to the transparent interception of HTTP traffic. There is one box for source and one for destination hosts/networks. To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.

Proxy Auto Configuration

The proxy auto configuration is a feature that enables you to centrally provide a proxy auto configuration file (PAC file) which can be fetched by browsers. The browsers will in turn configure their proxy settings according to the details outlined in the PAC file.

The PAC file is named wpad.dat, has the MIME type application/x-ns-proxy-autoconfig and will be provided by the UTM. It contains the information you enter into the text box, for example:

function FindProxyForURL(url, host)
{ return "PROXY proxy.example.com:8080; DIRECT"; }

The function above instructs the browser to redirect all page requests to the proxy of the server proxy.example.com on port 8080. If the proxy is not reachable, a direct connection to the Internet will be established.

The hostname can also be written as a variable called ${asg_hostname}. This is especially useful when you want to deploy the same PAC file to several Sophos UTM appliances using Sophos UTM Manager. The variable will then be instantiated with the hostname of the respective UTM. Using the variable in the example above would look like the following:

function FindProxyForURL(url, host)
{ return "PROXY ${asg_hostname}:8080; DIRECT"; }

To provide the PAC file for your network, you have the following possibilities:

• Providing via browser configuration: If you select the option Enable Proxy Auto Configuration, the PAC file will be available via Sophos UTM Web Filter under the URL of the following type: http://IP-of-UTM:8080/wpad.dat. To use this file, enter its URL in the automatic proxy configuration setting of those browsers which are to use the proxy.

• Providing via DHCP: You can have your DHCP server(s) hand out the URL of the PAC file together with the client IP address. To do that, select the option Enable HTTP Proxy Auto Configuration in your DHCP server configuration (see chapter Network Services > DHCP). A browser will then automatically fetch the PAC file and configure its settings accordingly.

  Note – Providing via DHCP works with Microsoft's Internet Explorer only. Regarding all other browsers you need to provide the PAC file manually.

URL Categorization Parent Proxy

Enter a proxy server for URL categorization lookups if you do not have direct internet access. This option is only available if you have endpoint protection enabled, or if you are doing local lookups. For local lookups, this option sets the proxy that will be used to download categorization updates to Sophos UTM.

Web Caching

Enable caching: When this option is enabled, the Web Filter keeps an on-disk object cache to speed up requests to frequently visited webpages.

• Cache SSL content: With this option enabled, SSL-encrypted data will be stored unencrypted on disk as well.

• Cache content that contains cookies: Cookies are often used for authentication purposes. With this option enabled, HTTP answers containing cookies will be cached as well. This may be critical, as users requesting the same page are likely to get the cached page, containing the cookie of another user.

  Important Note – Caching SSL and/or cookie content is an important security issue as the content is readable by every user with SuperAdmin rights.

• Force caching for Sophos Endpoint updates: If enabled, certain data related to Sophos Auto Update (SAU) requests from endpoints will be cached. We recommend to enable this feature when using endpoint protection. If disabled, this type of data will not be cached. This can lead to uplink saturation when many endpoints simultaneously try to download data from the update servers in the Internet.

Clear Cache: You can delete all cached pages by clicking Clear Cache.

Streaming Settings

Bypass content scanning for streaming content: When this option is active, typical audio and video streaming content (including range requests for that content) is not subject to content scanning. Disabling this option will effectively disable most media streams, since they cannot be scanned in a reasonable timeframe. It is therefore recommended to leave this option turned on.

Apple OpenDirectory Single Sign-On

When you are using Apple OpenDirectory SSO as authentication method, you need to upload a MAC OS X Single Sign-On Kerberos keyfile for authentication to work properly. Generate that keyfile and upload it by clicking the Folder icon. For more information on how to generate that keyfile, see the Kerberos documentation.

Certificate for End-User Pages

Sophos UTM uses HTTPS to provide user notification, perform browser authentication and secure other user interactions. By default, Sophos UTM uses an automatically generated certificate for these HTTPS connections. You can use this option to use a custom certificate for HTTPS pages that are presented to end users. To use your own custom certificate for these HTTPS connections, first upload it using Remote Access > Certificate Management > Certificates, then select it and update the settings here.

Note –The Hostname specified is the base domain for the certificate you are using. Sophos UTM will then prepend passthrough. or passthrough6. to that domain. The certificate must be valid for passthrough (and passthrough6) as a Common Name, Subject Alternate Name, or most commonly as a wildcard certificate, so you can prepend any host at the domain. In addition, you must set up DNS for passthrough and passthrough6 to external IP addresses. If you use Sophos UTM as your DNS server this is done automatically. By default, Sophos UTM uses the IP address 213.144.15.19. If you are using an alternate DNS server you must create those entries there.