Global
On the Web Protection > Web Filtering > Global tab you can make the global settings for the Web Filter.
To configure the Web Filter, proceed as follows:
- On the Global tab, enable the Web Filter.
Click the toggle switch.
The toggle switch turns green and the Default Web Filter Profile area becomes editable.
- Select the allowed networks.
Select the networks that should be allowed to use the Web Filter. By default, the Web Filter listens for client requests on TCP port 8080 and allows any client from the networks listed in the Allowed Networks box to connect.
Caution – It is extremely important not to select an Any network object, because this introduces a serious security risk and opens your appliance up to abuse from the Internet.
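To make the caution above checkable before a change is applied, here is an added example (not part of the Sophos documentation) that reviews a proposed Allowed Networks list: it flags the Any object (or an equivalent 0.0.0.0/0 entry), flags entries outside RFC 1918 / ULA space for review, and answers whether a given client source address would be admitted to the proxy on port 8080. The entry format and the helper names are assumptions for this example.

```python
import ipaddress

# Internal address space a Web Filter client list is normally built from.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_network(entry):
    """Map one Allowed Networks entry to an ip_network.

    The UTM "Any" object is modelled as 0.0.0.0/0 (assumption for this
    example); other entries are CIDR strings, host bits tolerated.
    """
    if entry.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(entry.strip(), strict=False)


def check_allowed_networks(entries):
    """Return (entry, reason) findings for entries that need attention.

    A /0 entry matches every address, i.e. the proxy becomes reachable
    from the whole Internet (the caution above). Anything outside
    PRIVATE_RANGES is not necessarily wrong, but should be confirmed to
    be a range of internal clients rather than public space.
    """
    findings = []
    for entry in entries:
        net = parse_network(entry)
        if net.prefixlen == 0:
            findings.append((entry, "matches every address: open proxy to the Internet"))
            continue
        internal = any(net.version == p.version and net.subnet_of(p)
                       for p in PRIVATE_RANGES)
        if not internal:
            findings.append((entry, "outside RFC 1918/ULA space: confirm these are internal clients"))
    return findings


def client_allowed(client_ip, entries):
    """Would a client with this source address be admitted to the proxy?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == parse_network(e).version and ip in parse_network(e)
               for e in entries)


if __name__ == "__main__":
    # Constructed sample list: one sensible entry and one mistake.
    proposed = ["192.168.10.0/24", "Any"]
    for entry, reason in check_allowed_networks(proposed):
        print(f"{entry}: {reason}")
    print("203.0.113.9 admitted:", client_allowed("203.0.113.9", proposed))
```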
- Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:
- Standard mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in the Allowed Networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.
Select the default authentication mode.
- None: Select to not use any authentication.
- Active Directory SSO: This mode will attempt to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.
- Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.
- Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.
- Basic user authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information on which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.
- Browser: When selected, users are presented with a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
Note – When using browser authentication, a pop-up will be generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
- eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.
Note – For the eDirectory Single Sign-On (SSO) mode, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.
If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.
- Transparent mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage, however, is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.
Note – In transparent mode, the Web Filter will strip NTLM authentication headers from HTTP requests. Furthermore, the Web Filter cannot handle FTP requests in this mode. If your clients want to access such services, you must open port 21 in the firewall. Note further that some web servers transmit some data, in particular streaming video and audio, over a port different from port 80. These requests will not be noticed when the Web Filter operates in transparent mode. To support such traffic, you must either use a different mode or enter an explicit firewall rule allowing them.
- None: Select to not use any authentication.
- Active Directory SSO: This mode will attempt to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see the Sophos Knowledge Base.
Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of the LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.
Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.
- Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter.
- Browser: When selected, users are presented with a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
Note – When using browser authentication, a pop-up will be generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
- Full transparent (optional): Select to preserve the client source IP address instead of replacing it by the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.
The available authentication modes for Full transparent are the same as Transparent. See above.
Cross Reference – For more information on configuring browser authentication in standard mode, see the Sophos Knowledge Base.
When configured to use authentication, you have the option to Block access on authentication failure. If you are using AD SSO and do not block access on failure, an SSO authentication failure will allow unauthenticated access without prompting the user. If you are using Browser authentication and do not block access on authentication failure, there will be an additional Guest login link on the login page to allow unauthenticated access.
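The practical difference between standard and transparent mode above is visible in the HTTP request line the Web Filter receives. As an added example (not from the Sophos documentation, and not the product's own code), the function below classifies a raw request as the explicit-proxy form a browser sends when the Web Filter is configured as its HTTP proxy (standard mode) or the origin form seen when a port 80 connection is intercepted (transparent mode), and extracts the target host in each case. The request samples are constructed.

```python
from urllib.parse import urlsplit

# Constructed samples: what a browser sends to a configured proxy on port 8080
# (standard mode) versus what is seen on an intercepted port 80 connection.
STANDARD_REQ = ("GET http://www.example.com/index.html HTTP/1.1\r\n"
                "Host: www.example.com\r\n\r\n")
CONNECT_REQ = ("CONNECT www.example.com:443 HTTP/1.1\r\n"
               "Host: www.example.com:443\r\n\r\n")
TRANSPARENT_REQ = ("GET /index.html HTTP/1.1\r\n"
                   "Host: www.example.com:80\r\n"
                   "User-Agent: constructed-sample\r\n\r\n")


def classify_request(raw):
    """Describe how a proxy would interpret the first request on a connection.

    standard/absolute:  target is a full URI, so the proxy learns the host
                        from the request line (browser configured with proxy).
    standard/authority: CONNECT host:port, a client asking an explicit proxy
                        to tunnel a TLS session; never seen in transparent mode.
    transparent/origin: target is a path; the host comes only from the Host
                        header, which is why client proxy settings play no role.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        return {"mode": "standard", "form": "authority",
                "host": target.rsplit(":", 1)[0]}
    if target.lower().startswith(("http://", "https://")):
        return {"mode": "standard", "form": "absolute",
                "host": urlsplit(target).hostname}
    if "host" not in headers:
        # HTTP/1.1 requires Host; without it the target cannot be determined.
        raise ValueError("origin-form request without Host header")
    return {"mode": "transparent", "form": "origin",
            "host": headers["host"].rsplit(":", 1)[0]}


if __name__ == "__main__":
    for sample in (STANDARD_REQ, CONNECT_REQ, TRANSPARENT_REQ):
        print(classify_request(sample))
```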
- Enable device-specific authentication.
To configure authentication modes for specific devices, select the Enable device-specific authentication checkbox. Once enabled you can click the green Plus icon to add device types and associated authentication modes.
- Click Apply.
Your settings will be saved.
Important Note – When SSL scanning is enabled in combination with the transparent mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates.
Live Log
The Web Filtering live log gives you information on web requests. Click the Open Live Log button to open the Web Filtering live log in a new window.