The Sophos Web Appliance provides security and control for your users’ web browsing by preventing the loading of viruses, Trojans, worms, other malware, and potentially unwanted applications (PUAs).

The web appliance does this by using site lists. Sophos provides a basic and an enhanced list of URLs—the Sophos Basic Categorization Data and the Sophos Enhanced Categorization Data—each of which assigns a risk classification (high, medium, low, or trusted) and a site category (business, education, sports, gambling, illegal drugs, weapons, etc) to the listed URLs.

You can extend these Sophos lists, or override the risk classification or the site category of the URLs by adding custom entries. In addition to URLs, you can set whether requests for various downloadable file types are allowed, warned, or blocked. "Block" or "warn" pages are displayed in response to inappropriate user requests, and you can give users the ability to ask for a reclassification or re-categorization of the site. The message that users see on these pages can also be modified.

Default actions are as follows:

  • Content from sites classified as being high-risk is always blocked
  • Content from low-risk sites is always scanned
  • Content from trusted sites is always allowed

Additionally, you can set whether content from medium-risk sites is blocked or scanned and whether content from unclassified sites is handled in the same way as content from low, medium, or high-risk sites.


This security protection can be extended to HTTPS (encrypted) sites, which can also contain security threats. You configure your web appliance to handle certificate validation, thus deciding for your users about which HTTPS sites to trust.

HTTPS Scanning

To provide secure sessions between your users and commercial or banking sites, HTTPS can encrypt web content between the website server and the user’s browser. To scan encrypted content for malware, it must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end user’s browser. Doing this maintains the privacy of the encrypted content, as the process takes place automatically without human eyes viewing the content.

Active Directory

The web appliance allows you to view lists of user groups imported from your organization’s Active Directory server and define custom groups. On this page, you either apply the default policy to a select list of groups, or you apply the default policy to all groups except those in the select list.

Acceptable Use Policies

The web appliance protects your organization and your users from visiting sites that violate your organization’s browsing policy, including sites that violate inappropriate browsing legislation. Site categories can also be used to provide productivity control by disallowing access to entertainment sites and other diversions.

Custom Policies

You can define a Special Hours policy, consisting of modified access settings that will apply to the same set of users as the default policy, but that provides, for example, a more relaxed web browsing policy during the lunch hour and after business hours.

You can also create as many as 80 Additional Policies, overriding the default policy and the Special Hours policy. These can be applied to select users or groups and can also be set to take effect only during a scheduled period. Additional policies can be turned on and off as required, and they can be set to automatically deactivate at a specified date and time.

Applying tags lets you set policy rules more simply and flexibly than is possible by using other policy features. You can use the Local Site List to apply one or more tags to a URL. With Additional Policies, you can set what action is taken in response to a tag.

Dynamic Categorization

Sophos provides the ability to block attempts by your users to evade policy controls through anonymizing proxies and caching websites by automatically detecting such sites with the Dynamic Categorization feature.

Data Leakage Prevention

You can secure your users against leaking vital data through web use by using the Data Leakage Prevention features to selectively block them from sending webmail messages and posting on blogs.