HTTP Proxy

Configuration of the HTTP proxy

Last adaptation to the version: 12.7.2

New:

For Securepoint Anitvirus Pro Viruscan Pattern can be cached

Show previous changes

Last updated:

More detailed description of how the Mime-Type Blocklist works

notempty

This article refers to a Resellerpreview

12.6.2 12.5 12.4 12.2 11.8 11.7

Introduction

The proxy serves as an intermediary between the internet and the network to be protected.
The clients send their request to the proxy and the proxy passes it on to the corresponding servers.
The actual address of the client remains hidden from the server.
In this way, it is possible to check the data traffic for viruses and unwanted content.

General

Caption	Value	Description	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log Area General
Proxy Port:	8080	Specifies on which port the proxy is to be addressed
Outgoing Address:		The Outgoing Address is used for two scenarios: If the proxy is to be bound to an interface If a web server in the VPN network is to be reached via the proxy. Scenario details 1 In this example, the proxy is bound to the faster DSL line: Initial situation: LAN1: ppp0 with DSL 2000 LAN2: Internal network (Internal interface with the IP 192.168.175.1) LAN3: ppp1 with DSL 16000 The IP of the Internal interface (here: LAN2) must be entered in the field for the outgoing address Save settings Under Network Network Settings Area Routing a new route is created: Source: IP of the internal interface Router: ppp1 Target: 0.0.0.0/0 Saving the route Now the proxy is bound to the 2nd internet connection. Scenario details 2 Connection to a web server in the VPN network: The IP of the internal interface must be entered in the field for the outgoing address. Save the settings. Connections initiated by the firewall do not require extra rules
Forward requests to system-wide parent proxy:	No	If another proxy is used before the HTTP proxy, this function must be activated. The configuration takes place under Network Appliance-Settings Area System-wide proxy
IPv4 DNS-lookups preferred:	Yes	Here you can specify whether the name resolution should preferably be done with IPv4 addresses
Logging (Syslog lokal):	Off	Writes a general Syslog for the HTTP proxy (Open: Log Area Log
Logging (Statistics): Only available if no anonymization for the HTTP proxy ‍ Settings at Authentication Privacy has been activated	On	Writes a statistical Log call: Log Area HTTP proxy statistics
Authentication method:	The proxy offers various possibilities for authentication. The possibilities are:
	None	The HTTP proxy processes all requests without authentication
	Basic	With basic authentication, the users are queried against the stored users under Authentication User Area User on the firewall
	NTLM / Kerberos	Here the firewall must be made known to the server. This can be set up in the web interface under Authentication AD / LDAP Authentication
	Radius	Here the firewall must be made known to the server. This can be set up in the web interface under Authentication Radius-Authentication
Allow access only from local sources:	Yes default	Access to the HTTP proxy is now only possible from internal sources. These are: local networks routed networks ( Network Network configuration Area Routing) VPN networks
Allow access to local destinations:	Yes default	All internal networks can also be reached via the HTTP proxy (the packetfilter has already been passed through to reach the HTTP proxy). Disabling it prevents this and access to other internal networks must be explicitly allowed via the port filter without an HTTP proxy.
Forward Microsoft connection-oriented authentication:	No	If it is enabled, login or authentication to websites is possible. For some websites this is not possible otherwise. ‍ With this option, NTLM, Negotiate and Kerberos authentications are forwarded notempty If SSL-Interception is active, this parameter must be enabled for HTTPS-based authentications, otherwise no authentication/login is possible on these websites.

Authentication exceptions	On	URLs listed here are accessed without prior authentication. The default URLs are pages that are used for Securepoint Antivirus Pro. Further information can be found in the article HTTP proxy authentication exceptions	Section authentication exceptions
			Section authentication exceptions
Virusscan General
Virusscan:	On	The virus scanner is activated and the associated service is running. The HTTP proxy can check traffic for viruses (default setting)	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log Area Virusscan
	On	The virus scanner service is deactivated. The HTTP proxy is not working correctly. The service can be started via the menu Applications Application status Virusscan
	On	The virus scanner service is deactivated. The HTTP proxy is not working correctly.notempty On devices with less than 3GB RAM, the service for the virus scanner cannot start. Please change to current hardware or allocate more RAM! Once this configuration is running in an environment with enough RAM, the service will be resumed.
	Off	The virus scanner is deactivated.
Maximum scan size limit:	2 Megabytes	Sets the size of the files to be scanned by the virus scanner
Trickle Time:	5 seconds	Interval at which data is transferred from the proxy to the browser so that the browser does not stop loading during the virus check
Allowlist ICY-Protokoll:	Off	A web radio protocol that can be excluded from testing
Allowlist:	On	This enables or disables the following Allowlist entries. The blocklist is always activated!
Cache Updates notempty New as of v12.7.2	Off	When activated On, the virus database updates are distributed to the connected clients with Securepoint Antivirus Pro after the initial download. In this way, traffic is reduced and the updates are rolled out smoothly.
Mime types blocklist Mime types blocklist
Mime Type	application/x-shockwave-flash Example	Mime types listed here are blocked in any case. The button opens a dialogue in which a mime type can be selected from a dop-down menu or an individual type can be entered. Diese Funktion ist nur aktiv, falls der Virenscanner aktiviert ist! Erklärung der Funktionsweise anzeigen Die MIME-Type Erkennung erfolgt bereits nach den ersten paar Bytes der Datei, im Normalfall ist diese auch korrekt und die Blockliste wird angewendet. Außerdem gibt es einen Rescan-Mechanismus, dieser ermittelt den MIME-Type für Microsoft-Compound Storage Formate erneut, wenn die vollständige Datei vorliegt oder der geladene Anteil der Datei das Größenlimit des Virenscanners erreicht hat. Somit ist die Erkennung nicht immer 100 prozentig perfekt, stellt aber einen optimalen Kompromiss aus Effizienz und Treffgenauigkeit dar.
Mime-Type Allowlist Mime-Type Allowlist
Mime Type	application/pkcs10 Example	Mime types listed here are not scanned. Standard defaults: audio/* image/* video/*
Websites Allowlist Websites Allowlist
Regex	^[^:]://[^\.]\.ikarus\.at/	Here it is possible to create your own filters based on Regular Expressions (Regex). notempty Viruses from these pages are not detected! Some update servers that cause problems when using a virus scanner are already preconfigured. Hint: [{#var:host}/UTM/FAQ#iTunes_zulassen Further exceptions] are necessary so that iTunes can communicate correctly with the internet.

Bandwidth
Bandwidth limiting policy:	None	Default	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log Area Bandwidth
	Limit total bandwidth	In this case, the proxy only uses the specified maximum bandwidth and leaves the rest of the bandwidth untouched by your internet connection. (This bandwidth is shared by all hosts connected to the proxy.)
	Per host bandwidth	Bandwidth for each host. The limited bandwidth for hosts cannot exceed the global bandwidth.
Global bandwidth:	2.000.000 kbit/s	Default value, if activated
Per host bandwidth:	64.000 kbit/s	Default value, if activated

App Blocking
The general app blocking with fixed ports has been removed. Individual apps, or the ports they use, can be blocked flexibly via the packet filter.

SSL-Interception With the SSL interception feature, it is possible to recognise malicious code in SSL-encrypted data streams at the gateway. It interrupts the encrypted connections and makes the data packets visible to virus scanners and other filters. Data transmission to the client is then encrypted again. To do this, however, it is necessary to create a CA under Authentication Certificates and select this in the CA certificate field.
Caption	Value	Description	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log SSL Interception tab
Enabled:	Off	The SSL-Interception is turned off
	Only webfilter based	When enabled, only connections blocked by the web filter are intercepted. This avoids the problem that there are sites that do not tolerate an interruption of the encryption (e.g. banking software) without having to define an exception for it.
	Always	Activates the SSL interception
Validate SNI:	Yes	When activated, any SNI in the ClientHello of the TLS handshake is checked. The host name contained is resolved and the addresses in the result are compared with the target address of the intercepted request. If they do not match, the connection is closed. Without SNIServer Name Indication validation, clients can manipulate SNI arbitrarily to bypass the web filter. This setting should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy and the UTM clients. If the client and UTM use different DNS servers, this can lead to false positives.
Allow non identified protocols:	Yes	If this switch is deactivated, unrecognized protocols are blocked.
CA-Certificate:	CA-SSL-Interception	Here, a CA must be selected that can re-encrypt the connection after decryption (and scanning). The public key of the CA must be installed on all client computers that are to use SSL Interception. Download can be done here directly with Download public key.
CA-Certificate:	Download public key	The public key should be installed on the clients that are going to use SSL interception to avoid certificate errors.
Peer verification: not for Only webfilter based	On	This should definitely be enabled! With this, the HTTP proxy checks whether the certificate of the called page is trustworthy. Since the browser only sees the local certificate, a check by the browser is no longer possible.
Exceptions for SSL-Interception not for Only webfilter based	Off	It is possible to define exceptions in the format of Regular Expressions. However, since only https can arrive here, it is not filtered for protocols, unlike the virus scanner. With + Regex new exceptions are added. ‍ So an exception for www.securepoint.de would be: .*\.securepoint\.de" Regex exceptions do not apply to transparent mode!
Compare exceptions with the SNI: Only available if salidate SNI is active.	Off	Applies SNIServer Name Indication validation only to activated Exceptions of SSL-Interception .
Peer verification exceptions only if peer verification is active	Off	Here exceptions for certificate verification in regex format can be added.

Transparent Mode
Transparent Mode	On	Due to the transparent mode, the proxy is not visible to the clients, the client sees its internet connection (HTTP) as if no proxy was connected in front of it. Nevertheless, the entire HTTP stream goes through the proxy, which means that no settings have to be made on the client. However, there are the same possibilities to analyze / block / filter / manipulate the data stream as if a fixed proxy were used. Each network object or group of network objects that are to use the transparent proxy must be stored here.	HTTP-Proxy UTMuser@firewall.name.fqdnApplications HTTP-Proxy Log Area Transparent Mode

Add Transparent Rule
Protocol:	HTTP or HTTPS	Protocol that is used	Add Transparent Rule UTMuser@firewall.name.fqdnApplicationsHTTP-Proxy Adding a Transparent Rule
Type:	INCLUDE	The transparent mode is applied
Type:	EXCLUDE	Transparent mode is not applied
Source:	internal-network	Source network object created under Firewall Packetfilter Area Network objects
Destination:	internet	Destination network object