Configuration of the HTTP proxy
Last adaptation to the version: 12.6.2
New:
- General [| app blocking] was removed
Introduction
The proxy serves as an intermediary between the internet and the network to be protected.
The clients send their request to the proxy and the proxy passes it on to the corresponding servers.
The actual address of the client remains hidden from the server.
In this way, it is possible to check the data traffic for viruses and unwanted content.
General
| Caption | Value | Description | UTMuser@firewall.name.fqdnApplications  Tab General
|
|---|---|---|---|
| Proxy Port: | 8080 |
Specifies on which port the proxy is to be addressed | |
| Outgoing Address: | The Outgoing Address is used for two scenarios:
In this example, the proxy is bound to the faster DSL line:
Connection to a web server in the VPN network:
| ||
| Forward requests to system-wide parent proxy: | No | If another proxy is used before the HTTP proxy, this function must be activated. The configuration takes place under | |
| IPv4 DNS-lookups preferred: | Yes | Here you can specify whether the name resolution should preferably be done with IPv4 addresses | |
| Logging (Syslog lokal): | Off | Writes a general Syslog for the HTTP proxy (Open: Area Log | |
| Logging (Statistics): | On | Writes a statistical Log call: Area HTTP proxy statistics | |
| Authentication method: | The proxy offers various possibilities for authentication. The possibilities are: | ||
| None | The HTTP proxy processes all requests without authentication | ||
| Basic | With basic authentication, the users are queried against the stored users under Area User on the firewall | ||
| NTLM / Kerberos | Here the firewall must be made known to the server. This can be set up in the web interface under | ||
| Radius | Here the firewall must be made known to the server. This can be set up in the web interface under | ||
| Allow access only from local sources: | Yes default |
Access to the HTTP proxy is now only possible from internal sources. These are:
| |
| Allow access to local destinations: | Yes default |
All internal networks can also be reached via the HTTP proxy (the packetfilter has already been passed through to reach the HTTP proxy). Disabling it prevents this and access to other internal networks must be explicitly allowed via the port filter without an HTTP proxy. | |
| Forward Microsoft connection-oriented authentication: | No | If it is enabled, login or authentication to websites is possible. For some websites this is not possible otherwise. Mit dieser Option werden NTLM, Negotiate und Kerberos Authentifizierungen weitergeleitet If SSL-Interception is active, this parameter must be enabled for HTTPS-based authentications, otherwise no authentication/login is possible on these websites.
| |
| Authentication exceptions | On | URLs listed here are accessed without prior authentication. The default URLs are pages that are used for Securepoint Antivirus Pro. Further information can be found in the article HTTP proxy authentication exceptions |
 |
Virusscan | |||
| Virusscan: | On | The virus scanner is activated and the associated service is running. The HTTP proxy can check traffic for viruses (default setting) |
UTMuser@firewall.name.fqdnApplications  Tab Virusscan
|
| On | The virus scanner service is deactivated. The HTTP proxy is not working correctly. The service can be started via the menu Virusscan | ||
| On | The virus scanner service is deactivated. The HTTP proxy is not working correctly.notempty On devices with less than 3GB RAM, the service for the virus scanner cannot start. Please change to current hardware or allocate more RAM! | ||
| Off | The virus scanner is deactivated. | ||
| Maximum scan size limit: | 2 Megabytes |
Sets the size of the files to be scanned by the virus scanner | |
| Trickle Time: | 5 seconds |
Interval at which data is transferred from the proxy to the browser so that the browser does not stop loading during the virus check | |
| Allowlist ICY-Protokoll: | Off | A web radio protocol that can be excluded from testing | |
| Allowlist: | On | This enables or disables the following Allowlist entries. The blocklist is always activated!
| |
| Mime types blocklist | |||
| application/x-shockwave-flash Example |
Mime types listed here are blocked in any case. The button opens a dialogue in which a mime type can be selected from a dop-down menu or an individual type can be entered. | ||
| Mime-Type-Allowlist | |||
| application/pkcs10 Example |
Mime types listed here are not scanned. Standard defaults:
| ||
| Websites Allowlist | |||
| ^[^:]*://[^\.]*\.ikarus\.at/ | Here it is possible to create your own filters based on Regular Expressions (Regex). notempty Viruses from these pages are not detected! Some update servers that cause problems when using a virus scanner are already preconfigured. Hint: [{#var:host}/UTM/FAQ#iTunes_zulassen Further exceptions] are necessary so that iTunes can communicate correctly with the internet. | ||
Bandwidth | |||
| Bandwidth limiting policy: | None | Default | UTMuser@firewall.name.fqdnApplications  Tab Bandwidth
|
| Limit total bandwidth | In this case, the proxy only uses the specified maximum bandwidth and leaves the rest of the bandwidth untouched by your internet connection. (This bandwidth is shared by all hosts connected to the proxy.) | ||
| Per host bandwidth | Bandwidth for each host. The limited bandwidth for hosts cannot exceed the global bandwidth. | ||
| Global bandwidth: | 2.000.000 kbit/s |
Default value, if activated | |
| Per host bandwidth: | 64.000 kbit/s |
Default value, if activated | |
App Blocking | |||
| The general app blocking with fixed ports has been removed. Individual apps, or the ports they use, can be blocked flexibly via the packet filter. | |||
SSL-InterceptionWith the SSL interception feature, it is possible to recognise malicious code in SSL-encrypted data streams at the gateway. It interrupts the encrypted connections and makes the data packets visible to virus scanners and other filters. Data transmission to the client is then encrypted again. To do this, however, it is necessary to create a CA under and select this in the CA certificate field. | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnApplications  SSL Interception tab
|
| Enabled: | The SSL-Interception is turned off | ||
| When enabled, only connections blocked by the web filter are intercepted. This avoids the problem that there are sites that do not tolerate an interruption of the encryption (e.g. banking software) without having to define an exception for it. | |||
| Activates the SSL interception | |||
| Validate SNI: | Yes | When activated, any SNI in the ClientHello of the TLS handshake is checked. The host name contained is resolved and the addresses in the result are compared with the target address of the intercepted request. If they do not match, the connection is closed. Without Server Name Indication validation, clients can manipulate SNI arbitrarily to bypass the web filter. This setting should only be considered as a last resort when it seems impossible to standardize the DNS settings between the HTTP proxy and the UTM clients. If the client and UTM use different DNS servers, this can lead to false positives.
| |
| Allow non identified protocols: | Yes | If this switch is deactivated, unrecognized protocols are blocked. | |
| CA-Certificate: | CA-SSL-Interception | Here, a CA must be selected that can re-encrypt the connection after decryption (and scanning). The public key of the CA must be installed on all client computers that are to use SSL Interception. Download can be done here directly with . | |
| The public key should be installed on the clients that are going to use SSL interception to avoid certificate errors. | |||
| Peer verification: not for Only webfilter based |
On | This should definitely be enabled! With this, the HTTP proxy checks whether the certificate of the called page is trustworthy. Since the browser only sees the local certificate, a check by the browser is no longer possible. | |
| Exceptions for SSL-Interception not for Only webfilter based |
Off | It is possible to define exceptions in the format of Regular Expressions. However, since only https can arrive here, it is not filtered for protocols, unlike the virus scanner. With new exceptions are added. So an exception for www.securepoint.de would be:
.*\.securepoint\.de" | |
| Compare exceptions with the SNI: Only available if salidate SNI is active. |
Off | Applies Server Name Indication validation only to activated Exceptions of SSL-Interception . | |
| Peer verification exceptions only if peer verification is active |
Off | Here exceptions for certificate verification in regex format can be added. | |
Transparent Mode | |||
| Transparent Mode | On | Due to the transparent mode, the proxy is not visible to the clients, the client sees its internet connection (HTTP) as if no proxy was connected in front of it. Nevertheless, the entire HTTP stream goes through the proxy, which means that no settings have to be made on the client. However, there are the same possibilities to analyze / block / filter / manipulate the data stream as if a fixed proxy were used. Each network object or group of network objects that are to use the transparent proxy must be stored here. |
UTMuser@firewall.name.fqdnApplications  Tab Transparent Mode
|
| Protocol: | HTTP or HTTPS |
Protocol that is used | UTMuser@firewall.name.fqdnApplicationsHTTP-Proxy  Adding a Transparent Rule
|
| Type: | INCLUDE | The transparent mode is applied | |
| EXCLUDE | Transparent mode is not applied | ||
| Source: | internal-network | Source network object created under Area Network objects | |
| Destination: | internet | Destination network object | |
Captive Portal
The Captive Portal is configured since v12.1 in its own menu under . There is a separate Wiki-article for this.