UPDATE! This article refers to Sophos UTM 9.2. The UI for configuring Sophos UTM as a Transparent proxy has since changed slightly in UTM 9.3. For the latest information, please refer to our updated article Easily Evaluate Sophos UTM 9.3 Using Full Transparent Mode.
One of the biggest hurdles for evaluating and implementing a new firewall (such as a Forefront TMG replacement) is disruption to the existing network. You need to be able to put the firewall in line as the network’s default gateway, but you can’t make proxy or routing changes because business needs to carry on as usual. Historically, the only way to do this was to unplug the old one and plug in the new one.
Fortunately, Sophos UTM solves this problem with its ability to operate in ‘Full Transparent’ mode. This mode allows you to place the UTM in between your internal network and your existing firewall, and transparently pass all traffic through it without changing the source or destination IP addresses. Your existing firewall therefore sees the traffic exactly as it did before and no services are affected.
To understand why this is an awesome feature, let’s quickly recap all the possible operational modes:
- Standard Mode: In standard proxy mode you have to explicitly instruct the browser to use the proxy IP and port number, and it only works for browsing.
- Transparent Mode: In transparent mode the traffic ends up at the UTM by following the gateways all the way to it. The UTM then NATs the source address of the traffic from there. This mode supports all types of traffic.
- Full Transparent Mode: Full transparent mode, on the other hand, does not affect the source or destination address in any way. This mode also supports all types of traffic.
For more details on how the modes work and how they differ, check out our other article Sophos UTM Operation Modes: Standard, Transparent vs Full Transparent.
Sophos UTM’s Full Transparent Mode Explained
To use Full Transparent mode, you need a Sophos UTM with a minimum of three network interfaces. One of these will be used for the internal network (UTM management etc), and the other two will be bridged.
Bridging the interfaces turns the UTM into a pass-through like it is a piece of wire. This allows you to simply plug the Sophos UTM in before your existing firewall and it will essentially be invisible to your other network devices as both the source and destination IP addresses are retained.
In the diagram above, the green arrows indicate the default flow of traffic through the network. The red arrow represents the two interfaces in bridge mode. All traffic will flow through the Sophos UTM, and the UTM will see the client IP and pass it through without changing it. The Internet router will see all traffic coming from the original client IP.
The purple arrow represents traffic from the Sophos UTM’s internal interface. Managing the UTM will occur through this interface, and it will also be used when connecting to Active Directory or other internal resources.
Using full transparent mode allows you to easily insert the UTM into your existing network. Simply take the existing cable going from the switch to the router and plug it into one of the UTM’s bridged interfaces. Then plug a second cable into the UTM’s other bridged interface and plug the other end into your router. If the configuration is correct, all traffic will flow through without any problems. The steps below will guide you through the configuration.
Configuring the Sophos UTM Bridge Interface
As mentioned, ensure your UTM has three network interfaces. After the initial build follow the normal getting started wizard where you specify the internal and external interfaces each with their own IP addresses. You can complete the rest of the wizard to set up your base configuration.
The wizard only allows you to assign a single network adapter to an interface, but for the bridge we need to use two network adapters. This section explains how to create the bridge and assign it as an interface.
- Select Interfaces & Routing | Interfaces
- Delete the External Interface
- Select Interfaces & Routing | Bridging
- Toggle the switch for Bridge Status
- Select Bridge Selected NICs (Mixed Mode)
- Select the two interfaces to be used
- Click Create Bridge
Now that the bridge is created, we need to configure its IP address and default gateway. Even though the bridge operates at Layer 2 of the OSI model, it still requires an IP address, as it is the ‘default gateway’ for the UTM itself. Other features of the UTM, such as login pages for the Web Application Firewall, also require an IP address.
- Select Interfaces & Routing | Interfaces | New Interface
- Specify a Name and type
- From the hardware drop down select br0
- Specify a valid IP and Netmask for the network segment the UTM is on.
- Select the Default gateway check box and specify the IP of your existing firewall
- Click Save and then Enable the Interface
Configure the firewall rule(s)
The bridge now exists but by default it will not allow any traffic through. We can specify a very permissive rule because the existing firewall will still be filtering traffic and protecting your network.
- Select Network Protection | Firewall | New Rule
- Specify the Source as Any
- Specify the Service as Any
- Specify the Destination as Any
- Action Allow
- Expand Advanced and check the box for Log Traffic
- Click Save and Enable the rule
Sophos UTM is now configured as a Full Transparent firewall. You should now be able to access all of the services offered by the existing firewall. You can also confirm this by looking at the Sophos UTM’s firewall live log.
Testing Sophos UTM’s Web Protection Feature
Now that Sophos UTM is transparently inline and not disrupting any existing services, you can start testing the features of the UTM. Let’s start by enabling Sophos UTM’s comprehensive Web filtering feature only for a few test machines.
- Select Web Protection | Web Filtering
- Toggle the Web Filtering Switch to enable it
- For Operation mode select Full Transparent
- Select Browser Authentication
- For allowed networks specify a client or network segment you want to use for testing.
- Click Apply
Test the client machine
The Sophos UTM is now configured to listen for web requests coming from your test machine. You do not need to specify a proxy because the traffic makes its way through the network to the bridged interface via the default gateway.
- Open a browser and connect to a web site
- You should now see the Browser Authentication challenge from the UTM if authentication is configured. If not, you might want to read our Sophos UTM and Active Directory Step by Step Integration Guide.
- Authenticate, and you should be able to access the site successfully.
If you look at your existing firewall logs, you will see the traffic from the test machine. Once you have tested the feature thoroughly, you have the option of adding more client IPs or Networks to the ‘Allowed Networks’ list, and eventually disabling web filtering on your existing firewall.
Conclusion
Sophos UTM’s Full Transparent mode provides a great way to evaluate the UTM and systematically transition functionality with very little interruption to your existing network.
Full transparent mode does not necessarily need to be strictly temporary. Depending on the scenario, full transparent mode could remain the preferred method for some or all traffic.
I hope this helps with your Sophos UTM testing and deployment. Let me know how you go in the comments!
I followed these directions to the letter but whenever the Web Filtering is turned on I cannot go to any site. I once again have access once I turn off filtering. I know traffic is flowing through the device as I see the logs. It shows:
2015:08:18-22:01:53 sophos httpproxy[5811]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="HEAD" srcip="192.168.1.7" dstip="191.234.4.50" user="" ad_domain="" statuscode="504" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x10fd3000" url="http://au.download.windowsupdate.com/c/msdownload/update/software/secu/2015/08/windows6.1-kb3087985-x64_1fdb41b257e8be5847a92b9b731a5fd89d05e6ed.psf" referer="" error="Connection to server timed out" authtime="0" dnstime="24202" cattime="75265" avscantime="0" fullreqtime="60206480" device="0" auth="0" ua="Windows-Update-Agent" exceptions="av,ssl,fileextension,size" category="175" reputation="trusted" categoryname="Software/Hardware"
Hi Bob
It looks like the traffic is not being authenticated and as such it would be dropped if the default filter action is to deny. The log shows user="" ad_domain="", which means that the session is not authenticated at all.
Is the default web filter action set to deny all?
Are you explicitly authenticating a browser session before you test?
Does this happen if you change the default filter action to allow?
Check those settings and go from there.
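As an added example (not code from the original article or from either commenter), here is a small Python parser for the UTM httpproxy key="value" log format that flags blocked requests with an empty user/ad_domain and surfaces the error field, the two things the reply above checks. The sample log lines are constructed for this example; the hostnames and addresses in them are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample lines in the Sophos UTM httpproxy log format (not real device output).
SAMPLE_LOG = [
    '2015:08:18-22:01:53 sophos httpproxy[5811]: id="0002" severity="info" sys="SecureWeb" '
    'sub="http" name="web request blocked" action="block" method="HEAD" srcip="192.168.1.7" '
    'user="" ad_domain="" statuscode="504" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="http://update.example.com/file.psf" error="Connection to server timed out" '
    'authtime="0" dnstime="24202" fullreqtime="60206480" auth="0" categoryname="Software/Hardware"',
    '2015:08:18-22:02:10 sophos httpproxy[5811]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.9" '
    'user="jdoe" ad_domain="CORP" statuscode="200" url="http://www.example.com/" error="" '
    'authtime="3" dnstime="12" fullreqtime="8541" auth="1" categoryname="Business"',
    '2015:08:18-22:02:31 sophos httpproxy[5811]: id="0002" severity="info" sys="SecureWeb" '
    'sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.9" '
    'user="jdoe" ad_domain="CORP" statuscode="403" url="http://games.example.net/" error="" '
    'authtime="2" dnstime="9" fullreqtime="102" auth="1" categoryname="Games"',
]

# key="value" pairs; values may contain spaces, e.g. the profile name in parentheses.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of one line; the unquoted timestamp/process prefix is skipped."""
    return dict(_KV.findall(line))


def block_reasons(fields: Dict[str, str]) -> List[str]:
    """Explain a blocked request from fields the UTM already logs; empty list if not a block."""
    reasons: List[str] = []
    if fields.get("action") != "block":
        return reasons
    if not fields.get("user") and not fields.get("ad_domain"):
        reasons.append("unauthenticated")  # no browser auth session, as in the thread above
    if fields.get("error"):
        reasons.append("upstream error: " + fields["error"])  # proxy could not reach the server
    if not reasons:
        reasons.append("policy: " + fields.get("categoryname", "unknown category"))
    return reasons


def report_blocks(lines: List[str]) -> List[Dict[str, object]]:
    """One summary record per blocked request, in log order."""
    out: List[Dict[str, object]] = []
    for line in lines:
        f = parse_httpproxy_line(line)
        reasons = block_reasons(f)
        if reasons:
            out.append({"srcip": f.get("srcip", ""), "url": f.get("url", ""), "reasons": reasons})
    return out


if __name__ == "__main__":
    for r in report_blocks(SAMPLE_LOG):
        print(r["srcip"], r["url"], "; ".join(r["reasons"]))
```

Reading the error, dnstime and fullreqtime fields next to the user field tells you whether a block came from authentication, policy, or the proxy failing to reach the destination.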
In transparent mode, can it be configured to set up VPN dial-in? What is the hard limitation of the feature when configuring VPN?
Hi Isaac
In transparent mode the UTM basically acts as a simple NAT for outbound and inbound connections. The VPN would connect to the external IP address and from there (the VPN subnet) you could route to the internal network. Since traffic from the internal network perspective is sourced from the internal IP address, routing back is not a problem. Generally speaking, this is how the VPN works even if you have your outbound traffic set to use standard proxy.
In full transparent mode as this article describes, this would be a little different. I have not set this up or tried it yet so I am speaking under correction here. The UTM does not have an external IP address. The IP address would be the bridge interface’s IP; one would have to set up port forwarding on the edge router to send traffic to the bridge IP, and from there the VPN should function as normal since the traffic from the internal network should originate from the bridge interface’s IP. Internal routing should then be able to route traffic back to this address.
Let us know how it goes if you do set this up.
Regards
Etienne