Sophos Web Appliance in transparent mode with the Astaro Security Gateway (ASG) V8

  • Article ID: 114061
  • Updated: 06 Nov 2012

Deployment Scenario

This article outlines a deployment involving the following:

  • Astaro Security Gateway configured with the two policy routes outlined below, and providing DHCP services to the internal endpoint systems.

  • Sophos Web Appliance in Transparent Mode.

  • Endpoints on the same internal subnet as the Sophos Web Appliance with no proxy settings.

This article applies to the above scenario only. 

Astaro Security Gateway (ASG) Quick Start Guides

http://www.sophos.com/en-us/support/resource-centers/unified/getting-started.aspx

The Getting Started guides provided on this page take the administrator through the preliminary setup of plugging in the device, and logging in to the Web Administrator Interface for the first time.

 

Astaro Security Gateway (ASG) Full Administrator Guide

http://www.sophos.com/en-us/support/documentation/sophos-utm.aspx#

The above link leads you to a page where you can download extremely detailed administration guides for the ASG.

 

Astaro Security Gateway (ASG) Setup

  • Follow the Astaro guide to configure the system, then log in to the Web Interface (https://x.x.x.x:4444).
  • Enter the following section of the Administrator interface:
    Interfaces & Routing -> Static Routing -> Policy Routes
  • Two rules need to be set up so that the ASG transparently routes web traffic.

 

Rule 1 - Exempt Sophos Web Appliance from HTTP services re-direct

a. New Policy Route
b. Position : 1
c. Route Type : Gateway Route
d. Source Interface : << Any >>
e. Source Network : Click the green +.  Create an entry for the Sophos Web Appliance.
f. Service : Click +.  Type of Definition -> Group.  Members -> Click Folder and add associated HTTP(s) services.  Alternatively use the pre-grouped definitions.
g. Destination Network : Any
h. Gateway : Click the green +.  Create an entry for the Gateway IP address on the network.  This is typically the default gateway for the ASG WAN address.
i. Click Save. 

 

 

Rule 2 - HTTP Services re-direct for Internal Network.

a. New Policy Route
b. Position : 2
c. Route Type : Gateway Route
d. Source Interface : << Any >>
e. Source Network : Internal (Network).  This is defined during the setup.  Alternatively, click on the Internal (Network) to make sure it is set appropriately.
f. Service : Click +. Type of Definition -> Group. Members -> Click Folder and add associated HTTP(s) services. Alternatively use the pre-grouped definitions.
g. Destination Network : Any
h. Gateway : Click on the folder.  Use Sophos Web Appliance definition previously created.
i. Click Save.
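
Why the positions of the two policy routes matter, shown as an added example that is not part of the original article or of any Sophos tooling: a small first-match model of Rule 1 and Rule 2. All addresses are constructed, and first-match evaluation by position is an assumption of the model.

```python
import ipaddress

# Constructed sample addressing; none of these values come from the article.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # "Internal (Network)"
SWA = ipaddress.ip_address("192.168.10.5")              # Sophos Web Appliance
WAN_GATEWAY = ipaddress.ip_address("203.0.113.1")       # ASG upstream gateway
ENDPOINT = ipaddress.ip_address("192.168.10.50")        # DHCP client, no proxy
WEB_PORTS = {80, 443}                                   # HTTP(S) service group

# (name, source network, gateway) in position order. Source interface and
# destination network are "Any" in both rules, so they are not modelled.
RULE_1 = ("Rule 1", ipaddress.ip_network(f"{SWA}/32"), WAN_GATEWAY)
RULE_2 = ("Rule 2", INTERNAL_NET, SWA)
ARTICLE_ORDER = [RULE_1, RULE_2]

def next_hop(routes, src, dst_port):
    """Return (rule name, gateway) of the first matching policy route.

    Assumption: routes are evaluated by position and the first match wins.
    Traffic matching no policy route returns (None, None), meaning it
    falls through to the normal routing table.
    """
    src = ipaddress.ip_address(src)
    if dst_port in WEB_PORTS:
        for name, network, gateway in routes:
            if src in network:
                return name, gateway
    return None, None

def audit(routes):
    """List the problems a given rule set would cause in this deployment."""
    findings = []
    name, gateway = next_hop(routes, SWA, 443)
    if gateway == SWA:
        # The appliance lives inside Internal (Network), so Rule 2 matches it.
        findings.append(f"{name} routes the appliance's own traffic back to itself")
    _, gateway = next_hop(routes, ENDPOINT, 80)
    if gateway != SWA:
        findings.append("endpoint web traffic bypasses the appliance")
    return findings

if __name__ == "__main__":
    for label, routes in [("article order", ARTICLE_ORDER),
                          ("positions swapped", [RULE_2, RULE_1]),
                          ("Rule 1 missing", [RULE_2])]:
        print(label, "->", audit(routes) or "OK")
```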

 

 

The summary view should look like the following screenshot:

 

 Make sure that both dots are GREEN under the "Status" Column in the view above.

Web Appliance Setup

Configuration -> Network -> Network Interface

Default Gateway : Astaro Internal Network IP Address
Primary DNS IP : Astaro Internal Network IP Address or Internal DNS Server.

Deployment Mode : Transparent

Is it working? Checklist

  • Can the endpoint surf the web?

  • In the Web Appliance logs, is the endpoint IP address recorded?  If the ASG IP address is shown, there is an issue.

  • Is there any latency?  Latency should be negligible, so if there is slowness in HTTP responses, there may be an issue.  Issues were found with static endpoints.  Once the ASG DHCP server was used to assign addresses to the endpoints, the response time was much faster.

 

 
If you need more information or guidance, then please contact technical support.
