Understanding Sophos Web Filtering

  • Article ID: 115865
  • Rating:
  • 36 customers rated this article 3.5 out of 6
  • Updated: 19 May 2015

This article explains various features & operation modes of Sophos Web Filtering. 

If you're looking for instructions or examples of how to configure UTM Web Protection, please see the Administrator Guide, section 9 (page 285).

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM Software Appliance
Sophos UTM

Operating systems
v7, v8, v9

Transparent Operation

Transparent modes do not require proxy settings within client browsers be enabled. These modes are the simplest to implement, since no client browser configuration is necessary.


  • No client side configuration necessary for HTTP filtering. 
  • Filtering is naturally enforced from the UTM. 
  • It can be enabled and fully implemented on any network in moments.


  • Single Sign-On(SSO) user authentication is not possible prior to version 9.2. In the older versions, users could only be authenticated by requesting credentials. 
  • Only port 80 web traffic can be silently intercepted and filtered. Port 443 HTTPS traffic can also be transparently proxied, but prior to 9.2, a new signing certificate must be installed on user systems to allow this this to be filtered silently. In 9.2, SNI-based HTTPS filtering is possible, which allows you to filter HTTPS content without installing a certificate, but does not allow in-stream antivirus scanning of web traffic.
  • Because transparent modes do not allow the browser to know it is being proxied, it may not behave optimally in every instance. For example, a website which is slow to respond may timeout in the user's browser in transparent mode, but the page may load successfully in a standard proxied mode.

Transparent Modes

There are two different transparent operation modes available, Transparent and Transparent with Authentication.


Transparent mode applies the same filtering options to all computers within the networks that it is configured to protect. It does not authenticate users, and cannot differentiate by anything other than IP address.

Transparent with Authentication

Transparent with Authentication mode will initially direct users to a webpage requesting credentials, and optionally requiring them to agree to the displayed terms of use. This allows different filter actions to be created for different users or groups.

Standard operation

Standard modes require that the browser be configured to use or to look for a proxy server. They require some initial setup, but when done correctly, can offer the maximum amount of flexibility.


  • Supports SSO modes of authentication in all recent UTM versions. 
  • Web servers running on non-standard ports will be filtered, HTTPS requests will be seen and can be content filtered without additional effort. 
  • The client browser is aware that it is being proxied.


  • Requires client browsers to be configured to use the proxy.
  • If the proxy is not set by a Proxy Auto-Configuration Script, bypassing the proxy for special URLs must be done within the client browser.

Standard Modes

These standard operation modes are available: 

  • Agent
  • Browser
  • Basic User Authentication 
  • Actve Directory SSO 
  • eDirectory SSO 
  • Apple OpenDirectory SSO


This mode does not support any form of authentication. Clients may only be filtered by source IP address.


This mode activates the Sophos Authentication Agent (SAA). The agent has to be installed and can be downloaded via the WebAdmin page Definitions & Users > Client Authentication or the User Portal. Users have to start the agent and authenticate in order to be able to use the web filter.


This mode allows username-based tracking, reporting and surfing without client-side browser configuration. You can enable a disclaimer that is additionally displayed on the dialog window for login and needs to be accepted by users to be able to go on.

Basic User Authentication

Basic User Authentication mode will request authentication when new connections are made to the proxy. Client browsers will request this authentication in the form of a popup authentication dialog box. Once authenticated, clients will be able to surf without being authenticated until their session ends.

Active Directory SSO

Active Directory SSO (single sign-on) mode requires that UTM be joined to the Active Directory domain. Using Kerberos or NTLM, every web session is authenticated silently. The browser is prompted to provide a valid authentication token, which is validated against the AD server. If this process fails, or the account information is invalid, the Authentication fails and it depends of the Browser if a prompt will appear to request credentials from the user. Provided credentials are validated by the directory server.

eDirectory SSO

eDirectory SSO mode requires that UTM be configured with credentials to communicate with at least one eDirectory server within the eDirectory tree. UTM will then communicate with the directory server to track the IP address of all logged in users. When a web request is made by a client, the source is checked against all current logged in users. If no user is known to be logged in at the requesting client, then UTM will fallback to Basic User Authentication mode, and prompt the browser to request credentials from the user. Provided credentials are validated by the directory server.

Apple OpenDirectory SSO

Apple OpenDirectory SSO mode requires to upload a MAC OSX single sign-on Kerberos keyfile. In this mode clients must have specified the web filter as HTTP proxy in their browser configuration.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent