Proxy

Setting up a direct connection to the proxy server.


Proxy Server for Web Traffic

You do not need to explicitly specify the proxy settings on the LAN hosts. Specifying UTM as the default gateway for devices on the network is sufficient.

By default, traffic is not cached to disk; caching is done in the server's RAM. You can enable caching of web traffic to disk in Services -> Proxy, but we do not recommend doing this because of the excessive load on the disk subsystem. As a rule, caching to RAM is sufficient.

Direct connections to the proxy server can be configured by checking the corresponding box in the section Services -> Proxy and specifying the IP address and port on the UTM side. These details should then be specified on the LAN devices whose web traffic needs to pass through the proxy.

To configure HTTPS traffic filtering, you need to add a root UTM certificate to users' computers. Read more in the article on Setting up HTTPS filtering.

Below is a screenshot of the General tab in the Proxy section.
1. Proxy Server.png


Role of Proxy Server in the Operation of SafeUTM Gateway

The proxy server, in addition to proxying web traffic, plays the role of a master service for several services related to processing, monitoring, and accounting for user web traffic on the gateway, namely:


Direct Connections to Proxy Server

This mode is used when SafeUTM is not the default gateway for network clients.

Setting up the mode

In this mode, UTM can provide hosts with web content and with traffic on other ports (all ports by default; if necessary, you can close ports with the firewall) and, where needed, perform accounting (quotas), monitoring, and checking of web traffic for viruses, content and malicious content, if the following conditions are met:

If it is not possible to specify a proxy server in the program settings for Windows or Mac OS X, then you can use third-party software to route all workstation traffic to the proxy server. For example, Proxifier provides such an opportunity. For more information on how to configure Proxifier for direct connections to the proxy server, see an article by following the link.


Exclusion of Resources from Proxy Server Processing

On the Exceptions tab, it is possible to exclude resources from processing by the proxy server and all related services (content filter, web reporting, antiviruses).

We strongly discourage you from excluding the ENTIRE LAN from proxy server processing.

When connecting directly to a proxy server, traffic cannot be excluded from proxy processing. You need to exclude traffic in the proxy server settings on the device (in the web browser or the proxy server system settings).
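
One way to express such client-side exclusions is a proxy auto-config (PAC) file set in the browser or system proxy settings. This is an added example, not SafeUTM code: the proxy address `192.0.2.1:3128` and both exclusion lists are constructed placeholders for the IP address and port chosen in Services -> Proxy and for your own internal resources.

```javascript
// Added example (not SafeUTM code): PAC file for direct connections to the proxy.
// PROXY_ADDR and both exclusion lists are constructed placeholders.
var PROXY_ADDR = "192.0.2.1:3128"; // assumption: IP and port set in Services -> Proxy
var DIRECT_NETS = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"];
var DIRECT_DOMAINS = ["intranet.example"];

// Parse a dotted-quad IPv4 literal; return null for anything else.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the integer address lies inside the CIDR block.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var size = Math.pow(2, 32 - parseInt(parts[1], 10));
  return Math.floor(ip / size) === Math.floor(ipv4ToInt(parts[0]) / size);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");
  var ip = ipv4ToInt(host);
  if (ip !== null) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inCidr(ip, DIRECT_NETS[i])) return "DIRECT";
    }
  } else {
    for (var j = 0; j < DIRECT_DOMAINS.length; j++) {
      var d = DIRECT_DOMAINS[j];
      // Match the domain itself or a true subdomain, never a bare suffix.
      if (host === d || host.slice(-(d.length + 1)) === "." + d) return "DIRECT";
    }
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently bypassing filtering, reporting and antivirus.
  return "PROXY " + PROXY_ADDR;
}
```

Keep the exclusion lists as narrow as possible: anything that returns `DIRECT` here never reaches the content filter, web reporting or antivirus.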

Configuring Proxy with Single Interface

If necessary, SafeUTM can be used with a single interface as a proxy server to which clients connect directly.


To do this, you need to perform the following settings:

  1. When creating a local interface in Services -> Network interfaces, Gateway needs to be specified:

    1. Configuring Proxy with Single Interface.png

  2. Allow direct connections to the proxy server on the tab Services -> Proxy by selecting the desired port from the list:

    2. Configuring Proxy with Single Interface.png

When using SafeUTM as a proxy server with direct connections to the proxy, most of the functions will work normally, but with some peculiarities:

Exclude IP Addresses from Proxy Server Processing

Setting up exceptions so that the traffic of individual users, or traffic to certain Internet resources, is not passed through and processed by the web proxy that is part of UTM.


Resource exclusions from proxy server processing only work for transparent proxy mode. With direct connections to the proxy server, it is impossible to exclude anything from proxy processing.

Two types of exceptions can be configured:

You can only specify IP addresses or IP networks.

Traffic excluded from proxy processing will not participate in Reports, and also cannot be tested for viruses and processed by the Content filter module. At the same time, such traffic will be checked by a firewall, intrusion prevention services, and application control.
1. Exclude IP Addresses from Proxy Server Processing.png


Programs Running on Protocols Other Than HTTP(S) via Web Proxy

Some programs that send traffic to their servers on ports 80 and 443, but at the same time work on protocols other than HTTP(S), cannot be processed by a web proxy server on UTM with HTTPS traffic filtering enabled. The traffic of such programs should be excluded from proxy processing in the Destination networks field.

Connecting to External ICAP Services

Sending HTTP(S) traffic for analysis to third-party servers using ICAP protocol.


In this case, traffic to these servers (which may include DLP systems, antiviruses, and web filters) is transmitted in decrypted form.

You can configure the connection to servers via ICAP in Services -> Proxy on the ICAP tab.
1. Connecting to External ICAP Services.png

It is possible to establish a connection to several ICAP services simultaneously.
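
To make "transmitted in decrypted form" concrete, the following added example frames one HTTP request as an ICAP REQMOD message according to RFC 3507 and then reads it back the way an ICAP server would. It is not SafeUTM code or captured SafeUTM output; the host names, the service path and the sample request are constructed.

```javascript
// Added example: RFC 3507 REQMOD framing, not output captured from SafeUTM.
// Host names, service path and the HTTP request are constructed sample data.
const CRLF = "\r\n";

// Wrap one already-decrypted HTTP request in an ICAP REQMOD message.
function buildReqmod(icapHost, service, httpHead, body) {
  const head = Buffer.from(httpHead, "latin1"); // request line, headers, blank line
  const hasBody = body.length > 0;
  const icapHead = [
    "REQMOD icap://" + icapHost + "/" + service + " ICAP/1.0",
    "Host: " + icapHost,
    // The offset is the byte position where the HTTP body (or its absence) starts.
    "Encapsulated: req-hdr=0, " + (hasBody ? "req-body=" : "null-body=") + head.length,
    "", ""
  ].join(CRLF);
  const parts = [Buffer.from(icapHead, "latin1"), head];
  if (hasBody) {
    // ICAP carries the body chunked and ends it with a zero-length chunk.
    parts.push(Buffer.from(body.length.toString(16) + CRLF, "latin1"), body,
               Buffer.from(CRLF + "0" + CRLF + CRLF, "latin1"));
  }
  return Buffer.concat(parts);
}

// What the ICAP server (DLP, antivirus, web filter) recovers from the message.
// Handles the single-chunk body produced by buildReqmod above.
function readReqmod(msg) {
  const text = msg.toString("latin1"); // latin1 keeps one character per byte
  const start = text.indexOf(CRLF + CRLF) + 4; // first byte after the ICAP headers
  const m = /Encapsulated: req-hdr=0, (req-body|null-body)=(\d+)/.exec(text.slice(0, start));
  if (!m) throw new Error("unsupported Encapsulated header");
  const offset = parseInt(m[2], 10);
  const httpHead = text.slice(start, start + offset);
  let body = "";
  if (m[1] === "req-body") {
    const rest = text.slice(start + offset);
    const eol = rest.indexOf(CRLF);
    const len = parseInt(rest.slice(0, eol), 16); // chunk size is hexadecimal
    body = rest.slice(eol + 2, eol + 2 + len);
  }
  return { httpHead: httpHead, body: body };
}

const SAMPLE_HEAD = ["POST /login HTTP/1.1", "Host: shop.example",
  "Cookie: session=CONSTRUCTED", "Content-Length: 27", "", ""].join(CRLF);
const SAMPLE_BODY = Buffer.from("user=alice&password=example", "latin1");
```

Under Node.js, `readReqmod(buildReqmod("icap.example", "reqmod", SAMPLE_HEAD, SAMPLE_BODY))` returns the cookie header and the form body as plain text. The ICAP server, and the network path between UTM and that server, therefore see the same data the client sent inside TLS.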