Proxy
Setting up a direct connection to the proxy server.
Proxy Server for Web Traffic
You do not need to explicitly specify the proxy settings on the LAN hosts. Specifying UTM as the default gateway for devices on the network is sufficient.
By default, caching of traffic to disk is disabled, but it is carried out in the server RAM. You can enable caching of web traffic to disk in Services -> Proxy, but we do not recommend doing this because of excessive load on the disk subsystem. As a rule, caching to RAM is sufficient.
Direct connections to the proxy server can be configured by checking the corresponding box in the section Services -> Proxy and specifying the IP address and port on the UTM side. Then these details should be specified on those LAN network devices whose web traffic needs to be passed through a proxy.
To configure HTTPS traffic filtering, you need to add a root UTM certificate to users' computers. Read more in the article on Setting up HTTPS filtering.
Below is a screenshot of the General tab in the Proxy section.
Role of Proxy Server in the Operation of SafeUTM Gateway
The proxy server, in addition to proxying web traffic, plays the role of a master service for several services related to processing, monitoring, and accounting for user web traffic on the gateway, namely:
- Antivirus for web traffic (ClamAV).
- Web traffic reporting service for users.
- Content filter.
Direct Connections to Proxy Server
This mode is used when SafeUTM is not the default gateway for network clients.
Setting up the mode
- Specify the SafeUTM local IP address as a web proxy on the local network on client devices. It is possible to use a proxy server for all protocols.
- In the proxy settings on SafeUTM, the IP address and port for direct connections to the proxy must be specified (you can select ports from the list: 3128, 1080, 8000, 8080, 8888, 8081, 8088, and 10080).
In this mode, UTM will be able to provide hosts with web content and traffic on other ports (by default on all, if necessary, you can close the ports with a firewall), in case of necessity performing accounting (quotas), monitoring and checking web traffic for viruses, content and malicious content if the following conditions are met:
- SafeUTM server has Internet access (its external interface must be in a range that does not overlap with the local subnet and have access to the Internet).
- Authorization of the web traffic consumer host on the UTM server by one of the authorization types supported by UTM.
- Explicit indication of the web proxy address to the host (in the proxy server settings in browsers). For Single Sign-On authorization via Active Directory, you must specify the SafeUTM domain name in the settings, and not its IP address.
If it is not possible to specify a proxy server in the program settings for Windows or Mac OS X, then you can use third-party software to route all workstation traffic to the proxy server. For example, Proxifier provides such an opportunity. For more information on how to configure Proxifier for direct connections to the proxy server, see an article by following the link.
Exclusion of Resources from Proxy Server Processing
On the Exceptions tab, it is possible to exclude resources from processing by the proxy server and all related services (content filter, web reporting, antiviruses).
- Source Networks: The proxy server is excluded from processing requests from the specified internal networks or IP addresses.
- Destination networks: The proxy server is excluded from processing requests to external networks or IP addresses (usually addresses of websites or web services).
We strongly discourage you from excluding the ENTIRE LAN from proxy server processing.
When connecting directly to a proxy server, traffic cannot be excluded from proxy processing. You need to exclude traffic in the proxy server settings on the device (in the web browser or the proxy server system settings).