by Etienne Liebetrau
UPDATE! This article refers to Sophos UTM 9.2. The UI for configuring Sophos UTM as a Transparent proxy has since changed slightly in UTM 9.3. For the latest information, please refer to our updated article Easily Evaluate Sophos UTM 9.3 Using Full Transparent Mode.
One of the biggest hurdles for evaluating and implementing a new firewall (such as a Forefront TMG replacement), is disruption to the existing network. You need to be able to put the firewall in line as the network's default gateway, but you can't make proxy or routing changes because business needs to carry on as usual. Historically, the only way to do this was to unplug the old one and plug in the new one.
Fortunately, Sophos UTM solves this problem with its ability to operate in 'Full Transparent' mode. This mode allows you to place the UTM in between your internal network and your existing firewall, and transparently pass all traffic through it without changing the source or destination IP addresses. Your existing firewall therefore sees the traffic exactly as it did before and no services are affected.
To understand why this is an awesome feature, let's quickly recap all the possible operational modes:
For more details on how the modes work and how they differ, check out our other article Sophos UTM Operation Modes: Standard, Transparent vs Full Transparent.
To use Full Transparent mode, you need a Sophos UTM with a minimum of three network interfaces. One of these will be used for the internal network (UTM management etc), and the other two will be bridged.
Bridging the interfaces turns the UTM into a pass-through, as if it were a piece of wire. This allows you to simply plug the Sophos UTM in before your existing firewall, and it will essentially be invisible to your other network devices because both the source and destination IP addresses are retained.
In the diagram above, the green arrows indicate the default flow of traffic through the network. The red arrow represents the two interfaces in bridge mode. All traffic will flow through the Sophos UTM, and the UTM will see the client IP and pass it through without changing it. The Internet router will see all traffic coming from the original client IP.
The purple arrow represents traffic from the Sophos UTM's internal interface. Managing the UTM will occur through this interface, and it will also be used when connecting to Active Directory or other internal resources.
Using full transparent mode allows you to easily insert the UTM into your existing network. Simply take the existing cable going from the switch to the router and plug it into one of the UTM's bridged interfaces. Then plug in a second cable into the UTM's other bridge interface and plug the other end into your router. If the configuration is correct, all traffic will flow through without any problems. The steps below will guide you through the configuration.
As mentioned, ensure your UTM has three network interfaces. After the initial build, follow the normal getting started wizard, where you specify the internal and external interfaces, each with its own IP address. You can complete the rest of the wizard to set up your base configuration.
The wizard only allows you to assign a single network adapter to an interface, but for the bridge we need to use two network adapters. This section explains how to create the bridge and assign it as an interface.
Now that the bridge is created, we need to configure its IP address and default gateway. Even though the bridge operates at Layer 2 of the OSI model, it still requires an IP address because it is the 'default gateway' for the UTM. Other features of the UTM, such as login pages for the Web Application Firewall, also require an IP address.
The bridge now exists but by default it will not allow any traffic through. We can specify a very permissive rule because the existing firewall will still be filtering traffic and protecting your network.
Sophos UTM is now configured as a Full Transparent firewall. You should now be able to access all of the services offered by the existing firewall. You can also confirm this by looking at the Sophos UTM’s firewall live log.
Now that Sophos UTM is transparently inline and not disrupting any existing services, you can start testing the features of the UTM. Let's start by enabling Sophos UTM's comprehensive Web filtering feature only for a few test machines.
The Sophos UTM is now configured to listen for web requests coming from your test machine. You do not need to specify a proxy because the traffic makes its way through the network to the bridged interface via the default gateway.
If you look at your existing firewall logs, you will see the traffic from the test machine. Once you have tested the feature thoroughly, you have the option of adding more client IPs or Networks to the 'Allowed Networks' list, and eventually disabling web filtering on your existing firewall.
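As an added check that is not part of the original article, the Python below parses packet filter log lines written in the key="value" style of the UTM's live log (the field names and the sample lines are constructed and assumed, not taken from a real UTM), tallies what crosses the bridge interface, flags any source address outside the internal client range (which would mean the client IP is not being retained as transparent mode promises), and lists which web clients fall inside the 'Allowed Networks' handed to the web filter.

```python
import ipaddress
import re

# Constructed sample lines in the key="value" style of the Sophos UTM packet
# filter live log. Field names (initf, srcip, dstip, ...) are an assumption.
SAMPLE_LOG = """\
id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="br0" srcip="192.168.10.21" dstip="203.0.113.5" proto="6" srcport="51000" dstport="443"
id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="br0" srcip="192.168.10.40" dstip="198.51.100.9" proto="6" srcport="51002" dstport="80"
id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="br0" srcip="10.99.0.7" dstip="203.0.113.5" proto="17" srcport="40000" dstport="53"
id="2002" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="br0" srcip="192.168.10.40" dstip="203.0.113.7" proto="6" srcport="51010" dstport="25"
id="2002" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.10.21" dstip="192.168.10.1" proto="6" srcport="51011" dstport="22"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def audit_bridge(log_text, bridge_if, client_net, allowed_nets):
    """Summarise traffic seen on the bridged interface.

    unexpected_src: sources on the bridge that are not inside client_net, i.e.
    addresses that should not appear if the UTM is passing client IPs through
    unchanged. filtered_clients: sources of web traffic (80/443) that are
    inside the web filter's Allowed Networks list.
    """
    client_net = ipaddress.ip_network(client_net)
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    report = {"accepted": 0, "dropped": 0,
              "unexpected_src": [], "filtered_clients": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("initf") != bridge_if:
            continue  # only traffic crossing the bridge matters here
        if rec.get("action") != "accept":
            report["dropped"] += 1
            continue
        report["accepted"] += 1
        src = ipaddress.ip_address(rec["srcip"])
        if src not in client_net:
            report["unexpected_src"].append(str(src))
        if rec.get("dstport") in ("80", "443") and any(src in n for n in allowed):
            report["filtered_clients"].add(str(src))
    return report
```

Run it against a saved copy of the live log with your own bridge name, internal subnet and Allowed Networks; a non-empty unexpected_src list is the first thing to investigate.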
Sophos UTM’s Full Transparent mode provides a great way to evaluate the UTM and systematically transition functionality with very little interruption to your existing network.
Full transparent mode does not necessarily need to be strictly temporary. Depending on the scenario, full transparent mode could remain the preferred method for some or all traffic.
I hope this helps with your Sophos UTM testing and deployment. Let me know how you go in the comments!