
Configuring General HTTP Proxy Settings

In document Comodo Korugan Software Version 1.4 (Page 178-183)

10.1 HTTP Proxy Server

10.1.1 Configuring General HTTP Proxy Settings

The HTTP proxy service can be enabled/disabled and its general settings can be configured under the 'Configuration' interface.

To configure general settings for HTTP proxy

Click 'Proxy' > 'HTTP' from the left hand side navigation

Open the 'HTTP Proxy: Configuration' interface by clicking the 'Configuration' tab.

Enable HTTP Proxy - Use the toggle switch to enable or disable the HTTP proxy service

The next three drop-downs enable the administrators to configure how the users in the Local Area Network zone (LAN), DMZ zone and WiFi zone can use the proxy service. For each zone, the administrator can configure whether the proxy service needs to be 'Transparent' or 'Non Transparent' from the respective drop-down.

Non Transparent - The proxy server will be available to any user in the network, but users need to manually configure their browsers to find the proxy, using either Proxy Automatic Configuration (PAC) or the Web Proxy Autodiscovery Protocol (WPAD) to set up the browser's proxy settings.

Transparent - The proxy server will be available to any user in the network, without the need to manually configure their browsers. The proxy server automatically handles all the HTTP requests from the internal hosts as per the proxy settings like antivirus scanning, URL/content based filtering and more.

Tip: You can specify individual hosts in the network zone assigned with transparent proxy service for being excluded from the proxy service in the 'Bypass Transparent proxy' pane. Refer to the explanation of the 'Bypass Transparent proxy' pane below for more details.

Other general parameters can be configured from the expandable panes, which open on clicking the respective stripes in the 'HTTP: Configuration' interface. The following sections explain configuring the general parameters through each pane:

The 'Proxy Settings' pane can be opened by clicking the 'Proxy Settings' stripe. The pane allows the administrator to specify global configuration parameters like port used by proxy, upload/download file size limits and so on, for the HTTP proxy service.

Enter the parameters as shown below:

Port used by proxy - Specify the TCP port for the proxy server to listen to HTTP connections (Default = 8080).

Error Language - Choose the language in which the error messages from the proxy server are to be displayed to the users. (Default = Language chosen in the System > GUI Settings interface).

Visible Hostname used by proxy - Specify a hostname for the proxy server. The hostname will be displayed at the bottom of the error messages.

Email used for notification - Enter the sender email address that the proxy server will use for its notification mails.

Maximum download size - Specify the maximum file size allowed for HTTP download (in KB) (0=Unlimited)

Maximum upload size - Specify the maximum file size allowed for HTTP uploading to websites (in KB) (0=Unlimited)

Allowed ports and SSL ports

The 'Allowed ports and SSL ports' pane can be opened by clicking the 'Allowed ports and SSL ports' stripe. The pane allows the administrator to specify TCP ports for receiving connection requests from the hosts in the network, for different services.

Allowed Ports - The text box displays a list of default TCP ports to receive the connection requests from the hosts when using HTTP protocol. The administrator can edit the port numbers and add new ports for additional services.

Comments can also be added to the text box, starting with '#'.

Allowed SSL Ports - The text box displays a list of default TCP ports to receive the connection requests from the hosts when using HTTPS protocol. The administrator can edit the port numbers and add new ports for additional services. Comments can also be added to the text box, starting with '#'.

Log Settings

The 'Log Settings' pane can be opened by clicking the 'Log Settings' stripe. The pane allows the administrator to configure logging for different proxy events. The logs can be viewed from the Logs > Proxy interface. Refer to the section Proxy Traffic Logs for more details.

Choose the log settings as given below:

HTTP proxy logging

Enable logging - Select this check box if you wish to log all the URLs accessed through the proxy server.

The following options are enabled only if this option is enabled.

Query term logging

Log query terms - Select this check box if you wish to include the query parameters (the parameters after the ? in the URL, e.g. ?id=123) in the logs.

Content filter logging

Log content filtering - Select this checkbox if you wish to include the pages subjected to content filtering in the logs.

User agent logging

Log user agents - Select this checkbox if you wish to include the user agents used by the browsers to identify themselves to web servers, in the logs.

Firewall logging (transparent proxies only)

Log outgoing connections - Select this checkbox if you wish to allow the firewall to log the outgoing web access routed through the uplink interface devices. The option works only for network zones configured with transparent proxy services. Refer to the explanation above for more details.

Bypass Transparent Proxy

The administrator can add IP addresses and networks to be excluded from the transparent proxy service in the 'Bypass Transparent Proxy' pane. If a network zone is configured with a transparent HTTP proxy in the setting above, some of the hosts in the network can be excluded from the proxy. The administrator can also specify external web servers to be excluded from the proxy. Both the internal host that raised the request and the external web server requested are ignored by the proxy. No HTTP request from the excluded host will be handled and no resource from the external web server will be cached. The 'Bypass Transparent Proxy' pane can be opened by clicking the 'Bypass Transparent Proxy' stripe.

Bypass transparent proxy from SUBNET/IP/MAC - Specify the sub network or hosts in the internal network zones, for which, the traffic originating from them should bypass the proxy service. The sub networks can be specified in CIDR notation. The hosts can be specified by their IP addresses, MAC addresses or their firewall addresses/group names as specified in Firewall Objects interface.

Bypass transparent proxy to SUBNET/IP - Specify the sub network or external hosts/network for which the traffic directed to them should bypass the proxy service. The sub network can be specified in CIDR notation. The hosts/networks can be specified by their IP addresses or their firewall addresses/group names as specified in Firewall Objects interface.

Tip: You can specify external networks and domains to be excluded from the web proxy service, from the Cache Management pane.
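An added example (not part of the Comodo documentation) for reviewing a 'Bypass transparent proxy from SUBNET/IP/MAC' list: requests from a host matched by an entry are not handled by the proxy, so the script reports which inventory hosts fall outside it, which entries are broad, and which named firewall objects need manual resolution. The entry list, the host inventory, the 16-address threshold and the function names are constructed assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def norm_mac(mac):
    return mac.lower().replace("-", ":")

def parse_entry(entry):
    """Classify a bypass entry as a MAC, an IP network, or a firewall object name."""
    entry = entry.strip()
    if MAC_RE.match(entry):
        return "mac", norm_mac(entry)
    try:
        # A bare IP becomes a single-address network; CIDR may have host bits set.
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "object", entry  # named object/group: cannot be resolved offline

def audit_bypass(entries, hosts, max_addresses=16):
    """Return (hosts that bypass the proxy, broad entries, entries needing review)."""
    parsed = [(raw,) + parse_entry(raw) for raw in entries]
    broad = [raw for raw, kind, val in parsed
             if kind == "net" and val.num_addresses > max_addresses]
    review = [raw for raw, kind, _ in parsed if kind == "object"]
    bypassed = []
    for name, ip, mac in hosts:
        addr = ipaddress.ip_address(ip)
        if any((kind == "net" and addr in val) or
               (kind == "mac" and val == norm_mac(mac))
               for _, kind, val in parsed):
            bypassed.append(name)
    return bypassed, broad, review

# Constructed sample data (not from the Korugan documentation).
BYPASS_FROM = ["192.168.10.25", "192.168.20.0/24", "00:1A:2B:3C:4D:5E", "Printers"]
HOSTS = [  # (name, IP, MAC) as an asset inventory might list them
    ("hr-laptop", "192.168.10.25", "aa:bb:cc:00:00:01"),
    ("kiosk", "192.168.20.7", "aa:bb:cc:00:00:02"),
    ("scanner", "192.168.30.9", "00-1A-2B-3C-4D-5E"),
    ("dev-pc", "192.168.10.40", "aa:bb:cc:00:00:03"),
]

if __name__ == "__main__":
    bypassed, broad, review = audit_bypass(BYPASS_FROM, HOSTS)
    print("hosts not covered by the proxy:", bypassed)
    print("entries wider than 16 addresses:", broad)
    print("firewall objects to resolve by hand:", review)
```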

Cache Management

The 'Cache Management' pane can be opened by clicking the 'Cache Management' stripe. The pane allows the administrator to configure the disk space and system memory that can be used for caching the resources from the websites accessed and specify the external networks and web servers to be globally excluded from the proxy service.

Specify the Cache Management parameters as given below:

Cache size within memory - Specify the space in system memory that can be allocated for caching web resources (in MB).

Maximum object size - Specify the upper limit of single object that can be cached (in KB). Resource files of size more than that specified here will not be cached.

Minimum object size - Specify the lower limit of single object that can be cached (in KB). Resource files of size less than that specified here will not be cached.

Cache offline mode - Enable this option if you wish to enable access to cached websites, even if the uplink is broken. If a host requests a web access to any of the cached resource, the static web resource will be returned to the host without being updated.

Clear Cache - Use this button to delete all the cached data at once.

Do not cache these destinations - Specify the domain names or addresses of external networks from which the resources need not be cached.

Upstream Proxy

The 'Upstream Proxy' pane can be opened by clicking the 'Upstream Proxy' stripe. The pane allows the administrator to specify additional proxy servers, if any, available in the LAN. If specified, the appliance will first contact the additional proxy server, before accessing the requested web server, to check for cached resources.

Specify the upstream proxy server parameters as shown below:

Upstream Proxy

Use upstream proxy - Select this checkbox if any web proxy server is available in the local area network.

The following options are enabled only if this option is selected.

Upstream Server

Enter the hostname or IP address of the proxy server in the LAN.

Upstream Port

Enter the port on which the proxy server is listening for external connection requests.

Upstream username/Upstream password

Enter the login username and password for the UTM appliance to access the proxy server, if the proxy server requires authentication

Client username forwarding

Forward username to upstream proxy - Select this checkbox if you wish the username of the host/client that has raised the HTTP request, to be forwarded to the additional proxy server.

Client IP forwarding

Forward IP address to upstream proxy - Select this checkbox if you wish the IP address of the host/client that has raised the HTTP request, to be forwarded to the additional proxy server.

Click 'Save' at the bottom of the interface. A confirmation dialog will be displayed.

Click Apply. The HTTP proxy service will be restarted for your changes to take effect.
