Proxy tab
Connection
| Keep original source IP address | When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request. If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used. |
URL Filtering ( Extended Web Control base only)
| Action when classification of URL failed | The choice is either Pass or Block. If a URL has not been listed in a URL category, this action will determine whether access to the site will be authorized. |
| Allow IP addresses in URLs | An option allows authorizing or denying the use of IP addresses in the URL, meaning access to a website by its IP address instead of its domain name. Such a method may be an attempt to bypass URL filtering. If the option has not been selected and the URL queried (containing an IP address) cannot be classified by the URL filtering system, its access will be blocked. However, this option has been designed to be applied after the evaluation of the filter. As a result, internal servers that are contacted by their IP addresses will not be blocked if their access has been explicitly authorized in the filter policy (different from the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC5735) or the “Private IP” group in the EWC URL database. |
NOTE
Regardless of whether the previous option has been selected, an IP address expressed differently from the format a.b.c.d will be systematically blocked.
HTTP protocol extensions
| Allow WebDAV connections (reading and writing) | WebDAV is a set of extensions to the HTTP protocol concerning the edition and collaborative management of documents. If this option has been selected, the WebDav protocol will be authorized in the Stormshield Network Firewall. |
| Allow TCP tunnels (CONNECT method) | The CONNECT method allows building secure tunnels through proxy servers. If this option has been selected, the CONNECT method will be authorized in the Stormshield Network Firewall. |
TCP tunnels: List of allowed destination ports
In this zone, specify the types of service that can use the CONNECT method.
| Destination port (service object) | The Add button allows you to add services objects database. To modify a service, select the line to be modified and make changes. Use the Delete button to delete the selected service. |
Advanced properties
Protection quality
| Check URL encoding | By selecting this option, the filter policy cannot be bypassed. |
Traffic sent to the server
| Add authenticated user to HTTP header | If the external HTTP proxy requires user authentication, the administrator can select this option to send data regarding the user (collected by the firewall’s authentication module) to the external proxy. |
Explicit proxy
The explicit proxy allows referencing the firewall’s proxy in a browser and sending HTTP requests directly to it.
| Enable "Proxy-Authorization" (HTTP 407) 'authentication | The browser will prompt the user to authenticate through a message window and the connection information will be relayed to the firewall via the HTTP header. NOTE For further information, refer to the help for the Authentication module, in the section “Transparent or explicit HTTP proxy and Multi-user networks” |