The proxies and the firewall

To understand how some particular connectivity issues can be fixed it is important to know how the proxies and the firewall work together to provide a safe and secure online environment.

These problems include:

  1. You have a device that needs to access the web but doesn’t have the ability to use proxy settings.
  2. You have some software that needs to access the web but doesn’t work through a browser and has no ability to use proxy settings.
  3. You have an application that does work through a browser but the proxies seem to be causing problems and you would like to bypass them.

So how do the proxies and the firewall usually work together?
The default position is that the web is accessible (on port 80 for http, or port 443 for https) but only via the proxies.  Any request to port 80 or 443 that is not directed through a proxy will try to reach the Internet straight through the firewall.  Such requests are rejected, because the firewall's default position is that traffic to ports 80 and 443 is only allowed if it has come from a proxy.

Type 1 and 2 problems.
So if you have a problem of type 1 or 2 above, the solution is to make a firewall rule that specifically allows the traffic concerned.  The Service Desk will be able to raise a service request for this on your behalf.  To do this they will need to know:

  • Whether access is required on port 80 or 443.
  • The source address of the device or devices concerned.  This could be the entire subnet of your school or one or more individual IP addresses.
  • The specific destination address.  (Firewall rules do require IP addresses … URLs are no good.)  This address is essential because if we were to allow access to the whole web on these ports without going through the proxies you would have no protection from the web filtering service.

Occasionally we have to set up firewall rules allowing traffic to avoid the proxies from the entire HICS subnet rather than just individual schools. If you would like further information on what is currently set up in this way, please get in touch.

But what if the devices you have are such things as iPads or smart phones, you do want them to access the whole web and you have lots of them?  In this case what you are looking for is probably our Transparent Proxy Service.

Type 3 problems.
Problems of type 3 above are slightly more complicated.  Usually bypassing the proxies is a last resort or sometimes just a temporary diagnostic tool to enable us to determine if the proxies really are the source of a problem.  You would still need to ask us to raise a service request as described above.  In this case the source address will be your entire subnet and we will still need the specific destination address.  But in addition to this you also need to enter a proxy exception into your browser’s proxy settings.  (This might appear as “Proxy Exceptions” or as “No proxy for:” … it does vary between browsers.)  The proxy exception you enter should be for the same IP address as we requested in respect of the firewall.  So … because of your proxy exception your browser will fire the request straight at the firewall and because of our firewall rule the request isn’t rejected.

… and finally …
If you have kept up so far you will see that this does give you the possibility of denying access to your users without using the Netsweeper web filtering system.  Suppose your school felt that http://www.somewhere.co.uk should be denied through the WF3 policy.  Suppose also we didn’t want to deny access through WF3 because we knew that most schools were happy with it being allowed.  You could enter http://www.somewhere.co.uk as a proxy exception in your browser (you can enter URLs as proxy exceptions), which would cause all requests for that URL to be directed straight at the firewall.  But as we have not created a firewall rule to match your proxy exception, the firewall will reject those requests for the IP address that the particular URL resolves to.  So your users will not get to http://www.somewhere.co.uk.  As it will not be the proxies that are blocking them, they will not see the usual “Access Denied” page … just a “Website could not be displayed” message.  That said, this really is a cheap and cheerful approach to controlling access to the web.  It might be OK for the odd site, but if you want to run your own web filtering policies we have a specific service to allow you to do that. See Devolved IP Level Filtering or Devolved AD Integrated Filtering.
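To make the three situations above and the "cheap and cheerful" block concrete, here is an added worked model of the decision logic described on this page (example code written for this article, not HICS's own tooling). The subnet, proxy address, DNS entries and rule shape are constructed assumptions; the point it demonstrates is which path a request takes (proxy or direct), what the firewall sees on each path, and why a proxy exception without a matching firewall rule ends in a browser error rather than the filter's "Access Denied" page.

```python
"""Toy model of the proxy / firewall interaction described in the article.
All addresses, hostnames and the rule format are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed topology (assumption): one school subnet, one proxy, a tiny DNS table.
SCHOOL_SUBNET = ipaddress.ip_network("10.20.0.0/16")
PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}
DNS = {  # the firewall only ever sees IP addresses, so every hostname must resolve
    "www.somewhere.co.uk": ipaddress.ip_address("203.0.113.10"),  # documentation range
    "www.example.org": ipaddress.ip_address("198.51.100.7"),
}


@dataclass(frozen=True)
class FirewallRule:
    """A type 1/2 rule: a source range may reach one specific IP on one port without a proxy."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Address
    port: int


@dataclass
class ProxySettings:
    """enabled=False models a device or program that cannot use proxy settings at all."""
    enabled: bool = True
    exceptions: set = field(default_factory=set)  # hostnames or dotted IPs, as typed into the browser


def resolve(host: str) -> ipaddress.IPv4Address:
    return DNS[host]


def goes_direct(settings: ProxySettings, host: str) -> bool:
    """True when the client fires the request straight at the firewall."""
    if not settings.enabled:
        return True
    return host in settings.exceptions or str(resolve(host)) in settings.exceptions


def firewall_allows(src, dst, port, rules) -> bool:
    """Default position: 80/443 only from a proxy; anything else needs an explicit rule."""
    if src in PROXY_ADDRESSES:
        return True
    return any(src in r.source and dst == r.destination and port == r.port for r in rules)


def fetch(src, url, settings, rules, filter_blocklist=frozenset()) -> str:
    """Outcome as the user sees it: 'OK', 'ACCESS_DENIED' (web filter page on the
    proxied path) or 'COULD_NOT_DISPLAY' (firewall rejected a non-proxy request)."""
    parsed = urlparse(url)
    host = parsed.hostname
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    dst = resolve(host)
    if not goes_direct(settings, host):
        # Proxied path: the filtering policy applies, and the firewall then sees
        # the proxy's own address, which the default position allows through.
        return "ACCESS_DENIED" if host in filter_blocklist else "OK"
    # Direct path: the firewall sees the school device's own address.
    return "OK" if firewall_allows(src, dst, port, rules) else "COULD_NOT_DISPLAY"


DEVICE = ipaddress.ip_address("10.20.3.44")  # constructed: a device inside the school subnet
TARGET = "http://www.somewhere.co.uk/"
RULE_FOR_TARGET = FirewallRule(SCHOOL_SUBNET, resolve("www.somewhere.co.uk"), 80)


def type1_without_rule() -> str:
    # Device with no proxy support and no firewall rule raised yet.
    return fetch(DEVICE, TARGET, ProxySettings(enabled=False), rules=[])


def type1_with_rule() -> str:
    return fetch(DEVICE, TARGET, ProxySettings(enabled=False), rules=[RULE_FOR_TARGET])


def type3_bypass() -> str:
    # Proxy exception for the IP *and* a matching firewall rule for the same IP.
    return fetch(DEVICE, TARGET, ProxySettings(exceptions={"203.0.113.10"}), rules=[RULE_FOR_TARGET])


def cheap_and_cheerful_block() -> str:
    # URL exception with no matching firewall rule: the firewall rejects it, so the
    # user gets a browser error rather than the filter's Access Denied page.
    return fetch(DEVICE, TARGET, ProxySettings(exceptions={"www.somewhere.co.uk"}), rules=[])


def filtered_via_proxy() -> str:
    return fetch(DEVICE, TARGET, ProxySettings(), rules=[], filter_blocklist={"www.somewhere.co.uk"})


def exception_wrong_port() -> str:
    # The rule covers port 80 only, so https to the same IP is still rejected.
    return fetch(DEVICE, "https://www.somewhere.co.uk/", ProxySettings(exceptions={"203.0.113.10"}),
                 rules=[RULE_FOR_TARGET])


if __name__ == "__main__":
    for scenario in (type1_without_rule, type1_with_rule, type3_bypass,
                     cheap_and_cheerful_block, filtered_via_proxy, exception_wrong_port):
        print(f"{scenario.__name__:26s} -> {scenario()}")
```

The last scenario is the check worth remembering when raising a service request: the firewall rule is per port, so an exception that sends both http and https traffic direct needs a rule for 80 and another for 443.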
