Network Guys

Share your knowledge!

Sophos UTM Web Protection Workflow

Have you ever asked yourself how the web protection workflow works within the Sophos UTM? Many customers have trouble understanding how the proxy works. The proxy can be used in transparent mode (man-in-the-middle for HTTP/HTTPS) or in “standard” mode, where you configure the proxy in your browser or distribute it via WPAD. The proxy differentiates requests by source, person and time.

Here is a workflow graphic I made:

Sophos UTM Web Protection Workflow

This is the workflow of one of my basic configurations for my customers. But what does it look like in the Sophos UTM WebAdmin? I configured a virtual test appliance with the same names and settings as above to make it clearer:


Profile for Server Area:


Profile for Office LAN:


Profile for Guests:


I always configure new categories for each group/purpose:


I recommend configuring from back to front: Categories > Filter Actions > Filter Profiles. Here are my filter actions for this example:



  • Example 1
    • Server “CustomerDC01” with IP wants to update the Windows OS (http requests to
      • The HTTP connection is intercepted and allowed through the proxy because of a global exception entry
    • Server “CustomerDC01” with IP wants to download SAP files from the internet
      • The connection is intercepted and scanned for malware (transparently, no proxy setting needed in a browser or on the system)
  • Example 2
    • User “carl” (Member of GL_All and GL_FacilityManager) wants to access Facebook at 4 o’clock
      • The browser asks the proxy “please go to Facebook for me” > the proxy blocks the website (because social media is only allowed from 12 am to 1 pm)
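
The evaluation order these examples walk through, as an added Python sketch (not part of the original post and not Sophos code): global exceptions first, then the filter profile chosen by source network, then the policy chosen by group and time, then the category check. The IP ranges, domains, category names, the 12:00-13:00 window and the block fallback for unknown sources are constructed assumptions; only the profile, user and group names come from the article.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample configuration (assumptions, see lead-in).
EXCEPTIONS = {"update.example.test"}  # placeholder for the global exception entry
CATEGORIES = {"facebook.com": "social_media", "files.example.test": "downloads"}
PROFILES = [  # evaluated top-down, first matching source network wins
    {"name": "Server Area", "net": ip_network("10.0.10.0/24"),
     "policies": [], "default": {"block": {"social_media"}}},
    {"name": "Office LAN", "net": ip_network("10.0.20.0/24"),
     "policies": [  # first policy matching group AND time window wins
         {"group": "GL_All", "window": (time(12), time(13)), "block": set()},
         {"group": "GL_All", "window": None, "block": {"social_media"}},
     ],
     "default": {"block": {"social_media", "downloads"}}},
]

def decide(src_ip, host, groups=(), at=time(0)):
    """Return (verdict, reason) for one request in this simplified model."""
    # 1. Global exceptions are checked before any profile.
    if host in EXCEPTIONS:
        return "allow", "global exception"
    # 2. Source: pick the filter profile by client network.
    profile = next((p for p in PROFILES if ip_address(src_ip) in p["net"]), None)
    if profile is None:
        return "block", "no matching profile"  # model assumption
    # 3. Person and time: pick the policy, else the profile's default action.
    action, reason = profile["default"], f"{profile['name']}: default action"
    for pol in profile["policies"]:
        win = pol["window"]
        in_window = win is None or win[0] <= at < win[1]
        if pol["group"] in groups and in_window:
            action, reason = pol, f"{profile['name']}: policy for {pol['group']}"
            break
    # 4. Filter action: block by category, otherwise allow (and scan).
    category = CATEGORIES.get(host, "uncategorized")
    if category in action["block"]:
        return "block", f"{reason}, category {category}"
    return "allow", f"{reason}, malware scan applies"

if __name__ == "__main__":
    carl = ("GL_All", "GL_FacilityManager")
    print(decide("10.0.10.5", "update.example.test"))
    print(decide("10.0.10.5", "files.example.test"))
    print(decide("10.0.20.7", "facebook.com", carl, time(16)))
```

Because both the profile list and the policy list are first-match, the order of entries decides the outcome, which is why the time-limited allow policy sits above the general block policy.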


If you want further examples, feel free to comment. Have a nice weekend! :)
