X-Forwarded-For feature for web appliance
organisation uses the Google Apps suite quite heavily. We put so much load to them that they end up putting Captcha verifications on searches as per this doc: https://support.google.com/websearch/answer/86640?hl=en
A way to mitigate these things from happening in scenarios where organisations may have all of their traffic exiting one or two public IPs is to implement the X-Forwarded-For into the HTTP header. It means that the web server in question (e.g. Google) can differentiate between one client and the other.
We have implemented a back-end feature to add X-Forwarded-For headers to HTTP requests in version 4.2.0 of the Web Appliance. At present it must be enabled by Sophos support but we are considering adding it as a UI option in the future.
Note that this feature only works for non-secure HTTP so it may not help for the Google situation where the default is for traffic to use HTTPS. This is because with HTTPS, the headers are all part of the secured, encrypted communication within an SSL tunnel. There is no equivalent protocol that would work on SSL traffic.
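The plain-HTTP versus HTTPS difference described in the response above, as an added example that is not part of the original thread and is not Sophos code. The function name `add_xff`, the sample requests and the addresses are constructed for illustration.

```python
from typing import Optional

# Constructed sample requests as a forward proxy would receive them.
PLAIN = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
CHAINED = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
           b"X-Forwarded-For: 192.0.2.10\r\n\r\n")
TUNNEL = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"


def add_xff(raw_request: bytes, client_ip: str) -> Optional[bytes]:
    """Return the request to send upstream, or None when nothing can be added.

    Plain HTTP: the proxy reads the headers, so it appends the client address
    to X-Forwarded-For (creating the header if it is absent).
    CONNECT (HTTPS): the proxy only sees the tunnel setup and then relays
    encrypted bytes; the real request headers are inside the tunnel.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    if method == b"CONNECT":
        return None  # no readable header block to rewrite

    prior, kept = [], [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            prior.append(value.strip())  # keep the chain from earlier hops
        else:
            kept.append(line)
    # One combined header: earlier hops first, this proxy's client last.
    chain = b", ".join(prior + [client_ip.encode("ascii")])
    kept.append(b"X-Forwarded-For: " + chain)
    return b"\r\n".join(kept) + sep + body
```

Because the proxy appends to whatever value arrived, only the last entry is one the proxy itself observed; earlier entries are as reported by the client or upstream hops.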
As part of an NHS Digital directive we have been asked to enable X-Forwarded-For. I'll be raising this as a service request to have it enabled, however, it would be good for the future to have the option in the console.
Derek Prudhoe commented
Still no news on this being available in the GUI - is there any progress at all?
Just to save yourselves some work: as a part of a large organisation that has a large Sophos footprint, we have just been advised to enable XFF, so if it was in the GUI, you'd get fewer support calls.
Hi, if this option becomes available in the GUI, there should also be an option to set which name is shown in the Via header: if using a load-balanced SWA cluster, it might be handy to set only the SMA's name to be shown in the Via header.
Thanks a lot for considering!
(as customer request // sophtrac case 7027614)
I can't find this feature in the UI. Where can I find it?
Necessary for client identification on other network systems.
Squid has had it implemented for a long time.
Petr Benda commented
Platinum customer is requesting this feature.