Sophos Ideas / Secure Web Gateway

Secure Web Gateway

Suggest, discuss, and vote on new ideas for Sophos Web Gateway. Complete web protection everywhere.

Suggest an Idea...

← Secure Web Gateway

X-Forwarded-For feature for web appliance

organisation uses the Google Apps suite quite heavily. We put so much load to them that they end up putting Captcha verifications on searches as per this doc: https://support.google.com/websearch/answer/86640?hl=en

A way to mitigate these things from happening in scenario’s where organisations may have all of their traffic exiting one or two public IP’s is to implement the X-Forwarded-For into the HTTP header. It means that the web server in question (eg Google) can differentiate between one client and the other.

13 votes
Sign in
(thinking…)
Sign in with: Facebook Google Sophos ID New Sophos ID
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Sanju Shrestha shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
Planned  ·  AdminRich Baldry (Senior Product Manager, Network Security Group, Sophos Features & Ideas Laboratory) responded  · 

We have implemented a back-end feature to add X-Forwarded-For headers to HTTP requests in version 4.2.0 of the Web Appliance. At present it must be enabled by Sophos support but we are considering adding it as a UI option in the future.

Note that this feature only works for non-secure HTTP so it may not help for the Google situation where the default is for traffic to use HTTPS. This is because with HTTPS, the headers are all part of the secured, encrypted communication within an SSL tunnel. There is no equivalent protocol that would work on SSL traffic.

8 comments

Sign in
(thinking…)
Sign in with: Facebook Google Sophos ID New Sophos ID
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    As part of an NHS Digital directive we have been asked to enable X-Forwarded-For. I'll be raising this as a service request to have it enabled, however, it would be good for the future to have the option in the console.

  • Peter commented  ·   ·  Flag as inappropriate

    jus to save yourselves some work, as a part of a large organisation, who have a large sophos footprint, we have just been advised to enable XFF, so if it was in the GUI, you'd get less support calls.

  • uɐɟǝʇS commented  ·   ·  Flag as inappropriate

    hi.. if this option will become available in the gui, there should be an option to set, which name is shown in the VIA header, as well: if using a load balanced SWA cluster, it might be handy to set only the SMAs name to be shown in the VIA header.

    thanks a lot for considering!

    (as customer request // sophtrac case 7027614)

  • Anonymous commented  ·   ·  Flag as inappropriate

    Necessary for client identification on other network systems.
    Squid has it implemented for a long time.

Secure Web Gateway: Web Appliance

Categories

Feedback and Knowledge Base

(thinking…)
icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.