Web Protection: Proxies and Profiles Mapping to Additional Addresses
I would like to have the same flexibility as using SNAT in the definition of the internal networks (as I have a dozen or so) for which the public IP address by the transparent proxy is to go to the Internet.
Unfortunately Fully Transparent HTTP Proxy does not offer this functionality.
Read more at http://www.astaro.org/astaro-gateway-products/general-discussion-feature-requests/25390-feature-requests-configuration-proxy-profiles-use-different-public-source-ip.html#post109466
As of 03 June 2017, this is now possible! See https://community.sophos.com/kb/en-us/126892 (How to change the outgoing interface for Web Filtering).
Rather than use the suggested method of enabling this capability, do the following as root:
cc set http enable_out_interface 1
Cheers - Bob
Cliff Galiher commented
Internet uplink balancing is not necessarily the same thing. It is not uncommon to have a single internet uplink with multiple public IP addresses. It'd be nice to be able to specify which public IP address an HTTP proxy profile should use. This could be done, for example, via additional IP addresses on an interface. But the actual uplink is still a single connection so "balancing" doesn't necessarily apply. Such a topology is useful when segregating guest traffic to its own public IP, for example.
One of my clients has employees of two different customers in their building. They have VPNs to those customers and each employee of the customers needs to use web apps over the VPN to their employer. Presently, the solution is to have a second proxy that's used as a parent proxy to relay through the tunnel. Please extend this idea with, for example, the ability to use ppp0 like eth0, thereby allowing a profile to be directed over a VPN without having to use another proxy.
Zach SeRine commented
badly need this
Bram, I think this has already been suggested: http://feature.astaro.com/pages/17359-astaro-gateway-feature-requests/suggestions/184039-websecurity-extra-transparent-http-proxy?ref=title
Massimo Dalla Giustina commented
For me it is useful for the SMTP proxy. The v7.4 gives the uplink balancing feature, but this works with physical interfaces. Instead, with a single external interface with several IP aliases, it's not possible to bind the SMTP proxy to a specific IP and other IPs to other internal (non-proxied) SMTP servers. I tried using NAT and usually it works, but sometimes the SMTP proxy gets priority over the NAT rule...
Thanks to everyone for the votes submitted.
Please, take a look at one feature, the lack of which is pain in Astaro at
Ugur ALTINSARI commented
It's a great work.
Ali KAVAL commented
If you are using private IP blocks in the LAN, all HTTP proxy profiles go to the Internet with the same WAN IP address. We have to give different public IP addresses for each profile. We want to follow these profiles with different IP addresses on the Internet.
Ali Ihsan Kaval commented
We want to give a different public IP address for each local network in transparent proxy.
At http://feature.astaro.com/pages/17359-astaro-gateway-feature-requests/suggestions/184039-websecurity-extra-transparent-http-proxy you can find a feature by which you can bind the HTTP Proxy service to any interface of any public IP. Please vote there.
This is not the same.
It can start from the beginning. To be clear, with HTTP network traffic without running transparent proxy I can use SNAT to release on the outside using any interface and defined additional IP addresses. With Masquerading I can't.
As rightly noticed, in the future a new feature will be enabled that is described in the thread "Feature request: Masquerading for additional IP-addresses".
I personally think that this feature is redundant if the same effect is achieved using a SNAT.
But above all, this is not my problem. My problem, and my new feature request, applies to HTTP network traffic which uses a transparent proxy.
I would just like to have the same flexibility as using SNAT in the definition of the internal networks (as I have a dozen or so) for which the public IP address by the transparent proxy is to go to the Internet.
I hope this will help to understand my problem, and that of all the administrators who have lots of local area networks and would like, when using the transparent HTTP proxy, to be shown on the outside under different public IP addresses.
Sascha Paris commented
This should already be possible since version 7.4 and its Internet uplink balancing feature.