Explicit Proxy: HTTP Web Proxy
To replace your current proxy server, you can configure the settings in the Explicit Proxy to enable your Firebox as an explicit web proxy server for HTTP traffic. When you configure the Explicit Proxy, you select the HTTP proxy action to use for connections to your network, and specify the options to configure your client web browsers to send requests directly to the IP address of the Firebox over TCP port 3128 (the port for the Explicit Proxy). All HTTP traffic to your network is examined by the Explicit Proxy and the subscription services that you have configured on your Firebox.
The Explicit Proxy does not cache web data.
When you use the Explicit Proxy, the Firebox adds a Via Header to HTTP requests and responses. A Via Header tells the server which proxies sent the request. The Via Header can contain the Firebox IP address or an alias that you can customize.
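Because destination servers receive the Via Header, it is worth checking whether the value you expose is an address or an alias. The following Python is an added example, not WatchGuard code: it parses Via values in the RFC 9110 syntax and labels each proxy hop. The sample addresses and the alias `edge-proxy` are constructed placeholders.

```python
import ipaddress

def split_hops(value):
    """Split a Via value on commas, ignoring commas inside (comments)."""
    hops, current, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            hops.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    hops.append("".join(current).strip())
    return [hop for hop in hops if hop]

def classify(received_by):
    """Label the received-by field: internal-ip, public-ip, or alias."""
    try:
        if received_by.startswith("["):      # bracketed IPv6 literal
            host = received_by[1:received_by.index("]")]
        else:
            host, sep, port = received_by.rpartition(":")
            if not (sep and port.isdigit()):
                host = received_by           # no port suffix present
        address = ipaddress.ip_address(host)
    except ValueError:
        return "alias"                       # hostname or pseudonym
    return "internal-ip" if address.is_private else "public-ip"

def audit_via(value):
    """Return (received-by, label) for each proxy hop in a Via value."""
    findings = []
    for hop in split_hops(value):
        fields = hop.split(None, 2)          # protocol, received-by, comment
        if len(fields) >= 2:
            findings.append((fields[1], classify(fields[1])))
    return findings

# Constructed sample values; the addresses and alias are placeholders.
SAMPLES = [
    "1.1 10.0.1.1:3128",
    "1.1 edge-proxy",
    "1.0 upstream (a, b), HTTP/1.1 [fd00::1]:3128",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_via(sample))
```

A hop labelled `internal-ip` means the header discloses internal addressing to the servers your users visit; a customized alias avoids that.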
The Firebox supports the use of PAC (Proxy Auto-Configuration) files distributed by WPAD through DHCP on the Firebox. For more information about PAC Files, see Explicit Proxy: PAC Files and Client Web Browser Configuration.
For information about how to configure client web browsers, see Explicit Proxy: PAC Files and Client Web Browser Configuration.
If you use the Explicit Proxy for connections to your network, you can force your users to authenticate before they can connect to your network. When you enforce authentication in the Explicit Proxy, unauthenticated connections are redirected to the Firewall authentication page. For more information about how to configure Firewall authentication, see Firewall Authentication.
Configure an Explicit Proxy Policy
From Fireware Web UI:
- Select Firewall > Firewall Policies.
  The Policies page appears.
- Click Add Policy.
  The Add Firewall Policy page appears.
- Select Proxies.
- From the Proxies drop-down list, select Explicit-proxy.
- Click Add Policy.

From Policy Manager:
- Select Edit > Add Policy.
  The Add Policy dialog box appears.
- Expand the Proxies list.
- Select Explicit-proxy.
- Click Add Policy.
Configure the Proxy Action for the Explicit Proxy
When you add the Explicit-proxy policy, the predefined proxy action Explicit-Web.Standard is automatically selected. Because you cannot edit a predefined proxy action, you must clone the proxy action and then configure the settings for the cloned proxy action.
From Fireware Web UI:
- On the Explicit Proxy Add Policy page, select the Proxy Action tab.
  The Proxy Action page appears, with all the category settings tabs.
  If (predefined) appears adjacent to the Proxy Action drop-down list, you must clone the proxy action before you can configure the proxy action settings.
- From the Proxy Action drop-down list, select Clone the current proxy action.
  The page refreshes and the cloned proxy action appears, with all the options available. By default, the name of the cloned proxy action is Explicit-Web.Standard.1.
- To change the name of the cloned proxy action, in the Name text box, type a new descriptive name for the proxy action.
- From the Explicit Web Proxy drop-down list, select HTTP/FTP.
  The HTTP/FTP settings, Web FTP, and Captive Authentication settings appear.
- Configure these settings as appropriate for your network:
  Via Header
    A Via Header tells a server which proxy sent the request. The Via Header can contain the Firebox IP address or an alias that you can customize.
  Web FTP
    Configure this option to enable the Explicit Proxy to send FTP traffic over HTTP (Web FTP). For more information, see Explicit Proxy: FTP over HTTP.
  Captive Authentication
    To force users to authenticate before they can connect to websites, select Enforce Authentication. When traffic from your network is sent through the Explicit Proxy, users who are not already authenticated are redirected to the Firewall authentication page when they try to connect to the Internet.
- Click Save.

From Policy Manager:
- Select Setup > Actions > Proxies, select the Explicit-Web.Standard proxy action, and click Clone.
  Or, in the New Policy Properties dialog box for the Explicit-proxy policy, adjacent to the Proxy-action drop-down list, click .
  The Clone Explicit Web Proxy Action Configuration dialog box appears. By default, the name of the cloned proxy action is Explicit-Web.Standard.1.
- To change the name of the cloned proxy action, in the Name text box, type a new descriptive name for the proxy action.
- From the Categories tree, expand Explicit Web Proxy and select HTTP/FTP.
  The HTTP/FTP settings, Web FTP, and Captive Authentication settings appear.
- Configure these settings as appropriate for your network:
  Via Header
    A Via Header tells a server which proxy sent the request. The Via Header can contain the Firebox IP address or an alias that you can customize.
  Web FTP
    Configure this option to enable the Explicit Proxy to send FTP traffic over HTTP (Web FTP). For more information, see Explicit Proxy: FTP over HTTP.
  Captive Authentication
    To force users to authenticate before they can connect to websites, select Enforce Authentication. When traffic from your network is sent through the Explicit Proxy, users who are not already authenticated are redirected to the Firewall authentication page when they try to connect to the Internet.
- Save the configuration to the Firebox.
Explicit Proxy Policy and PAC File Download Policy
When you add an Explicit-proxy policy, the firewall allows traffic from Any-Trusted and Any-Optional to the Firebox on TCP port 3128. A WG-PAC-File-Download policy is also automatically added to the Firebox configuration. The WG-PAC-File-Download policy allows client web browsers to download the PAC file that contains the information necessary to configure the client to use the Firebox as the explicit proxy server. This policy allows traffic from Any-Trusted and Any-Optional to the Firebox on TCP port 4125.
See also: Explicit Proxy: PAC Files and Client Web Browser Configuration