Sometimes you might need to bypass the web filter to get applications to work. More and more applications, such as software updaters and cloud interfaces, use web ports and protocols, and unfortunately not all of them are written with web proxy compatibility in mind. When an application does not work through a proxy, it needs to bypass the proxy completely. Here we look at how to identify whether that is required and how to configure proxy bypass effectively.
Identifying if proxy bypass is required
In general, there are three main reasons for applications not working when going through the proxy.
1. Proxy authentication is used and the application cannot respond to authentication requests.
2. Web filter policies block or prevent access.
3. The application traffic cannot work through a proxy.
Reason 1 is only applicable if Kerberos or NTLM proxy authentication methods are used directly on the proxy. If this is the case, the web filter log should show entries from the source IP with the result code 407. To test this, go to the real-time web filter log on the Smoothwall. Enter the IP address of the client and try to refresh the application. If the code column shows 407 (proxy authentication required), note the target domain the client is trying to get to, add that to a custom category and include that category in the "Web proxy - Authentication - Exceptions" list.
Reason 2 can also be evident from the web filter logs. Any entries from the client shown with a red background or with the word "denied" in the category column indicate that some or part of the application traffic is being blocked. Initially, try adding the domain that the application is trying to reach to a policy that uses the "Allow" action. Allowing content means that the Guardian web filter will bypass all types of policies for access to the target domain. If the application works after allowing the target domain, further analysis can be done to narrow down the exact cause. In the case of applications, it's often due to HTTPS inspection.
Reason 3 should be tested if neither reason 1 nor reason 2 can be proven, or if they have already been addressed and the application still does not work. One way of proving that proxy access is causing the issue is to add the client IP to the source list in "Guardian - Web filter - Exceptions" and then configure the application or the operating system to use the Smoothwall proxy on port 801. This proxy port is only open to clients in the source exception field, and it goes directly to the proxy, bypassing all authentication and web filter policies. If the application does not work when this is done, the cause is most certainly the proxy access.
Once these troubleshooting steps have been done, it's time to consider bypassing the proxy to get the application to work.
Note: Bypassing the proxy should always be the last resort. Often it's used as the first resort, when troubleshooting can't be done or there are time constraints and the application needs to work immediately. However, the more exceptions that are added, the less protected the network becomes, so consider all exceptions carefully before applying them.
Bypassing the proxy
Bypassing the proxy can be done in two ways.
1. Adding the target domains/IP addresses to proxy bypass settings on the client.
2. Adding IP addresses to the transparent proxy bypass settings on the Smoothwall.
When the Smoothwall is used as a proxy only, with proxy settings on the client, only method 1 needs to be used. Additional configuration may be needed on the firewall to make sure outgoing web traffic is allowed.
When the Smoothwall is used as a transparent proxy, method 2 needs to be used. Firewall rules may need to be adjusted as well.
When the Smoothwall is used both as a firewall and a web filter, and proxy settings are used on the client with a transparent proxy as a backup, both methods need to be used. Firewall rules might need to be adjusted as well.
Adding exceptions to client proxy settings
The process for adding exceptions to client proxy settings depends on whether proxy settings are set directly on the client via group policy, or the client is using PAC files or web proxy auto discovery. In all cases, the target domains need to be added to the exception lists. It may also be necessary to add target IP addresses, depending on how the client accesses the targets. If clients are using PAC files hosted on the Smoothwall, the "Web proxy - Web proxy - Automatic configuration" page is used to add exception domains and IP addresses to the PAC file.
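How domain and IP exceptions behave inside a PAC file, as an added example: this is hand-written PAC logic, not the file the Smoothwall generates and not code from the original article. The proxy address, the bypass domain and the bypass IP are constructed placeholders, and the helper name is hypothetical; matching is done on label boundaries so that only the listed domain and its subdomains go direct.

```javascript
// Added example. All names and addresses below are constructed placeholders.
var PROXY = "PROXY proxy.example.internal:8080";   // assumed proxy host and port
var BYPASS_DOMAINS = ["updates.vendor.example"];   // the domain and its subdomains
var BYPASS_IPS = ["203.0.113.10"];                 // literal IPs the app connects to

// Hypothetical helper: true only for the exact domain or a real subdomain.
// Comparing on a label boundary keeps look-alike names such as
// "notupdates.vendor.example" or "updates.vendor.example.other.test"
// from inheriting the bypass, which a loose wildcard or substring test would allow.
function hostMatchesDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Standard PAC entry point: returns "DIRECT" for exceptions, the proxy otherwise.
function FindProxyForURL(url, host) {
  // Normalise case and a trailing dot so equivalent names match consistently.
  host = host.toLowerCase().replace(/\.$/, "");

  // IP exceptions apply only when the client addresses the target by IP.
  for (var i = 0; i < BYPASS_IPS.length; i++) {
    if (host === BYPASS_IPS[i]) return "DIRECT";
  }
  for (var j = 0; j < BYPASS_DOMAINS.length; j++) {
    if (hostMatchesDomain(host, BYPASS_DOMAINS[j])) return "DIRECT";
  }
  // Everything else stays behind the web filter.
  return PROXY;
}
```

Keeping each entry to the narrowest domain that makes the application work limits how much traffic leaves the filter's protection.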
Adding exceptions to transparent proxy
Transparent proxy exceptions are added in the "Guardian - Web filter - Exceptions" destination addresses input field. Only IP addresses can be added here, not domains.