Web requests are usually required to pass an authentication check. Smoothwall then:
- Matches the user with the web requests they made.
- Checks the Web Filter Policies that apply to that user or their User Group.
- Blocks or allows access to content.
Adding an Authentication Exception makes Smoothwall skip the authentication check. Smoothwall won’t apply the Web Filter Policies for the User Group to the user.
Instead, Smoothwall applies the Web Filter Policies for Everyone, and the User Group set in the Options for unauthenticated requests step of your Web Proxy authentication policy. This will usually be the Unauthenticated IPs group, but your organisation may have chosen a different User Group or Everyone.
This may allow users to access content they shouldn’t.
Additionally, Reports and Logs won’t show usernames, so you won’t be able to identify the source of Safeguarding breaches.
Scenarios where Authentication Exceptions are unnecessary
In most scenarios, you shouldn’t add Authentication Exceptions. Here are two examples customers often ask about.
Core Authentication and Out-of-band authentication
When the authentication method for the Web Proxy Authentication Policies is Core Authentication, Authentication Exceptions are not needed for clients using Out-of-band authentication (OOBA). This is because users are authenticated before web requests are made by the client rather than at the same time.
IDex Agent, Login scripts or RADIUS
IDex, Kerberos Authentication Scripts and RADIUS Authentication Methods don’t ask the client software to provide authentication, so you don’t need to configure Authentication Exceptions.
Scenarios where Authentication Exceptions are needed
If you use one of these Authentication Methods:
- Inline authentication methods like Kerberos
- SSL Login Page methods
The following scenarios outline when you need to add Authentication Exceptions.
Devices or applications can’t authenticate
Some web-enabled software can’t respond to authentication requests. This can include desktop software, mobile devices, and network infrastructure such as IP phones, switches and routers. Requiring authentication for these services would prevent access, so you need to add an Authentication Exception.
For devices unable to support MiTM, add the domain rather than URLs to the Category, then select this Category for the Authentication Exception.
Improving performance
You may need to add Authentication Exceptions for content used heavily by Windows, iPadOS, macOS, and ChromeOS. Not doing so may adversely impact the client operating system, Smoothwall system performance, the end-user experience and in the case of the SSL/Non SSL Login Page, the Smoothwall's local web server.