This article only applies to organisations with a 'Hybrid' setup (both On-Premise Appliance and Cloud). Organisations with On-Premise only or Cloud only setups cannot use these instructions.
In a ‘Hybrid’ setup, your organisation will have both Cloud Filter and an On-Premise Appliance or a Virtual Machine handling local web traffic as a proxy server.
To prevent ‘double filtering’, which can cause issues when Cloud Filter and the On-Premise Appliance apply filtering differently, you should select one platform from which to apply filtering.
- Option 1: Use On-Premise Appliance filtering: Segregate your Cloud Filter devices (Chromebooks, iOS, MacOS or Windows devices) into their own dedicated VLAN, so you can direct the On-Premise Appliance to ignore these devices when applying filtering. This is our recommended option.
- Option 2: Use Cloud filtering: You may have devices that can’t be segregated at the network level because your VLANs are already in use and shared with devices that don’t use Cloud Filter (such as BYOD networks, general WiFi, etc.). In this case, these devices need to use Cloud Filtering by bypassing the On-Premise Appliance and using the ‘Secret Knock’.
As both options result in your devices not being filtered by the On-Premise Appliance, these devices should only have browsers installed with the Cloud Filter Extension to prevent unfiltered access.
Option 1: Use VLANs
When you use On-Premise Appliance filtering, web traffic from the specific VLAN subnet bypasses filtering and is allowed outbound to the Internet by the Firewall.
Important
Don’t create a new Proxy Authentication policy, so that web traffic passes through unfiltered.
You should route traffic from these devices past the On-Premise Appliance by segregating Cloud Filter devices into dedicated networks (VLANs).
- Add a VLAN interface.
- Add an IP address to the VLAN interface.
- Ensure client devices are configured via DHCP to use the new VLAN interface as their gateway. If you are using On-Premise Appliance to manage DHCP, see Managing DHCP servers.
If you have the On-Premise Appliance as part of the route out of the network, you won’t have VLAN interfaces set up in your On-Premise Appliance.
- Go to Guardian > Web Filter > Exceptions.
- Enter the VLAN subnet network range that you route from your core switch into the Source exception IP addresses field.
- Select Save.
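The following Python audit is an added example, not part of the original article or the product. It checks a device inventory against the subnet entered in Source exception IP addresses, flagging devices that end up unfiltered or double filtered. The subnet, host names and inventory format are constructed assumptions, and it assumes Option 1 only (no Secret Knock in use).

```python
import ipaddress

# Constructed sample data: the subnet entered in "Source exception IP addresses"
# and a device inventory (for example exported from DHCP leases and your MDM).
EXCEPTION_SUBNETS = ["10.20.30.0/24"]
INVENTORY = [
    {"host": "chromebook-01", "ip": "10.20.30.15", "cloud_filter": True},
    {"host": "ipad-07", "ip": "10.20.30.77", "cloud_filter": True},
    {"host": "lab-pc-03", "ip": "10.20.30.200", "cloud_filter": False},
    {"host": "win-laptop-12", "ip": "10.20.40.12", "cloud_filter": True},
    {"host": "staff-pc-02", "ip": "10.20.40.50", "cloud_filter": False},
]


def audit_exceptions(subnets, inventory):
    """Classify each device against the Web Filter source exception ranges.

    Returns a dict with two lists of host names:
      unfiltered      - inside an exception range but without Cloud Filter,
                        so neither platform filters it
      double_filtered - has Cloud Filter but sits outside every exception
                        range, so the appliance filters it as well
    """
    # strict=False accepts a host address with a prefix (10.20.30.1/24).
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    findings = {"unfiltered": [], "double_filtered": []}
    for dev in inventory:
        addr = ipaddress.ip_address(dev["ip"])
        # An IPv4 address is never "in" an IPv6 network, and vice versa.
        excepted = any(addr in net for net in nets)
        if excepted and not dev["cloud_filter"]:
            findings["unfiltered"].append(dev["host"])
        elif dev["cloud_filter"] and not excepted:
            findings["double_filtered"].append(dev["host"])
    return findings


if __name__ == "__main__":
    result = audit_exceptions(EXCEPTION_SUBNETS, INVENTORY)
    for kind, hosts in result.items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
```

Any host reported as unfiltered should either be moved out of the dedicated VLAN or restricted to browsers with the Cloud Filter Extension.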
Option 2: Use Cloud filtering
To use Cloud Filtering only, you should enable the ‘Secret Knock’.
Before you begin
- Ensure you can resolve the hostname of your On-Premise Appliance via local DNS.
- Check that you have set up an Internal Network interface to use.
Step 1: Enable Cloud Filter Bypass
- Sign in to On-Premise Appliance.
- Go to Network > Firewall > Smoothwall Access.
- Select Add, then Rule above.
- Configure these fields as follows:
- Add an easily identifiable name, such as Cloud Filter Bypass.
- Source IP addresses: Leave as Any.
- Inbound Interfaces: Select all your Internal interfaces.
- Destination IP addresses: Leave as Any.
- Services: Cloud Filter Bypass (6150)
- Groups: Leave as Any.
- Action: Accept
- Select the Log checkbox.
- Select Save changes.
Step 2: Enable the Secret Knock
- Go to Guardian > Client interfaces > Cloud Filter.
- Move to the Secret Knock section.
- Enter the Hostname or IP of the On-Premise Appliance internal interface.
- Enter a refresh time in seconds to dictate how often the Cloud Filter devices request a bypass from the On-Premise Appliance. We recommend 600 seconds.
- Log out of the On-Premise Appliance to sync your changes to Cloud.