This article applies to the Smoothwall Firewall & Filter On-Premise solution in either Hardware or VM form.
A Primer on Authentication Exceptions
Authentication Exceptions provide a mechanism by which select categories of content, including Custom Categories, can be exempt from authentication checks/challenges made by the Guardian Web Filter.
In a typical setup, authentication is provided by the web browser, using transparent methods such as NTLM or Kerberos, or direct methods such as Proxy Authentication or the SSL/NonSSL Login Page. Web requests made through the Guardian Web Filter must first pass an authentication check. Once the user's credentials are verified, the Smoothwall carries out group mapping so that the proper policies can be applied. For categories of content in the Authentication Exceptions list, the authentication requirement is lifted, and the traffic is allowed to pass under the default group of Unauthenticated IP, or whichever group is assigned to unauthenticated requests on the Authentication Policy that accepts the traffic.
It is important to note that any content listed in Authentication Exceptions will have no username attached in the Guardian Logs. Care should therefore be taken that reporting and Safeguard Alerts are not compromised by poorly configured Authentication Exceptions.
Uses of Authentication Exceptions
The most direct and functional use of Authentication Exceptions is in setups where web-enabled software installed on clients makes web requests outside the web browser and may not be designed to respond to an authentication challenge. This includes desktop software, mobile devices, and network infrastructure such as IP phones, switches and routers.
In this instance, the URLs called by the software may be put into a Custom Category, and this category listed as an Authentication Exception. This removes the authentication requirement and allows the requests to pass directly to the filter, at which point they will be subject to the Web Filter and HTTPS Inspection policies targeted, by default, at the "Everyone" and "Unauthenticated IP" groups.
Prime examples of categories fit for Authentication Exception, and part of our recommended best practice, are:
- Microsoft Office 365
- Apple
- iTunes / AppStore
- Software Updates
- DNS over HTTPS
- Content Delivery
In these cases, the categories contain content used heavily by Windows, iOS/MacOS and ChromeOS. Excluding them from authentication requirements benefits the smooth running of the client operating system and greatly reduces load on the Smoothwall's authentication service and, in the case of the SSL/NonSSL Login Page, the Smoothwall's local web server.
Failure to configure appropriate Authentication Exceptions can add undue load on the Smoothwall and adversely impact system performance, and by extension the end user experience.
NOTE: Out-of-band authentication methods, such as IDex Agent, Kerberos Logon Scripts and RADIUS, authenticate the user prior to any web requests being made by the client. As such, Authentication Exceptions are typically not needed for software running on clients authenticated by these methods and where 'Core Authentication' is listed as the authentication method on the Web Proxy Authentication Policies.
Setting Up Authentication Exceptions
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Web Proxy > Authentication > Exceptions.
- From the left-hand field select any categories you wish to apply as an Authentication Exception and use the Add button to move the selection across.
- Save the page with the Save button to complete the configuration.
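Because excepted traffic is logged without a username, one way to check that the exceptions are no broader than intended is to count username-less requests per category and flag any category outside the recommended list above. The script below is an added example, not Smoothwall code; the CSV column names and the sample rows are constructed assumptions, not the real Guardian log format.

```python
import csv
import io
from collections import Counter

# Categories the article recommends as Authentication Exceptions.
RECOMMENDED = {
    "Microsoft Office 365", "Apple", "iTunes / AppStore",
    "Software Updates", "DNS over HTTPS", "Content Delivery",
}

# Constructed sample export; the column names are assumptions, not the
# real Guardian log format. An empty username means no user was attached.
SAMPLE_LOG = """\
timestamp,client_ip,username,category,url
2024-05-01T09:00:01,10.0.0.21,,Software Updates,http://updates.example.test/a.cab
2024-05-01T09:00:04,10.0.0.21,jsmith,News,https://news.example.test/
2024-05-01T09:00:09,10.0.0.35,,Social Networking,https://social.example.test/feed
2024-05-01T09:00:12,10.0.0.35,,Social Networking,https://social.example.test/msg
2024-05-01T09:00:15,10.0.0.40,,Microsoft Office 365,https://o365.example.test/sync
2024-05-01T09:00:20,10.0.0.40,akhan,Social Networking,https://social.example.test/
"""


def audit_unauthenticated(log_file, expected=RECOMMENDED):
    """Count username-less requests per category and flag unexpected ones.

    Returns (per_category, unexpected): per_category maps category to the
    number of requests logged without a username; unexpected is the sorted
    list of those categories that are not in `expected`.
    """
    per_category = Counter()
    for row in csv.DictReader(log_file):
        if not (row.get("username") or "").strip():
            category = (row.get("category") or "").strip() or "(uncategorised)"
            per_category[category] += 1
    unexpected = sorted(c for c in per_category if c not in expected)
    return dict(per_category), unexpected


if __name__ == "__main__":
    counts, unexpected = audit_unauthenticated(io.StringIO(SAMPLE_LOG))
    for category, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = "REVIEW" if category in unexpected else "ok"
        print(f"{n:5d}  {flag:6s}  {category}")
```

Pass your own set of excepted categories as `expected` if it differs from the recommended list; a flagged category means traffic is being logged without a user where a username would normally be expected.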