This article applies to the Smoothwall Firewall & Filter On-Premise solution in either Hardware or VM form.
A Primer on Authentication Exceptions
Authentication Exceptions provide a mechanism by which select categories of content, including Custom Categories, can be exempt from authentication checks/challenges made by the Guardian Web Filter.
In a typical setup, where authentication is provided by the web browser via Kerberos or NTLM, web requests made through the Guardian Web Filter must first pass an authentication check. This lets the Smoothwall verify the user's credentials and then carry out group mapping, so that the proper policies can be applied. For categories of content in the Authentication Exceptions list, the authentication requirement is lifted, and the traffic is allowed to pass under the default group of Unauthenticated IP, or whichever group is assigned to unauthenticated requests on the Authentication Policy that accepts the traffic.
It is important to note that any content listed in Authentication Exceptions will have no username attached in the Guardian Logs. Care should therefore be taken that reporting or Safeguard Alerts are not compromised by poorly configured Authentication Exceptions.
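One way to check the reporting impact described above before exempting a category, as an added example that is not part of the original article or of Smoothwall's tooling. It assumes a CSV log export with hypothetical column names and runs over constructed sample entries.

```python
import csv
import io

# Constructed sample export. The column names are assumptions for this example,
# not Smoothwall's actual log format.
SAMPLE_LOG = """\
timestamp,client_ip,username,category,url
2024-05-01T09:00:01,10.0.0.21,alice,Software Updates,http://updates.example.test/a.cab
2024-05-01T09:00:05,10.0.0.21,alice,Social Media,https://social.example.test/feed
2024-05-01T09:01:10,10.0.0.35,bob,Software Updates,http://updates.example.test/b.cab
2024-05-01T09:02:00,10.0.0.50,,Software Updates,http://updates.example.test/c.cab
2024-05-01T09:02:30,10.0.0.35,bob,Video,https://video.example.test/watch
2024-05-01T09:03:00,10.0.0.60,carol,Video,https://video.example.test/live
"""

def attribution_impact(log_text, candidate_categories):
    """For each candidate exception category, count the log entries that
    currently carry a username and would lose it once the category is exempt."""
    candidates = {c.strip().lower(): c for c in candidate_categories}
    impact = {c: {"requests": 0, "attributed": 0, "users": set()}
              for c in candidate_categories}
    for row in csv.DictReader(io.StringIO(log_text)):
        name = candidates.get(row["category"].strip().lower())
        if name is None:
            continue  # category stays behind authentication; nothing changes
        entry = impact[name]
        entry["requests"] += 1
        user = row["username"].strip()
        if user:  # entry is attributed today, would become anonymous
            entry["attributed"] += 1
            entry["users"].add(user)
    return impact

def report(impact):
    """Render one summary line per candidate category."""
    lines = []
    for category, e in sorted(impact.items()):
        share = (100 * e["attributed"] / e["requests"]) if e["requests"] else 0.0
        lines.append(f"{category}: {e['attributed']}/{e['requests']} entries "
                     f"({share:.0f}%) would lose a username; "
                     f"users affected: {', '.join(sorted(e['users'])) or 'none'}")
    return lines

if __name__ == "__main__":
    for line in report(attribution_impact(SAMPLE_LOG, ["Software Updates", "Video"])):
        print(line)
```

A category where most entries are currently attributed to users is one where an exception removes the most detail from reporting.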
Uses of Authentication Exceptions
The most direct and functional use of Authentication Exceptions is in setups where web-enabled software installed on clients makes web requests outside of the web browser and may not be designed to respond to an authentication challenge - this includes desktop software, mobile device applications, and network infrastructure such as IP phones, switches and routers.
In this instance the URLs called by the software may be put into a Custom Category and this category listed as an Authentication Exception. This removes the authentication requirement and allows the requests to pass directly to the filter, at which point they will be subject to Web Filter and HTTPS Inspection policies targeted for, by default, the "Everyone" and "Unauthenticated IP" groups.
Prime examples of categories fit for Authentication Exceptions are:
- Microsoft Office 365
- iTunes
- Software Updates
- Smoothwall Products
In these cases, the categories contain content used heavily by Windows, iOS and macOS, other heavily used software, and Smoothwall-related products that may be running through the Guardian Web Filter.
NOTE: Out-of-band authentication methods, such as IDex Agent, Kerberos Logon Scripts and RADIUS, authenticate the user prior to any web requests being made by the client. As such, Authentication Exceptions are typically not needed for software running on clients authenticated by these methods and where 'Core Authentication' is listed as the authentication method on the Web Proxy Authentication Policies.
Setting Up Authentication Exceptions
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Web Proxy > Authentication > Exceptions.
- From the left-hand field, select any categories you wish to apply as Authentication Exceptions and use the Add button to move the selection across.
- Save the page with the Save button to complete the configuration.