This article applies to the Smoothwall Firewall & Filter On-Prem solution in either Hardware or VM form.
A Primer on Authentication Exceptions
Authentication Exceptions provide a mechanism by which select categories of content, including Custom Categories, can be exempt from authentication requests made by Guardian.
In a typical setup, where authentication is provided by the web-browser via Kerberos or NTLM, web requests made through the Guardian Web Filter are first required to pass an authentication check, which allows the Smoothwall to pair a logged-in username to the request and also carry out group-mapping based on the verification of the user's credentials. For categories of content in the Authentication Exceptions list, the authentication requirement is lifted and the traffic is allowed to pass under the default group of Unauthenticated IP, or whichever group is assigned to unauthenticated requests on the Authentication Policy.
It is important to note that any content listed in Authentication Exceptions will have no username attached in the Guardian Logs. Care should therefore be taken that reporting and Safeguard Alerts are not compromised by poorly configured Authentication Exceptions.
Uses of Authentication Exceptions
The most direct and functional use of Authentication Exceptions is in setups where web-enabled software installed on clients makes web-requests outside of the web browser and may not be designed to respond to an authentication challenge.
In this instance, the URLs called by the software may be put into a Custom Category, and this category listed as an Authentication Exception, to remove the authentication requirement and allow the requests to pass directly to the filter, at which point they will be subject to the Web Filter and HTTPS Inspection policies targeted, by default, at the "Everyone" and "Unauthenticated IP" groups.
Prime examples of categories suited to Authentication Exceptions are:
- Microsoft Office 365
- Software Updates
- Smoothwall Products
In these cases, the categories contain content used heavily by Windows, iOS and macOS, other heavily used software, and Smoothwall-related products that may be running through the Guardian Web Filter.
NOTE: Out-of-band authentication methods, such as IDex Agent, Kerberos Logon Scripts and RADIUS, authenticate the user prior to any web requests being made by the client. As such, Authentication Exceptions are typically not needed for software running on clients authenticated by these methods.
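A check for the reporting caveat above, as an added example (not Smoothwall code): it scans a web-filter log export and flags exception categories in which username-less requests come from browser user agents, meaning user browsing is passing unattributed. The CSV layout, column names, the "Vendor App (custom)" category and the user-agent heuristic are assumptions made for this example, not the Guardian log format.

```python
import csv
import io
from collections import Counter

# Constructed sample export; the columns are assumed, not Guardian's real format.
SAMPLE_LOG = """\
time,client_ip,username,category,user_agent
2024-05-01T09:00:01,10.0.0.21,jsmith,News,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:00:05,10.0.0.21,,Software Updates,Microsoft-Delivery-Optimization/10.0
2024-05-01T09:00:09,10.0.0.22,,Software Updates,Windows-Update-Agent/10.0
2024-05-01T09:01:12,10.0.0.23,,Vendor App (custom),VendorSync/2.1
2024-05-01T09:01:40,10.0.0.23,,Vendor App (custom),Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T09:02:03,10.0.0.24,,Vendor App (custom),Mozilla/5.0 (Macintosh) Safari/605.1
2024-05-01T09:02:30,10.0.0.25,,Microsoft Office 365,Microsoft Office/16.0
"""

# Categories configured as Authentication Exceptions (hypothetical selection).
EXCEPTIONS = {"Software Updates", "Microsoft Office 365", "Vendor App (custom)"}

# Heuristic only: some non-browser software also sends a Mozilla/ user agent.
BROWSER_PREFIXES = ("Mozilla/", "Opera/")


def audit_unauthenticated(log_text, exception_categories, threshold=0.2):
    """Return {category: (browser_hits, total_hits)} for exception categories
    where the browser share of username-less requests exceeds `threshold`."""
    total = Counter()
    browser = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["username"].strip():
            continue  # request was attributed to a user; nothing lost
        category = row["category"]
        if category not in exception_categories:
            continue  # unauthenticated for some other reason; out of scope
        total[category] += 1
        if row["user_agent"].startswith(BROWSER_PREFIXES):
            browser[category] += 1
    return {
        cat: (browser[cat], hits)
        for cat, hits in total.items()
        if browser[cat] / hits > threshold
    }


if __name__ == "__main__":
    for cat, (b, n) in audit_unauthenticated(SAMPLE_LOG, EXCEPTIONS).items():
        print(f"{cat}: {b}/{n} unattributed requests look like browser traffic")
```

A flagged category is a candidate for narrowing: keep only the URLs the non-browser software needs in the Custom Category so that ordinary browsing to the rest is still authenticated and logged with a username.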
Setting Up Authentication Exceptions
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Web Proxy > Authentication > Exceptions.
- From the left-hand field, select any categories you wish to apply as Authentication Exceptions and use the Add button to move the selection across.
- Save the page with the Save button to complete the configuration.