Bypassing ProxySG authentication by using IP addresses
How do I create policy that will exclude certain IP addresses or workstations from authentication?
Some of the devices on the network are servers and I don't want those devices to be authenticated for Web access.
There are two options that you have when it comes to authentication by IP address.
This article will assume that all workstations, servers, devices, and so forth will be authenticated and that a few exceptions will be unauthenticated. The example below assumes that you already have an existing and functioning web authentication and web access layers.
EXCLUDING AUTHENTICATION BY IP ADDRESS
1.) Go into the Management Console for the ProxySG. The Management Console is located at https://<ip.address.of.the.proxysg>:8082/ .
2.) Click on the Configuration tab > Policy > Visual Policy Manager > Launch. The Visual Policy Manager (VPM) will load.
3.) Within the VPM, click on the Web Authentication Layer. Click on the "Add Rule" button. Highlight the rule and move it to be located just above your authentication rule.
4.) Click in the Source column and right click and select Set... > New... > Client IP Address/Subnet...
5.) A new window will pop up where you can put in an IP address or IP address range. Then click on the "Add" button. Once the addresses have been added, then click on the OK button. NOTE: If you want to add a single IP address, simply put in the IP address and then click the Add button. It is not mandatory to add the subnet for a single IP address. If you want to add the subnet mask, enter 255.255.255.255. For a network, you put in the network number and then the subnet. If I want to not authenticate any device on the 192.168.1.0 network, put that IP subnet in and then put in 255.255.255.0 for the subnet mask.
6.) Select the IP address that you just added and click the OK button. NOTE: There should be an icon with two computers next to each other. Next to that it should say: "Client: xx.xx.xx.xx/yy.yy.yy.yy" or "Client xx.xx.xx.xx".
7.) Go to the Action column. Right click and select Set... > Do not authenticate. NOTE: The behavior of the "Do not authenticate" action changed in some versions of SGOS. If this is a transparent proxy and you want to pass on credentials, it may be necessary to use the "Do not authenticate (forward credentials)" action instead.
8.) Now click on the Web Access Layer. Create a new rule after your deny rules (objectionable items that are being denied) but before the rule that has authenticated user as the source.
9.) In the new rule, right click on the Source column for that rule and select Set... > and then select the IP address or IP address range created in step 5 above. Change the Action from Deny to Allow.
10.) Install policy.
11) Test. Make sure authentication is not occurring for the bypassed list. If you were getting prompted for authentication, or if an application did not work because authentication was present, those problems should be solved.
NOTE: If you want to authenticate workstations on a particular network and everything else bypasses authentication, then in your authentication rule, add the network IP address as the Source. Then another rule should be added