Create Exception for Webproxy Authentication

Hello seroal,

Thank you for reaching out to the community, may we know which websites you are adding into the web > exception ? If you can share the sites url and a screenshot of the exception you have created ? 
> Bypass the web proxy in transparent mode: https://support.sophos.com/support/s/article/KB-000037190?language=en_US
> Example of  web exceptions for Office 365: https://support.sophos.com/support/s/article/KB-000038173?language=en_US

Hello Vivek,

I´ve looked into the first link. This doesn´t apply, because it´s describing how to bypass the transparent proxy and furthermore, it does not especially clarify the question, how someone could avoid authentication for a specific website.

In other words: I want to use classic proxy functionality, but I also want to authentication disabled for certain websites, because Applications may not support authentication (or cannot show an authentication popup).

Basically it looks like this, but it applies to any destination you can imagine.

I also took a look here, and that actually sounds interesting:

docs.sophos.com/.../index.html

I also tried disabling "use web authentication for unknown users" but then, no authentication at all will happen anymore. From the admin-help I understand, that authentication should happen based on the webpolicy settings, if I set "use web authentication for unknown users" to off. Is that right?

Maybe I should have it set to off, to have my requirements met. But the missing point is then, that authentication is not happening anymore and user has not the rights, he should have.

Hey seroal,

Thank you for quick information, try using the following URL pattern matches: 
^([A-Za-z0-9.-]*\.)?web\.de/
^([A-Za-z0-9.-]*\.)?web\.de/consent-management/
=================================================
The site falls under the category of Portal sites > so ensure under the web policy used it does not conflict in the web policy rules. 

And are you using web base authentication i.e., captive portal ? 
Then leave the  "Match known users." & "Use web authentication for unknown users" option enabled with mentioned users or groups. 

Also ensure a plain FW rule is created with only DNS service allowed without any  "Match known users." & "Use web authentication for unknown users" option enabled or any web, application or IPS policy applied - keep that to none. 

Hi,

thanks for your quick reply, I also tried that Regex Patterns, it doesn´t change anything.

The site falls under the category of Portal sites > so ensure under the web policy used it does not conflict in the web policy rules

-->What do you mean by that? If I create an exception, this should overwrite all other policy settings, right?

And are you using web base authentication i.e., captive portal ? 
Then leave the  "Match known users." & "Use web authentication for unknown users" option enabled with mentioned users or groups.

--> Yes, the Web authentication wis being used and works fine.

But the main question is still unanswered: How a certain website can be excempted from authentication. In UTM this could be easily done. with creating an exception. FOr this website the firewall then was not requesting authentication. This was necessary for applications, that did not support authentication.

is there a solution?

Thanks.

Hey seroal,
Yup, that should override.  

Now regarding skipping an authentication: You can create a FQDN base rule on the top [above all the rules.] 

The correct name for the proxy mode, that I am talking about here is "direct proxy mode".

So here your Sophos is a gateway device or not ?
> Web proxy deployment modes: https://support.sophos.com/support/s/article/KB-000036493?language=en_US
>  Configure a direct proxy when not the gateway device: https://support.sophos.com/support/s/article/KB-000035921?language=en_US

Yes, it´s a gateway device, but direct proxy is in use primarily (historical).

Then try creating an FQDN base rule on the top, perform a packet capture via GUI diagnostics and see whenever an authenticated user tries to access that site, does it pass it from the correct rule or it passes from a rule which has authentication enabled ?

Hello,

that is not a problem, this is working. But normally I do not want to create extra firewall rules for proxy exceptions. It should be possible through creating an exception, like in UTM. Or is this not possible in XG?

Thanks.

Move away from the old Proxy and go to DPI Engine. 

On UTM, you did authentication only for Web Traffic (due the lack of integration). So in UTM you did this only for the web proxy and http/s.

In SFOS you can do it for every port. Therefore you can do the authentication with STAS, Endpoint etc. So you cannot workaround this kind of authentication, as the part of "which website do you try to get", is to late. The firewall already knows the authentication for this website. 

Then do the DPI (decryption) and proxy with the firewall rule. 

So get the authentication for the Client A, then you do not have to worry about "I do not want to auth for this particular website". Instead you can allow the access with the web protection rules. 

In the end, why do you want to create such a Exception at all? Why did you do this on UTM? 

Move away from the old Proxy and go to DPI Engine. 

On UTM, you did authentication only for Web Traffic (due the lack of integration). So in UTM you did this only for the web proxy and http/s.

In SFOS you can do it for every port. Therefore you can do the authentication with STAS, Endpoint etc. So you cannot workaround this kind of authentication, as the part of "which website do you try to get", is to late. The firewall already knows the authentication for this website. 

Then do the DPI (decryption) and proxy with the firewall rule. 

So get the authentication for the Client A, then you do not have to worry about "I do not want to auth for this particular website". Instead you can allow the access with the web protection rules. 

In the end, why do you want to create such a Exception at all? Why did you do this on UTM?