
Bypass Web Protection for non-authenticated users, e.g. guests

Hi there,

I configured WP with transparent mode and AD-SSO. Works!

When non-AD users try to surf, they get a DNS error because the firewall is missing from their Internet settings (Local Zones).

AD users get the sites by GPO.

What can I do?

  • Hi,

    Thank you for reaching out to the Community!

    You can bypass your guest users from the transparent web proxy. Navigate to the Web Protection > Filtering Options > Misc > Transparent Mode Skiplist > Skip Transparent Mode Source Hosts/Nets. You could define the guest network, and guest users' traffic will be bypassed from the web proxy.




    Community Support Engineer, Support & Services | Sophos Technical Support

  • Hi H_Patel

    Thanks for your response.

    There's no Wi-Fi, only LAN, so guests get the same IP range as employees.
    How can I distinguish guests and employees to create a guest network?

    Thanks a lot.

  • There is quite a bit of non-browser traffic on your Active Directory PCs: automatic updates for Adobe, Java, Antivirus; operating system overhead, etc. You also have to consider any use of PC-local accounts on AD machines, as well as the non-AD machines like Linux, tablets, and cell phones. You can get around some of this by doing device-specific authentication within your primary profile: specify Windows devices to use AD SSO and non-Windows devices to use Authentication None. But you still have a problem for non-AD traffic from Windows PCs, so it cannot solve the whole problem.

    My suggestion:   

    Use Standard Mode with AD SSO authentication for AD users on web browsers. Use Transparent Mode with authentication None for everything else. (Do not fall into the trap of thinking that the two methods are mutually exclusive; they work best when used together.) Using both modes will ensure that all traffic is protected, while also ensuring that no traffic is blocked for dumb reasons.

    How I handle the exceptions:

    Bypassing the web proxy is required for some things, but it should be enabled on an exception basis only. I create tags like "Web Proxy Bypass", "Allow Program Downloads", and "No Authentication". These are assigned to destination websites using the [Websites] tab. Then I have an Exception object for each of the tags, which configures the features corresponding to the tag name. It avoids a lot of regular expression errors.

  • Hallo and welcome to the UTM Community!

    Anytime you get advice from DouglasFoster, you should give it serious consideration.

    You also might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA