
Web authentication for servers

New XG deployment (SFOS 18.0.4).

I created a few web policies so that we can control what websites authenticated users can go to. Seems to work fine.

I have about a dozen servers (some Linux but most Windows) that run services. The services will run even if I reboot the server but don't log into it. This is by design. I want/need to make sure that these servers are always able to communicate out to the Internet if required. I don't want to have to log into the server as a user just so the server can get out to the Internet. Is there a way to exclude hosts (servers) from having to authenticate with the firewall?

(FWIW: I believe in UTM a solution was to add the servers to the Transparent Mode Skiplist.)

  • Are those systems in the same subnet as your current network? Then place a firewall rule above your proxy firewall rule (LAN to WAN) and tell XG not to use a web filter in this firewall rule.

    __________________________________________________________________________________________________________________

  • Yes the servers are in the same subnet as my workstations. If I create a rule that does not use a web filter and place it higher in the list, wouldn't ALL hosts (workstations and servers) use that rule?

  • You can essentially replicate the UTM option by creating a firewall rule with source hosts = your servers and destination WAN ANY.

    The servers will bypass the entire proxy.

    Next should come a LAN to WAN rule to pick up every client.

    XG uses first-match rule evaluation.

    Filtering criteria are: source IP, destination IP, service.

    Source IP can be: username (matched to an IP), IP address, network zone.
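The reply above hinges on first-match evaluation: the server bypass rule only works if it sits above the general LAN-to-WAN rule, which is exactly the concern raised earlier about all hosts hitting the same rule. The following is an added illustration, not Sophos code and not the SFOS API: it models the two-rule ordering described in the reply so you can see which rule a given flow lands on, and it includes a simple shadowing check that flags a bypass rule placed below the catch-all rule. All addresses, zone names, rule names and the shared /24 are assumed values.

```python
"""Model of SFOS-style first-match firewall rule evaluation (added example).

Not Sophos code: a minimal model of the ordering the reply describes, with
a server bypass rule (no web filter, no user match) above the general
LAN-to-WAN rule that carries authentication and web filtering.
All addresses, zones and rule names are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: list       # ip_network objects; empty list means "any source"
    services: set        # e.g. {"HTTP", "HTTPS"}; empty set means "any service"
    web_filter: bool     # rule applies a web policy
    require_auth: bool   # rule matches known (authenticated) users only
    action: str = "accept"


def matches(rule, src_ip, src_zone, dst_zone, service):
    """True if the flow satisfies every criterion of the rule."""
    if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
        return False
    if rule.src_nets and not any(src_ip in n for n in rule.src_nets):
        return False
    if rule.services and service not in rule.services:
        return False
    return True


def first_match(rules, src_ip, src_zone, dst_zone, service):
    """Return the first rule whose criteria match, or None (implicit drop)."""
    ip = ip_address(src_ip)
    for r in rules:
        if matches(r, ip, src_zone, dst_zone, service):
            return r
    return None


def decide(rules, src_ip, service="HTTPS"):
    """Evaluate a LAN-to-WAN flow and report which rule it hit."""
    r = first_match(rules, src_ip, "LAN", "WAN", service)
    if r is None:
        return {"rule": None, "web_filter": None, "auth": None}
    return {"rule": r.name, "web_filter": r.web_filter, "auth": r.require_auth}


def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.src_zone != r.src_zone or earlier.dst_zone != r.dst_zone:
                continue
            if earlier.services and not (r.services and r.services <= earlier.services):
                continue
            if earlier.src_nets and (not r.src_nets or not all(
                    any(n.subnet_of(e) for e in earlier.src_nets) for n in r.src_nets)):
                continue
            out.append(r.name)
            break
    return out


# Assumed topology: servers and workstations share 192.168.10.0/24.
SERVER_HOSTS = ["192.168.10.10/32", "192.168.10.11/32", "192.168.10.12/32"]

SERVER_BYPASS = Rule("Servers to WAN (no web filter)", "LAN", "WAN",
                     src_nets=[ip_network(h) for h in SERVER_HOSTS],
                     services=set(), web_filter=False, require_auth=False)

USERS_TO_WAN = Rule("LAN to WAN (known users, web filtered)", "LAN", "WAN",
                    src_nets=[ip_network("192.168.10.0/24")],
                    services=set(), web_filter=True, require_auth=True)

RECOMMENDED = [SERVER_BYPASS, USERS_TO_WAN]   # bypass rule sits above the catch-all
WRONG_ORDER = [USERS_TO_WAN, SERVER_BYPASS]   # bypass rule is never reached


if __name__ == "__main__":
    for ruleset, label in ((RECOMMENDED, "recommended"), (WRONG_ORDER, "wrong order")):
        print(label, "server:", decide(ruleset, "192.168.10.10"))
        print(label, "workstation:", decide(ruleset, "192.168.10.50"))
        print(label, "shadowed rules:", shadowed(ruleset))
```

With the recommended order a server address hits the bypass rule (no web filter, no user match) while a workstation in the same /24 falls through to the authenticated, filtered rule; with the order reversed every host matches the catch-all first and `shadowed()` reports the bypass rule as unreachable, which is the symptom to look for when a server still gets a captive portal.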

    __________________________________________________________________________________________________________________

  • Yes, all hosts included within this rule will use the rule.
    A second option (if you wish to see the server communication in more detail) is to create a "clientless user" for every server.
    This creates a "user" for the IP specified. Reporting and "current activities" are more detailed that way.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question click the 'Verify Answer' link.