New XG deployment (SFOS 18.0.4).
I created a few web policies so that we can control what websites authenticated users can go to. Seems to work fine.
I have about a dozen servers (some Linux but most Windows) that run Services. The services will run even if I reboot the server but don't log into it. This is by design. I want/need to make sure that these servers are always able to communicate out to the Internet if required. I don't want to have to log into the server as a user, just so the server can get out to the internet. Is there a way to exclude hosts (servers) from having to authenticate with the firewall?
(FWIW: I believe in UTM a solution was to add the servers to the Transparent Mode Skiplist.)
You essentially can copy/paste the option of UTM by creating a Firewall rule with source hosts your servers and WAN ANY.
The servers will bypass the entire proxy.
Coming next should be a LAN to WAN Rule…
Are those systems in the same subnet as your current network? Then place a Firewall rule above your proxy firewall (LAN to WAN) and tell XG to not use a webfilter in this firewall rule.
__________________________________________________________________________________________________________________
Yes the servers are in the same subnet as my workstations. If I create a rule that does not use a web filter and place it higher in the list, wouldn't ALL hosts (workstations and servers) use that rule?
Coming next should be a LAN to WAN Rule to pickup every client.
XG uses a first match rule.
Filtering criteria are: Source IP, Destination IP, Service.
Source IP can be: Username (matched to an IP), IP Address, Network Zone.
Yes, all hosts included within this rule will use the rule.
A second option (if you wish to see the server communication in more detail) is to create a "clientless user" for every server. This creates a "user" for the IP specified. Reporting and "current activities" are more detailed that way.
Dirk
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
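The first-match behaviour discussed in this thread, as an added example that is not from any poster or from Sophos: a small Python model of top-down rule evaluation plus a check for rules that an earlier, broader rule makes unreachable. The rule names, the 192.0.2.0/24 addresses and the dictionary layout are assumptions for illustration, not the XG configuration format, and the destination is simplified to a zone name.

```python
import ipaddress

# Constructed rule set (hypothetical names and addresses), ordered top to bottom.
RULES = [
    {"name": "servers-no-webfilter", "src": ["192.0.2.10/32", "192.0.2.11/32"],
     "dst_zone": "WAN", "service": "ANY", "web_filter": None},
    {"name": "lan-to-wan-users", "src": ["192.0.2.0/24"],
     "dst_zone": "WAN", "service": "ANY", "web_filter": "user-policy"},
]

def _nets(rule):
    return [ipaddress.ip_network(s) for s in rule["src"]]

def _svc_match(rule_service, service):
    return rule_service == "ANY" or rule_service == service

def first_match(rules, src_ip, dst_zone, service):
    """Return the first rule whose source, destination zone and service match."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (any(ip in n for n in _nets(rule))
                and rule["dst_zone"] == dst_zone
                and _svc_match(rule["service"], service)):
            return rule
    return None  # nothing matched; this model treats that as a drop

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    out = []
    for i, low in enumerate(rules):
        for high in rules[:i]:
            covers = all(any(n.subnet_of(h) for h in _nets(high)) for n in _nets(low))
            if (covers and high["dst_zone"] == low["dst_zone"]
                    and _svc_match(high["service"], low["service"])):
                out.append(low["name"])
                break
    return out
```

With the server rule on top, only the listed server addresses hit it and every other LAN host falls through to the filtered rule; reversing the order makes the server rule unreachable, which `shadowed()` reports.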