Web authentication for servers

New XG deployment (SFOS 18.0.4).

I created a few web policies so that we can control what websites authenticated users can go to. Seems to work fine.

I have about a dozen servers (some Linux but most Windows) that run Services. The services will run even if I reboot the server but don't log into it. This is by design. I want/need to make sure that these servers are always able to communicate out to the Internet if required. I don't want to have to log into the server as a user, just so the server can get out to the internet. Is there a way to exclude hosts (servers) from having to authenticate with the firewall?

(FWIW: I believe in UTM a solution was to add the servers to the Transparent Mode Skiplist.)



This thread was automatically locked due to age.
  • Are those systems in the same subnet as your current network? Then place a Firewall rule above your proxy firewall (LAN to WAN) and tell XG not to use a webfilter in this firewall rule.

  • Yes the servers are in the same subnet as my workstations. If I create a rule that does not use a web filter and place it higher in the list, wouldn't ALL hosts (workstations and servers) use that rule?

  • You essentially can copy/paste the option of UTM by creating a Firewall rule with source hosts your servers and WAN ANY. 

    The servers will bypass the entire proxy. 

    Coming next should be a LAN to WAN Rule to pick up every client.

    XG uses a first match rule. 

    Filtering criteria are: Source IP, Destination IP, Service. 

    Source IP can be: Username (matched to an IP), IP Address, Network Zone.

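An added example, not part of the original posts and not Sophos code: a simplified Python model of the first-match evaluation described above, showing why the server rule has to sit above the general LAN to WAN rule and how to spot a rule that can never match. The addresses and rule names are constructed, and only the source criterion is modelled (destination and service are treated as ANY).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple    # CIDR strings; a single host is a /32
    web_filter: bool  # True = traffic is sent through the web proxy/policy


def first_match(rules, src_ip):
    """Walk the rule list top to bottom and return the first rule that matches."""
    addr = ip_address(src_ip)
    for rule in rules:
        if any(addr in ip_network(net) for net in rule.sources):
            return rule
    return None  # nothing matched: treated as default drop in this model


def shadowed(rules):
    """Names of rules whose every source is already covered by an earlier rule.

    Simplification: a source counts as covered only if one single earlier
    network contains it (unions of earlier networks are not considered).
    """
    dead = []
    for i, rule in enumerate(rules):
        earlier = [ip_network(n) for r in rules[:i] for n in r.sources]
        if all(any(ip_network(s).subnet_of(e) for e in earlier) for s in rule.sources):
            dead.append(rule.name)
    return dead


# Constructed sample data: two servers inside the workstation subnet.
SERVERS_BYPASS = Rule("servers-no-proxy",
                      ("192.168.10.11/32", "192.168.10.12/32"), web_filter=False)
LAN_TO_WAN = Rule("lan-to-wan-webfilter", ("192.168.10.0/24",), web_filter=True)

GOOD_ORDER = [SERVERS_BYPASS, LAN_TO_WAN]  # specific rule first
BAD_ORDER = [LAN_TO_WAN, SERVERS_BYPASS]   # broad rule first: servers hit the proxy

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for ip in ("192.168.10.11", "192.168.10.50"):
            print(label, ip, "->", first_match(rules, ip).name)
        print(label, "shadowed rules:", shadowed(rules))
```

Hosts matched by the bypass rule get no web filtering at all, so keep its source list limited to the specific server addresses.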

  • Yes, all hosts included within this rule will use the rule.
    A second option (if you wish to see the server communication in more detail) is to create a "clientless user" for every server.
    This creates a "user" for the IP specified. Reporting and "current activities" are more detailed that way.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.