Configure Exemptions for Explicit Proxy Authentication
Table of Contents
Configure Exemptions for Explicit Proxy Authentication
Learn how you can exempt proxy traffic from authentication using a source,
destination, or both.
Using a web proxy allows you to use the
information from the proxy devices in your network through a unified interface.
However, resources such as printers or other IoT devices can't respond to
authentication requests from the proxy or support a certificate or PAC file.
You can exempt these devices from the authentication request from the proxy
using an address object for the source, a custom URL category exception list as the
destination, or both. Configuring an authentication exemption for the explicit proxy
ensures that traffic from these key resources isn't interrupted and allows traffic
from these trusted devices to pass through the proxy in compliance with your network
architecture.
You can create up to three web proxy
exemptions in your authentication policy.
- If you have not already done so, Configure Explicit Proxy then define the type of proxy traffic that you want to exempt from authentication requests.You can exempt traffic based on the source, the destination domain, or both.
- Configure an address object () that contains the source IP addresses of your trusted devices. The source IP can be an address or address group.
- Configure a custom URL category exception list ( ) that contains the destination URL domain or domains of the web services you want to allow.
- Enable the Authentication Portal if you have not already done so.This step is required to enforce the policy rule.
- Edit or create your authentication policy rule () and selectBypass Web Proxy Authentication.When you enable theBypass Web Proxy Authenticationoption, theAuthentication Enforcementoption on theActiontab is set toNone; you cannot change this setting while theBypass Web Proxy Authenticationoption is enabled.
- Define the type of proxy traffic that you want to exempt from authentication in your authentication policy rule andCommityour changes.You can exempt a source, a destination, or both.
- Select theSourcetab then select the address object you configured in the first step as theSource Addressand clickOK.
- Select theDestinationtab then select the URL category you configured in the first stepYou must create the custom URL category exception list before you can select it as a destination. You can't create a new custom URL category exception list as a destination during this step.
- Commityour changes and verify your configuration.
- View your policy rules () and confirm that a checkmark displays in theBypass Web Proxy Authenticationcolumn for the rules where you enabled the exemption.
- Depending on your authentication method, use the CLI commands to view the exemptions for proxy traffic.
- If you're using the SAML authentication method, you can use theshow counter global name ctd_eproxy_skip_auth_url_matchcommand to verify the configuration. This command displays the number of SAML authentication exemptions for proxy traffic.
- If you're using the Kerberos authentication service type, you can use theshow counter global name flow_swg_ep_kerberos_skip_authcommand to verify the configuration. This command displays the number of Kerberos authentication exemptions for proxy traffic.