You simply don't add any authentication rules and by that the proxy won't authenticate. No need for any white-listing - just don't use authentication. If you have the auth ruleset enabled, simply disable it.
This seems to be the global whitelist, if I am not mistaken.
What do you want to achieve? Unfiltered Internet access for all or simply common scanning settings for all?
I would be careful with the Stop Cycle action. Using this will prevent any further rules (such as antimalware) from running. If one of your top rules is an "any any stop cycle", then no rules below it will be evaluated.
OK, what I'm trying to achieve is:
I have a proxy chain of two devices, where the first one will be used for user access (currently without any authentication) and content filtering, and after this it forwards requests to the parent proxy, which faces the Internet directly (this one will not do any scanning, just traffic routing).
What I suppose I need to do on the first proxy is:
- Create a new ruleset which will be used for user access, with a new rule that does nothing but include the action “Continue”
After that, define a Next Hop Proxy ruleset with a rule with the event "Enable Next Hop Proxy" using the created list "Parent proxy servers".
And on the parent proxy, define a new rule set with only one rule allowing connections from a list containing the IP of the child proxy from which the connection is established (only the child proxy is allowed to connect to the parent proxy).
Is this configuration scenario correct?
Many thanks for your advice, guys.
What is the purpose of your first rule? The "continue" is only used to "do not block, allow or authenticate" and is usually used in the events with setting a property, sending a notification, etc. As you have it, the logical evaluation is "For every request do nothing here, and process the next rule as you would"... not sure if this is a stub that you'll later extend to the auth piece, but as shown here it does nothing and can be removed.
Your last rule is correct; however, I would suggest you may want to do it at the beginning of your ruleset if you want it to ALWAYS use the upstream proxy (depending on your environment).
If you set it at the beginning of the ruleset, the next hop proxy will be applied for every stop cycle (or possibly stop ruleset) that you have below it; this means, for example, that if you wanted to allow everyone access to microsoft.com, no matter if they're authenticated, one of your first rules would be a stop cycle for *.microsoft.com; if your next-hop-proxy was set before this, your request to microsoft.com will go via the upstream proxy.
If you set it at the end of the ruleset, then any stop cycle you do within the ruleset will skip over setting the next hop proxy. This may be useful for accessing internal resources, and could just as easily be done with a criteria where you set the next hop proxy (ex: instead of Always, condition url.host not in list *.mycompany.com, *.our-internal-site.local, then set next hop).
I hope this makes sense.
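
The ordering effect discussed in the replies above, as an added example that is not part of the original thread: a simplified Python model of top-down rule evaluation (not the proxy's own rule engine) showing which events fire when the "Enable Next Hop Proxy" rule sits before or after a Stop Cycle rule, or carries its own criteria. The rule names, the scan event and the sample hosts are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Optional

NEXT_HOP = "Enable Next Hop Proxy"   # event name used in the thread
SCAN = "Anti-Malware scan"           # constructed stand-in for a scanning rule
INTERNAL = ["*.mycompany.com", "*.our-internal-site.local"]

@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]   # criteria evaluated against url.host
    action: str                      # "Continue" or "Stop Cycle"
    event: Optional[str] = None

def in_list(patterns):
    return lambda host: any(fnmatch(host, p) for p in patterns)

def always(host):
    return True

def evaluate(rules, host):
    """Run one request cycle top-down; return the events that fired."""
    fired = []
    for rule in rules:
        if not rule.matches(host):
            continue
        if rule.event:
            fired.append(rule.event)
        if rule.action == "Stop Cycle":
            break                    # nothing below this rule is evaluated
    return fired

scan = Rule("scan", always, "Continue", SCAN)
next_hop = Rule("next hop", always, "Continue", NEXT_HOP)
allow_ms = Rule("allow microsoft", in_list(["*.microsoft.com"]), "Stop Cycle")
allow_int = Rule("allow internal", in_list(INTERNAL), "Stop Cycle")
next_hop_ext = Rule("next hop (external only)",
                    lambda h: not in_list(INTERNAL)(h), "Continue", NEXT_HOP)

NEXT_HOP_FIRST = [next_hop, allow_ms, scan]   # upstream proxy always used
NEXT_HOP_LAST = [allow_int, scan, next_hop]   # Stop Cycle skips next hop
CONDITIONAL = [next_hop_ext, scan]            # criteria instead of Stop Cycle

if __name__ == "__main__":
    for label, rules in [("first", NEXT_HOP_FIRST), ("last", NEXT_HOP_LAST),
                         ("conditional", CONDITIONAL)]:
        for host in ["www.microsoft.com", "intranet.mycompany.com"]:
            print(f"{label:12} {host:24} {evaluate(rules, host)}")
```

In this model the Stop Cycle whitelist rules also skip the scan rule, while the criteria-based variant keeps internal traffic off the upstream proxy and still scans it.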