6 Replies Latest reply on Dec 2, 2015 10:27 AM by mitchese

    Allow access to proxy for everybody

    svokac

      Hello guys,

        I'm building a test proxy chain and I want to test general functionality, so I want to allow access to everybody without authentication to the first proxy in the chain.

      I'm not sure if the correct approach is Global whitelist -> Client IP is in list Allowed Clients, and I'm not sure what should be configured as the source IP in that case (0.0.0.0 doesn't work for me).

      If not, can you please point me to the proper way to approach this task?

       

      Many thanks.

        • 1. Re: Allow access to proxy for everybody
          michael_schneider

          You simply don't add any authentication rules and by that the proxy won't authenticate. No need for any white-listing - just don't use authentication. If you have the auth ruleset enabled, simply disable it.

          Michael

          • 2. Re: Allow access to proxy for everybody
            svokac

            Hello Michael,

               This is a fresh installation with default rules, so I probably must add one.

            Will it work if I add something like this?

            Capture.JPG

            Many thanks for your help.

            • 3. Re: Allow access to proxy for everybody
              michael_schneider

              Hello,

               

              this seems to be the global whitelist if I am not mistaken.

              What do you want to achieve? Unfiltered Internet access for all or simply common scanning settings for all?

               

              thanks,

              Michael

              • 4. Re: Allow access to proxy for everybody
                mitchese

                I would be careful with the Stop Cycle action. Using this will prevent any further rules (such as antimalware) from running. If one of your top rules is an "any any stop cycle", then no rules below it will be evaluated.

                • 5. Re: Allow access to proxy for everybody
                  svokac

                  OK, what I'm trying to achieve is:

                  I have a proxy chain of two devices, where the first one will be used for user access (currently without any authentication) and content filtering, and after this it forwards requests to the parent proxy, which faces the Internet directly (this one will not do any scanning, just traffic routing).

                   

                  What I suppose I need to do on the first proxy is:

                  • Create a new ruleset which will be used for user access, with a new rule not doing anything but just including the action “Continue”

                  Like this:

                  Capture.JPG

                  After that, define a Next Hop Proxy ruleset with a rule with the event "Enable Next Hop Proxy" using the created list "Parent proxy servers".

                  Like this:

                  Capture2.JPG


                  And on the parent proxy, define a new rule set with only one rule allowing connections from a list containing the IP of the child proxy from which the connection is established (only the child proxy is allowed to connect to the parent proxy).


                  Is this configuration scenario correct?


                  Many thanks for your advice, guys.


                  • 6. Re: Allow access to proxy for everybody
                    mitchese

                    What is the purpose of your first rule? The "continue" is only used to "do not block, allow or authenticate" and is usually used in the events with setting a property, sending a notification, etc.  As you have it, the logical evaluation is "For every request do nothing here, and process the next rule as you would"... not sure if this is a stub that you'll later extend to the auth piece, but as shown here it does nothing and can be removed.

                     

                    Your last rule is correct; however, I would suggest you may want to do it at the beginning of your ruleset if you want it to ALWAYS use the upstream proxy (depending on your environment).

                     

                    If you set it at the beginning of the ruleset, the next hop proxy will be applied for every stop cycle (or possibly stop ruleset) that you have below it. This means, for example, if you wanted to allow everyone access to microsoft.com, no matter if they're authenticated, one of your first rules would be a stop cycle for *.microsoft.com; if your next-hop-proxy was set before this, your request to microsoft.com will go via the upstream proxy.

                     

                    If you set it at the end of the ruleset, then any stop cycle you do within the ruleset will skip over setting the next hop proxy.  This may be useful for accessing internal resources, and could just as easily be done with a criteria where you set the next hop proxy (ex: instead of Always, condition url.host not in list *.mycompany.com, *.our-internal-site.local, then set next hop).

                     

                    I hope this makes sense
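
The ordering effect described in replies 4 and 6, as an added example that is not part of the original thread and is not the proxy's own rule syntax: a simplified Python model of top-down rule evaluation in which a matching Stop Cycle ends processing for the request. The rule names, the `evaluate` helper and the sample hosts are constructed for illustration; the host patterns are the ones mentioned in reply 6.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable

@dataclass
class Rule:
    name: str
    criteria: Callable[[str], bool]  # receives the request host
    action: str = "Continue"         # "Continue" or "Stop Cycle"
    event: str = ""                  # e.g. "Enable Next Hop Proxy"

def in_list(patterns):
    """Criteria: host matches any wildcard entry of a list."""
    return lambda host: any(fnmatch(host, p) for p in patterns)

ALWAYS = lambda host: True
INTERNAL = ["*.mycompany.com", "*.our-internal-site.local"]

def evaluate(rules, host):
    """Walk rules top-down; a matching Stop Cycle skips everything below it."""
    result = {"next_hop": False, "ran": [], "skipped": []}
    for i, rule in enumerate(rules):
        if not rule.criteria(host):
            continue
        result["ran"].append(rule.name)
        if rule.event == "Enable Next Hop Proxy":
            result["next_hop"] = True
        if rule.action == "Stop Cycle":
            result["skipped"] = [r.name for r in rules[i + 1:]]
            break
    return result

next_hop = Rule("next-hop", ALWAYS, event="Enable Next Hop Proxy")
next_hop_external = Rule("next-hop-external",
                         lambda h: not in_list(INTERNAL)(h),
                         event="Enable Next Hop Proxy")
allow_ms = Rule("allow-microsoft", in_list(["*.microsoft.com"]), "Stop Cycle")
allow_internal = Rule("allow-internal", in_list(INTERNAL), "Stop Cycle")
antimalware = Rule("antimalware", ALWAYS)
any_any_stop = Rule("any-any", ALWAYS, "Stop Cycle")

NEXT_HOP_FIRST = [next_hop, allow_ms, antimalware]       # always upstream
NEXT_HOP_LAST = [allow_internal, antimalware, next_hop]  # internal goes direct
CONDITIONAL = [next_hop_external, allow_ms, antimalware] # criteria instead of order
ANY_ANY_ON_TOP = [any_any_stop, antimalware, next_hop]   # reply 4's warning

if __name__ == "__main__":
    for label, rules, host in [("first", NEXT_HOP_FIRST, "www.microsoft.com"),
                               ("last", NEXT_HOP_LAST, "wiki.mycompany.com"),
                               ("any-any", ANY_ANY_ON_TOP, "example.org")]:
        print(label, host, evaluate(rules, host))
```

In the `NEXT_HOP_FIRST` case the Stop Cycle for `*.microsoft.com` still leaves the next hop set but skips the antimalware rule, which is the trade-off to check for every allow rule placed above scanning.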