About the authentication policy wizard
Filter HTTPS Traffic
When Filter HTTPS traffic is turned on, you must specify how the Smoothwall Filter handles HTTPS requests without a Server Name Indication (SNI). SNI provides the domain name for transparent HTTPS requests. Without this, only the IP address is known, making it difficult to distinguish genuine requests.
Note: Some clients, such as the Google Chrome updater, older versions of Google Drive, and Dropbox, make HTTPS requests without Server Name Indication (SNI), so valid requests might be blocked.
- Block HTTPS traffic with no Server Name Indication (SNI) header
- Allow Transparent HTTPS incompatible sites — HTTPS traffic that doesn't contain Server Name Indication (SNI), and whose originating IP address is listed in the Transparent HTTPS incompatible sites Standard category is allowed through without further filtering. All other HTTPS traffic without Server Name Indication (SNI) is blocked.
- Filter using name from certificate — All HTTPS traffic that doesn't contain Server Name Indication (SNI) is filtered accordingly, based on the domain name taken from the destination server's certificate.
- Allow Transparent HTTPS incompatible sites and filter others using name from certificate — This is a combination of the previous two options: if the originating IP address is listed in the Transparent HTTPS incompatible sites category, HTTPS traffic is allowed through without further filtering; otherwise, the originating domain is taken from the server's certificate and the traffic is filtered accordingly.
Note: Some certificates use wildcard characters in domain names, such as *.google.com. The Smoothwall Filter treats these as normal characters, so list them exactly as they appear in the certificate when you use them in categories.
For multiple external connections, with the Smoothwall Filter spoofing, you can use source NAT and link load balancing policies (see the help topic Adding exception rules for traffic generated by the Smoothwall Filter and Firewall) to direct traffic to specific links. For example, you can force one group of users to use one link and another group of users to use another link, based on their source IP address.
Note: For networks that use multiple Smoothwall Filters, such as in a cluster or centrally managed configuration, make sure that reply packets addressed to the spoofed client are routed back through the same Smoothwall. This ensures that data is returned properly to the correct client.
Tip: If the Bandwidth module has been installed on your Smoothwall, you can control the bandwidth used by the Smoothwall Filter traffic, for example, limiting bandwidth available to your network with bring your own devices (BYOD). To take advantage of the full functionality of the Bandwidth module, you need a Layer 7 license.