How do I use Filter Exceptions?

Note: While the term "Filter Exception" naturally implies NOT filtering (which is often true), there are options that allow additional filtering, such as TCP/UDP port numbers to block. Setting up a "Filter Exception" really means handling a filtering-related exception condition, resulting in reduced or additional filtering.

This article has three (3) sections:

Creating Filter Exceptions
How Do I ...
iPrism Filtering Table

Creating Filter Exceptions

Use Access > Filter Exceptions > Add to create a named "Filter Exception".

Existing items are listed above for easy reference. Below, a new exception called "TestException" is being created. Note that IP addresses, Ports/Protocols, and Pick-List options are used to configure the nature of the exception.

IP addresses

The Source and Destination ranges specify the IP addresses the exception applies to. Source usually specifies the hosts in your organization that make requests and that this exception will apply to. Destination can further narrow the exception to specific Internet hosts or internal hosts (DMZ) that are trusted and for which filtering would merely represent unneeded overhead. Together, Source and Destination provide granular and exact control over the machine scope of a filtering exception.

A range of 0.0.0.0 to 255.255.255.255 (as shown above) implies any host. A single host can be specified by entering the same address in the source and/or destination IP start and IP end.

Ports/Protocols

You may identify one or more ports and the TCP and/or UDP protocols, and elect to ignore that port traffic (see 'No Filter') or block that port traffic (see 'Block'). A single port can be specified, a range of ports (e.g. 80-100) or a comma-separated list (e.g. 8,10,20). The protocol selection determines which protocol is filtered (TCP and/or UDP). Selecting both TCP and UDP will filter all IP protocols.

No filter

Prevents filtering for the specified network range. Typically used to have iPrism NOT filter certain traffic between servers and trusted networks like a DMZ, or between servers and Internet hosts.

Supported in Bridge (transparent) mode and Proxy mode.

Block

Blocks traffic on the specified TCP or UDP ports to or from a specific IP address or range of addresses.

Supported in Bridge (transparent) mode only (by its nature, Proxy mode means iPrism only sees web/IM/P2P traffic).

No Authentication

Prevents authentication for the specified network ranges, causing iPrism to filter based on Access > Networks profile assignments rather than user/group profiles. For example, this can be used to allow users to access corporate web sites that are located behind iPrism without having them enter their credentials.

Supported in Bridge (transparent) mode and Proxy mode.

Note: Be aware that this filter exception can affect the [NonAuthenticatable] reporting category; please see:

[Unknown] and [NonAuthenticatable] Report Categories

NAT

"Network Address Translation" replaces the IP address of the sender (i.e., the user) with the IP address of iPrism for outbound traffic. A reverse translation is done on any responses coming back. The effect of NAT is that requests look as if they are coming from iPrism only. This setting hides the IP addresses of your internal workstations from the Internet.

Supported in Bridge (transparent) mode and Proxy mode.

No Authentication & NAT

Combines NAT with No Authentication in one option. This means profiles are assigned by network (see No Authentication) and requests are stamped as coming from iPrism (see NAT).

Supported in Bridge (transparent) mode and Proxy mode.

Resolving Conflicts

If there is a conflict between the rules, and multiple actions are possible for a given transaction, the following priority list applies:

No Filter
Block
NAT (Network Address Translation)
No Authentication
No Authentication & NAT

For example, if one rule tells the system to block port 80 traffic and another tells it to allow it (No Filter), the No Filter exception wins. Filter rules are displayed in priority order, so the first rule that applies will be the one that is used.
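The following is an added, hypothetical model of how the IP address ranges, the Ports/Protocols field and the Resolving Conflicts priority list described above fit together; it is illustrative code written for this article, not iPrism's own implementation. It assumes an empty port field means "any port", that a port list applies to whichever action the exception carries, and it uses constructed documentation addresses (10.0.0.0/24, 192.0.2.10, 198.51.100.1) rather than real hosts.

```python
import ipaddress
from dataclasses import dataclass

# Priority order from the "Resolving Conflicts" section: when several
# exceptions match one transaction, the action earliest in this list wins.
PRIORITY = ["No Filter", "Block", "NAT", "No Authentication", "No Authentication & NAT"]


def parse_ports(spec):
    """Expand a port field ('80', '80-100', '8,10,20') into a set of ints.

    An empty field is taken to mean "any port" and is returned as None.
    """
    spec = spec.replace(" ", "")
    if not spec:
        return None
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port specification: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def in_range(addr, start, end):
    """True if addr lies inside the inclusive IPv4 range start..end."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(start) <= a <= ipaddress.ip_address(end)


@dataclass
class FilterException:
    """Hypothetical model of one named exception (not iPrism's data model)."""
    name: str
    action: str                       # one of PRIORITY
    src_start: str = "0.0.0.0"        # 0.0.0.0 - 255.255.255.255 means any host
    src_end: str = "255.255.255.255"
    dst_start: str = "0.0.0.0"
    dst_end: str = "255.255.255.255"
    ports: str = ""                   # "" means any port (assumption)
    protocols: tuple = ("tcp", "udp")

    def __post_init__(self):
        if self.action not in PRIORITY:
            raise ValueError(f"unknown action: {self.action!r}")
        self._ports = parse_ports(self.ports)

    def matches(self, src, dst, proto, port):
        """Does this exception apply to the given transaction?"""
        if proto not in self.protocols:
            return False
        if self._ports is not None and port not in self._ports:
            return False
        return (in_range(src, self.src_start, self.src_end)
                and in_range(dst, self.dst_start, self.dst_end))


def resolve(rules, src, dst, proto, port):
    """Return the winning action for a transaction, or None when no
    exception applies and the transaction is filtered normally."""
    actions = [r.action for r in rules if r.matches(src, dst, proto, port)]
    if not actions:
        return None
    return min(actions, key=PRIORITY.index)


# Constructed sample rule set using documentation address ranges.
RULES = [
    FilterException("BlockWeb", "Block", ports="80,443"),
    FilterException("TrustedServer", "No Filter",
                    src_start="10.0.0.0", src_end="10.0.0.255",
                    dst_start="192.0.2.10", dst_end="192.0.2.10",
                    ports="80-100"),
    FilterException("LabNoAuth", "No Authentication",
                    src_start="10.0.1.0", src_end="10.0.1.255"),
]

if __name__ == "__main__":
    for src, dst, proto, port in [
        ("10.0.0.5", "192.0.2.10", "tcp", 80),     # Block and No Filter match -> No Filter wins
        ("10.0.0.5", "198.51.100.1", "tcp", 80),   # only Block matches
        ("10.0.1.7", "198.51.100.1", "tcp", 8200), # only No Authentication matches
        ("10.0.2.9", "198.51.100.1", "udp", 53),   # nothing matches -> filtered normally
    ]:
        print(src, dst, proto, port, "->", resolve(RULES, src, dst, proto, port))
```

The first sample transaction is the conflict case the article describes: a Block rule on port 80 and a No Filter rule for the same host pair both match, and No Filter wins because it sits first in the priority list.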

How Do I ...

How do I NOT filter GoToMyPC on port 8200?

How do I NOT filter a workstation on my Network?

How do I NOT filter traffic going to a specific server?

How do I NOT filter traffic between Users and DMZ?

How do I NOT filter an ePrism mail filtering appliance?

iPrism Filtering Table

This table identifies what protocols are filtered (green & red), the mode of operation (bridge/proxy), and the port number being 'scanned' by iPrism, which can be fixed or dynamic depending on protocol/mode. Brief comments identify a related attribute or requirement of the Protocol/Mode pair.

Protocol | Install Mode | Port or Feature    | Comment
-------- | ------------ | ------------------ | -------------------------------------------------------
HTTP     | Proxy        | 80                 | Port 80 directed by web clients or Policy Based Routing.
HTTP     | Bridge       | Any port           | Kernel-level packet analysis
HTTPS    | Both         | 443 & 563          | Supports secure web connection to iPrism
IM/P2P   | Bridge       | Any port           | Filter list URL analysis
IM only  | Proxy        | Any port           | IM clients must proxy to iPrism
UDP      | Bridge       | 'Filter Exception' | Admin identifies port number(s)
TCP      | Bridge       | 'Filter Exception' | Admin identifies port number(s)