
KB015: Configure Authentication Server Bypass

Last Updated: July 22, 2025

Applies To: HySecure Gateway 7.1 Service Pack 1 and above

Category: Authentication & Identity Enhancements

Overview

This guide explains how to configure authentication server bypass functionality that allows routing authentication requests from specified authentication servers to lower priority authentication servers based on endpoint WAN IP addresses. This feature provides flexible authentication routing for different network segments and enhanced control over authentication workflows in multi-server environments.

Prerequisites

  • HySecure Gateway 7.1 Service Pack 1 or higher.

  • Security Officer or Administrator access to HySecure management console.

  • Multiple authentication servers configured in authentication domain.

Authentication Domain Prerequisites

Multi-Server Configuration Required:

  • Authentication domain must have multiple authentication servers configured.

  • Higher priority authentication server (to be bypassed).

  • Lower priority authentication server (bypass target).

  • Proper server priority ordering established.

Bypass Availability:

  • Bypass Authentication Server option only appears when lower priority servers exist.

  • At least two authentication servers required in domain.

  • Server priority determines bypass routing.

Network Configuration

WAN IP Address Planning:

  • Identify endpoint WAN IP addresses for bypass.

  • Plan IP address ranges and subnets for bypass.

  • Consider dynamic IP address environments.

Step 1: Verify Authentication Domain Configuration

  1. Access Authentication Domain Settings

    • Login to HySecure management console as Security Officer/Administrator.

    • Navigate to Settings > Authentication > Authentication Domain.

  2. Verify Multi-Server Setup

    • Select authentication domain to modify.

    • Confirm multiple authentication servers are configured.

    • Note server priority order (Priority 1, Priority 2, etc.).

    • Ensure lower priority servers exist for bypass routing.

Step 2: Configure Bypass Authentication Server

  1. Edit Authentication Domain

    • Click Edit on desired authentication domain.

    • Navigate to Authentication Server section.

  2. Enable Bypass Configuration

    • Locate "Bypass Authentication Server" option.

    Note

    Option only available with multiple servers configured.

  3. Configure Bypass IP Addresses

    • WAN IP Address: Enter specific IP address for bypass.

    • IP Address Range: Configure specific range for bypass (e.g., 192.168.1.1-192.168.1.215).

    • Subnet Configuration: Enter subnet specifications for bypass using CIDR notation (e.g., 192.168.1.0/24).

    • Combination Patterns: Use a combination of specific IP addresses, ranges and subnets for complex routing.

Step 3: Apply and Test Configuration

  1. Save Configuration

    • Click Submit to apply bypass settings.

    • Verify configuration is saved successfully.

    • Check authentication domain summary shows bypass rules.

  2. Test Bypass Functionality

    • Test authentication from bypass IP addresses.

    • Verify routing to lower priority authentication server.

    • Confirm authentication from non-bypass IPs uses higher priority server.

IP Address Configuration Formats

Supported Configuration Types

Individual IP Address:

  • Format: 192.168.1.100

  • Use Case: Specific device or endpoint bypass.

IP Address Range (CIDR):

  • Format: 192.168.1.0/24

  • Use Case: Entire subnet bypass.

Multiple IP Addresses:

  • Format: 172.28.1.100, 172.24.1.221, 172.23.5.176

  • Use Case: Specific devices in different subnets.

Mixed Configuration:

  • Format: 192.168.1.100, 10.0.0.1-10.0.0.235, 172.16.0.0/12

  • Use Case: Complex network topology with multiple requirements.

Network Planning Considerations

Static vs. Dynamic IP Environments:

  • Static IPs: Direct IP address configuration.

  • Dynamic IPs: Subnet/range configuration preferred.

  • DHCP Environments: Plan for IP address changes.

  • Network Segmentation: Align with existing network design.

[Diagram: Authentication Flow (With Bypass)]

[Diagram: Authentication Flow (Without Bypass)]

Monitoring Bypass Activity

Log Information Includes:

  • Authentication bypass events with source IP.

  • Server routing decisions (bypassed vs. normal).

  • Authentication success/failure from bypass servers.

  • IP address matching results.

Accessing Bypass Logs:

  1. Navigate to Reports > Logs > Activity Logs.

  2. Filter logs using the search keyword "authentication skipped".

  3. Review server routing decisions.

  4. Monitor authentication patterns by IP address.

Diagnostic Steps

Verify User's WAN IP Address:

  1. Check user's WAN IP address using online tools.

  2. Compare with configured bypass IP ranges.
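The comparison in step 2 can be scripted. The following Python is an added example, not Accops code: it parses a bypass list in the mixed format shown under IP Address Configuration Formats, reports which entry (if any) covers a given WAN IP, and counts how many addresses each entry covers. It assumes IPv4 only, inclusive range endpoints, and that a CIDR entry matches every address in the block; the function names are hypothetical.

```python
import ipaddress

# Mixed-format sample copied from the "Mixed Configuration" entry on this page.
SAMPLE = "192.168.1.100, 10.0.0.1-10.0.0.235, 172.16.0.0/12"

def parse_bypass_list(spec):
    """Turn a comma-separated bypass list into (first, last, entry) spans."""
    spans = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:    # range, e.g. 10.0.0.1-10.0.0.235 (assumed inclusive)
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {entry}")
        elif "/" in entry:  # subnet in CIDR notation; strict rejects host bits
            net = ipaddress.IPv4Network(entry, strict=True)
            lo, hi = net[0], net[-1]
        else:               # individual address
            lo = hi = ipaddress.IPv4Address(entry)
        spans.append((int(lo), int(hi), entry))
    return spans

def matching_entry(spans, wan_ip):
    """Return the entry that covers wan_ip, or None if no bypass rule applies."""
    ip = int(ipaddress.IPv4Address(wan_ip))
    for lo, hi, entry in spans:
        if lo <= ip <= hi:
            return entry
    return None

def coverage(spans):
    """Number of addresses each entry covers, for reviewing how broad it is."""
    return {entry: hi - lo + 1 for lo, hi, entry in spans}

if __name__ == "__main__":
    spans = parse_bypass_list(SAMPLE)
    for ip in ("10.0.0.235", "10.0.0.236", "172.31.255.255"):  # constructed test IPs
        print(ip, "->", matching_entry(spans, ip) or "no bypass")
    for entry, count in coverage(spans).items():
        print(f"{entry}: {count} addresses")
```

A result of `None` means the request stays on the higher priority server. The per-entry counts give the review tasks under Monitoring and Maintenance a concrete figure for how much address space each rule routes to the lower priority server.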

Testing Procedures:

  • Test bypass functionality after configuration changes.

  • Verify authentication from bypass and non-bypass networks.

  • Monitor authentication logs for expected behavior.

Monitoring and Maintenance

Regular Review Tasks:

  • Review bypass configuration relevance.

  • Validate IP address ranges remain accurate.

  • Monitor authentication patterns and irregularities.

Notes

  • Bypass functionality requires multiple authentication servers in domain.
  • Security assessment recommended for all bypass configurations.

Contact Support: support@accops.com for bypass configuration assistance.