KB016: Configure Additional Authentication Bypass

Last Updated: July 22, 2025

Applies To: HySecure Gateway 7.1 Service Pack 1 and above

Category: Authentication & Identity Enhancements

Overview

This guide explains how to configure authentication bypass for Additional Authentication Servers based on endpoint WAN IP addresses through the HySecure management console. This enhancement brings previously backend-only configuration capabilities to the administrative interface, providing simplified management of authentication exceptions for specified endpoints.

Prerequisites

HySecure Gateway 7.1 Service Pack 1 or higher.
Security Officer or Administrator access to HySecure management console.
Authentication domain with Additional Authentication Servers configured.
Knowledge of additional authentication server configuration.

Feature Overview

Additional Authentication Server Bypass

Purpose:

Bypass all Additional Authentication Servers for specified IP addresses.
Allow certain network locations to skip additional authentication requirements.
Provide simplified authentication for trusted network segments.

Scope:

Only applies to Additional Authentication Servers.
Primary authentication servers remain unaffected.
Network-based bypass using WAN IP address detection.

Previous vs. Current Configuration

Before HySecure 7.1 SP1:

Backend configuration file modifications required.
SSH access to HySecure gateway needed.
Limited administrative accessibility.

HySecure 7.1 SP1 and Above:

Management console GUI configuration.
Real-time configuration changes.
No backend access required.
Standard administrative workflow.

Step 1: Access Authentication Domain Configuration

Login to HySecure Management Console
- Login as Security Officer or Administrator.
- Navigate to Settings > Authentication > Authentication Domain.
Select Authentication Domain
- Choose authentication domain with Additional Authentication Servers.
- Click Edit to modify domain configuration.

Step 2: Configure Additional Authentication Bypass

Locate Additional Authentication Section
- Scroll to Additional Authentication section in domain configuration.
- Find Additional Authentication Server configuration.
Enable Bypass Configuration
- Select checkbox Bypass All Additional Authentication Servers.
- This option enables WAN IP-based bypass configuration.
Configure Bypass IP Addresses
- WAN IP Address Field: Enter IP addresses, ranges, or subnets for bypass.
- Supported Formats:
  - Individual IP: 192.168.1.100
  - IP Range: 192.168.1.0 – 192.168.1.121
  - Subnet (CIDR): 10.0.0.0/16
  - Multiple entries: Separated with commas

Step 3: Apply and Validate Configuration

Save Configuration
- Click Submit to apply bypass settings.
- Verify configuration is saved successfully.
Test Bypass Functionality
Test authentication from bypass IP addresses.
- Verify additional authentication is skipped.
- Confirm authentication from non-bypass WAN IP addresses requires additional authentication.

Network Planning Considerations

IP Address Planning:

Document all bypass IP addresses and ranges.
Plan for dynamic IP address environments.

Network Security Alignment:

Ensure bypass networks are appropriately secured.
Regular validation of network trust boundaries.

Authentication Flow with Additional Authentication Bypass

Authentication Flow (Without Bypass)

User provides primary credentials (username/password) and additional authentication.
Primary and additional authentication server validates user authentication.
Primary and Additional authentication server processes request.
Both primary and additional authentication must succeed for successful login.

Authentication Flow (With WAN IP Address based Bypass)

Primary Authentication
1. User launches client/HyLite portal.
2. WAN IP address checked against bypass configuration.
3. Primary authentication server validates credentials
Bypass Decision
- If WAN IP matches bypass configuration:
  - Additional authentication servers bypassed.
  - User granted access after primary authentication only.
- If WAN IP doesn't match bypass configuration:
  - Normal additional authentication flow continues.

Monitoring Bypass Activity

Log Information Includes:

Additional authentication bypass events.
WAN IP address matching results.
Authentication server routing decisions.
User authentication patterns by network location.

Accessing Bypass Logs:

Navigate to Reports > Logs > Activity Logs.
Search log using keyword additional authentication bypassed.
Review bypass decisions and IP matching.
Monitor authentication patterns by WAN IP Addresses.

Diagnostic Steps

Verify User's WAN IP Address:

Use online IP detection tools.
Check user's external IP address.
Compare with configured bypass ranges.
Account for NAT/proxy IP address translation.

Configuration Verification:

Review authentication domain configuration.
Verify Additional Authentication Server configuration.
Check bypass checkbox status.
Validate IP address configuration syntax.

Configuration Management

Change Management:

Follow organizational change management procedures.
Test bypass functionality after network changes.
Coordinate with network security teams.
Maintain audit trail of configuration changes.

Regular Review Tasks

Security Review:

Regular assessment of bypass necessity.
Validation of trusted network security.
Review of authentication security posture.
Analysis of authentication patterns and anomalies.

Configuration Maintenance:

Verify IP address ranges remain accurate.
Update bypass configuration for network changes.
Monitor bypass usage patterns.
Remove obsolete bypass configurations.

Notes

Configuration now available through management console GUI.
Requires Additional Authentication Servers in authentication domain.
All Additional Authentication Servers bypassed for matching WAN IP addresses.
Regular security review recommended for bypass configurations.

Contact Support: support@accops.com for bypass configuration assistance.