Exempt From Authentication

Captive Portal or SAML authentication methods, which are redirection-based methods, display a separate window for users to enter their credentials to continue. Some network issues might prevent the client systems from displaying these windows.

  • The source device (for example, a legacy server) is not compatible with redirection-based authentication.
  • A web application API call is not compatible with redirection-based authentication.

To mitigate this, add destinations and sources that you want exempted from authorization challenges.

Exemptable Sources Exemptable Destinations
IP addresses/Subnets Domains/URLs
Locations IP addresses/Subnets
Unified Agents Web Applications
Mobile Devices Categories

Tip: Symantec maintains a list of exempted sources and destinations, which are included in policies on assets in the datacenters.
KB Article

About Clients That Are Not Forms-Based

The Web Security Service has an option to exempt Unified Agent and mobile clients. Currently there is no use case to do this as these clients do not rely on redirection or forms-based authentication.

  • Unified Agent—The credentials are supplied at system logon. If Captive Portal is enabled, Unified Agent still prompts for credentials before web requests are allowed.
  • Mobile clients—The credentials are obtained from the installed certificate.

These options are here alternate authentication methods that might be supported in future Web Security Service versions.


  1. In the Web Security Service portal, select Service mode > Authentication > Authenticati Policy.
  2. Expand the Global Exemptions area.
  3. Click Add Auth Exemption. The portal displays the Auth: New Exemption Rule.
  4. Click Add Sources.

    • All already configured entries or lists populate any selection. For example, if you clickLocations, you can select from any location that currently sends traffic to Web Security Service account.
    • Unified Agents and Mobile Devices are static objects; selecting them means the exemption applies to all connections from each of those access methods.
  5. (Optional) If you need to quickly exempt a source, you can create a new entry from this wizard. For example, you need to immediately exempt a new IP address.

    1. Click IPs/Subnets.
    2. Select New > IP/Subnet.
    3. Enter a new address (or import a list from a text file).
    4. Click Save.
  6. Click Add Destinations.

    Select the destination elements that are exempt from authentication and click Save.

  7. Click Add Rule. This creates a new Auth Exemption policy rule.

  8. You can add additional rule. When satisfied, click Activate.
  9. Verify with your employees that their clients are no longer prompted for credentials because of the new policy.