Supported decryption and proxy bypass settings

Because of the way single sign-on works, some bypass settings are either not supported, or may function differently for local and roaming users. Affected features are:

  • Authentication decryption bypass (accessed via the Web > Bypass Settings > SSL tab). This setting is used to disable authentication decryption for certain categories across all policies.
  • Authentication bypass by user agent or destination (accessed via the Web > Bypass Settings > Authentication Bypass tab). This setting completely bypasses authentication for specified user agents or hostnames across all policies.
  • SSL decryption bypass (accessed via Web > Policies > [policy name] > Web Categories > SSL Decryption Bypass). This setting is used to disable SSL decryption for specified hostnames within each policy.
    Note: Non-proxied destinations are supported for both local and roaming users with SSO. Non-proxied domains are set globally on the Web > Bypass Settings > Proxy Bypass tab, or per policy under Web > Policies > [policy name] > Connections > Proxy Bypass. Non-proxied domains bypass the proxy service entirely.

Behavior differences when these features are used alongside single sign-on are detailed in the following table.

| Feature | Supported for local users? | Supported for roaming users? |
|---|---|---|
| Authentication decryption bypass | Supported. Authentication is not performed: users can browse anonymously for policy enforcement and reporting purposes. | Not supported. All HTTPS requests for roaming users are decrypted for authentication purposes in order to identify the user. Since the bypass setting can only be applied when the user’s account has been identified, this setting is not applicable; roaming users will be authenticated. |
| Authentication bypass by user agent or hostname | Supported. Authentication is bypassed for specified user agents or hostnames. Users can browse anonymously for policy enforcement and reporting purposes. | Not supported. All HTTPS requests for roaming users are decrypted for authentication purposes in order to identify the user. Since the bypass setting can only be applied when the user’s account has been identified, this setting is not applicable; roaming users will be authenticated. |
| SSL decryption bypass | Not supported. If SSL decryption is bypassed for a hostname, SSO cannot be used. Users see the manual authentication welcome page. | Not supported. If SSL decryption is bypassed for a hostname, SSO cannot be used. Users see the manual authentication welcome page. |