Bypassing for Internal Servers

This option allows clients to access specific internal servers directly. You might choose this setup if you want to let users access internal web pages without routing requests through the appliance. When based on the Explicit Deployment, this option does the following:

  • Inspects HTTP, HTTPS, and FTP over HTTP traffic.
  • Supports individual user opt-outs.
  • Requires configuration for all clients.
  • If the web appliance fails, all clients must be reconfigured, although clients can be configured to bypass the web appliance should it fail.


  • Users’ HTTP, HTTPS, and FTP requests are examined by the PAC script or similar configuration and forwarded to the appropriate server: the web appliance or another server.
  • When requests are forwarded to the web appliance, it assesses the URLs, blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through the firewall to retrieve them from the internet.
    Note: Port 80, port 443, and port 21 requests from users are blocked at the firewall; URLs are only accepted by the firewall if they are from the web appliance.
  • The web appliance receives any new pages or files and caches them; it passes the pages or files of allowed requests back to the users.
  • The users receive only safe and allowed pages and files or a notification page.


  1. Connect your organization’s LAN to the web appliance’s LAN port.
  2. Configure each client either with a PAC file (the more flexible method) or by distributing the configuration to users via Active Directory Group Policy (the easier method).
    Note: When using .pac files with Internet Explorer, we highly recommend disabling automatic proxy caching. Specific instructions can be found in this Microsoft Support article:
  3. In the web appliance’s administrative web interface, on the Configuration > Network > Network Interface page, set the Deployment mode to Explicit proxy.
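
A PAC file for the routing described above, sending internal servers direct and everything else to the web appliance. This is an added example, not part of the original documentation: the host names, domain suffixes, appliance address and port, and the `FAIL_OPEN` switch are constructed placeholders.

```javascript
// Added example PAC file; every name and address below is a constructed placeholder.
// ES5 syntax only (var, no arrow functions) so older PAC engines can parse it.
var APPLIANCE = "PROXY webappliance.example.internal:8080";     // assumed address and port
var INTERNAL_SUFFIXES = [".example.internal", ".corp.example"]; // assumed internal zones
var INTERNAL_HOSTS = ["intranet", "wiki"];                      // assumed short names
var FAIL_OPEN = false; // true: clients bypass the appliance when it is unreachable

// True when host ends with suffix. Suffixes start with "." so the match falls
// on a label boundary and "notexample.internal" does not count as internal.
function endsWithSuffix(host, suffix) {
  var at = host.length - suffix.length;
  return at >= 0 && host.indexOf(suffix, at) === at;
}

function isInternal(host) {
  var h = host.toLowerCase(), i;
  if (h.charAt(h.length - 1) === ".") { h = h.slice(0, -1); } // "wiki.corp.example."
  for (i = 0; i < INTERNAL_HOSTS.length; i++) {
    if (h === INTERNAL_HOSTS[i]) { return true; }
  }
  for (i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWithSuffix(h, INTERNAL_SUFFIXES[i])) { return true; }
  }
  return false;
}

// Internal servers are reached directly; all other hosts go to the appliance.
// With failOpen the browser falls back to DIRECT only if the appliance is down.
function routeFor(host, failOpen) {
  if (isInternal(host)) { return "DIRECT"; }
  return failOpen ? APPLIANCE + "; DIRECT" : APPLIANCE;
}

// Entry point the browser calls for each request.
function FindProxyForURL(url, host) {
  return routeFor(host, FAIL_OPEN);
}
```

Because the firewall in this design blocks port 80, 443, and 21 requests that do not come from the web appliance, the `DIRECT` fallback restores internet access only if that rule is relaxed during an outage.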