Can SWG Block an HTTPS address?
| Article:TECH98131 | | | Created: 2009-01-16 | | | Updated: 2011-09-23 | | | Article URL http://www.symantec.com/docs/TECH98131 |
Problem
You want to know if SWG is able to block HTTPS sites
You configure a policy to block an HTTPS site by Domain name or IP Address but the policy does not work.
Example:
https://www.facebook.com and https://66.220.149.18 will NOT be blocked but http://www.facebook.com would be blocked if the policy is set to block www.facebook.com.
Environment
SWG 4.5.x or later handling HTTPS traffic via Inline mode (the embedded proxy available from SWG version 5.0 is not being used)
Cause
If the browser is not going through a proxy, when accessing an HTTPS website, the data (including URL) is encrypted and therefore SWG will not "see" the URL and apply the policy.
Solution
If you configure the browser to go through a proxy, the URL will not be encrypted and SWG will then be able to block HTTPS web sites.
Under certain scenarios, HTTPS websites will be blocked but the SWG blocking page will not be displayed. A browser error will be displayed instead. The type of error will depend on the browser. This is expected when an attempt to hijack* an HTTPS session occurs and therefore a limitation of the Inline Mode.
Notes:
* The redirection to the SWG blocking page uses the session hijacking method to work.
- SWG 5.0.x and later offers a proxy mode that is capable of monitoring and blocking HTTPS URLs.
|
|
Legacy ID
2009121609094654
Article URL http://www.symantec.com/docs/TECH98131
Terms of use for this information are found in Legal Notices
Thank you.