Policy configuration to inspect/block access to https sites

Created: 08 March 2013 | 9 comments
diabolicus23's picture

I've SWG in proxy mode.

I know I can configure it in order to block access to https sites too (such as https://www.twitter.com and so on). Could you tell me some hint in order to do that in the best possible way?

Thanks a lot


SMLatCST's picture

In very basic terms, it's just a matter of setting up an SSL Deep Inspection policy to allow the SWG to see SSL-encrypted traffic as well as normal traffic of lower priority, then setting up a URL filtering policy to control what is allowed and what isn't.

Do you have a specific use case in mind?

diabolicus23's picture

These are the steps I've performed:
set up SSL Deep Inspection in Administration-Configuration-Proxy;
create first (on top) policy with SSL Inspection checked and Intercept for all categories;
create second policy for URL filtering that permits all except one category.

At this moment I have 2 doubts (others will arrive soon :))

First one

If I go to an allowed https site, everything seems to be ok. I see the inspection in the report.

If I go to a blocked https site, I do not receive the blocking page but a browser error such as "unable to connect" (in Firefox).
I thought that this behaviour could be caused by a non-intercepted category, but I intercept all of them.

Second one

If SWG inspects SSL traffic, shouldn't I be warned about certificate problems? I thought SWG presents its own certificate to the client browser but this does not happen.

SMLatCST's picture

Hmmmmmm, can you confirm what port your client is connecting to the SWG on for https access?

It sounds as if the endpoint is using the default SSL Domain level inspection rather than the SSL Deep Inspection port (i.e. it's using the same port for both http and https, whereas they should be using different ports).

diabolicus23's picture

You're right (and I'm a noob :)).

The client had the same port (8080) for all protocols.

The problem is that if I put, in the client, the configured port for SSL connection (8443), when I try to go to an HTTPS site I get "The proxy is refusing connections".

SWG settings

Firefox setting

SMLatCST's picture

In that case can you confirm the SWG service is started?

You should be able to telnet it on the port specified...

diabolicus23's picture

If I telnet on port 8080 I get a black screen (connection works).

If I telnet on port 8443 I get a black screen that closes after a few seconds (but the port is opened).

Uhm.... update.

NetScan says that the port is NOT opened...

Why?
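The telnet check in the posts above only shows whether a TCP handshake completes. As an added example (not part of the original thread and not Symantec tooling), this Python probe sends the same kind of HTTP CONNECT request a browser sends to an explicitly configured SSL proxy and reports whether the port refuses, accepts and then drops, or answers. The function name, the `example.com:443` target and the default host are assumptions; ports 8080 and 8443 are the ones mentioned in the thread.

```python
import socket

def probe_proxy_port(host, port, target="example.com:443", timeout=3.0):
    """Classify a proxy listener: 'refused', 'timeout', 'no-reply',
    'closed-without-reply', or the status line returned for a CONNECT."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # nothing listening: a scanner reports this as closed
    except (socket.timeout, TimeoutError):
        return "timeout"        # filtered or unreachable
    except OSError as exc:
        return f"error: {exc}"
    with sock:
        # A blank telnet screen only proves the handshake; a CONNECT request
        # shows whether a proxy service is actually answering on the port.
        request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            data = sock.recv(4096)
        except (socket.timeout, TimeoutError):
            return "no-reply"   # port open, listener silent
        except OSError:
            return "closed-without-reply"
        if not data:
            return "closed-without-reply"
        # First line of the reply, e.g. an HTTP status line from the proxy
        return data.split(b"\r\n", 1)[0].decode("ascii", "replace")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default
    for port in (8080, 8443):   # ports mentioned in the thread
        print(port, probe_proxy_port(host, port))
```

Run it from the client machine with the proxy address as the argument, so that any host firewall between client and appliance is part of what gets tested.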

diabolicus23's picture

I've tried to change the port... I've tried to reboot the virtual appliance... no way, the SSL port is not opened.

SMLatCST's picture

What version of the SWG are you using?

It sounds like you might have to update and/or reimage it using the fileconnect resources.

Oh yeah, assuming you're using v5.1, you could enable the network monitoring to check if the SWG is seeing this traffic too.