Blocking HTTPS access for Facebook
Created: 29 Jan 2013 | Updated: 29 Apr 2013 | 7 comments
This issue has been solved. See solution.
Very much aware of this KB from Symantec:
http://www.symantec.com/business/support/index?pag...
But is it possible to block any website even if it is accessed using HTTPS and SWG is in inline mode?
As far as we know, other products seem to work on this one.
Any ideas to have a solution for this? Very appreciated if there will be just one.
Thanks.
It is not possible to selectively block https in inline or span/tap mode with the SWG; proxy mode was added to deal with https inspection.
You may be able to use your internal DNS server to redirect domains you wish to block entirely.
As per your link and the article below, it may be possible if you use an external proxy and place the SWG inline between the proxy and the endpoints:
http://www.symantec.com/docs/TECH178689
http://www.cstl.com/
Noted on your comments.
My current worry is that the secured website for Facebook is allowed to be accessed once SWG is in inline mode.
I tried before to include facebook.com within the blacklist. But nothing happened. I could still access their https site.
By the way, the setup is currently Inline + Proxy.
Hope you could help me a lot on this.
Thanks.
If you have the SWG in Inline+Proxy mode, then the most effective way you can block https access to facebook is to configure all your user endpoints to use the SWG as their proxy. If you combine this with firewall rules to restrict web traffic from the user subnets, forcing them to go via the SWG proxy for web access, you should be away.
Is there any reason why you're focussing upon the Inline traffic?
http://www.cstl.com/
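The reply above relies on endpoints using the gateway as an explicit proxy. In that mode the browser names the destination host in a cleartext `CONNECT` request before any TLS starts, so a hostname blacklist can be applied without decrypting traffic. The following is an added example, not Symantec's code and not part of the original thread; the function names and the blacklist contents are hypothetical.

```python
# Added example (not SWG code): hostname policy applied to an explicit-proxy
# CONNECT request. All names and the blacklist below are constructed.
BLOCKED_DOMAINS = {"facebook.com"}


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    if not parts[2].upper().startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    # Normalise: drop IPv6 brackets, a trailing root dot, and letter case.
    host = host.strip("[]").rstrip(".").lower()
    if not host:
        return None
    return host, int(port)


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match the host or any parent domain on a label boundary."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(request_line):
    """Status line a policy-enforcing proxy would answer with."""
    target = parse_connect(request_line)
    if target is None:
        return "400 Bad Request"
    host, _port = target
    if is_blocked(host):
        return "403 Forbidden"
    return "200 Connection Established"


if __name__ == "__main__":
    for line in (
        "CONNECT www.facebook.com:443 HTTP/1.1",   # subdomain of a blocked domain
        "CONNECT notfacebook.com:443 HTTP/1.1",    # similar name, not a subdomain
        "CONNECT example.org:443 HTTP/1.1",
    ):
        print(line, "->", decide(line))
```

Matching on label boundaries means a `facebook.com` entry also covers `www.facebook.com` without catching unrelated names that merely end in the same characters.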
As per the client's setup (which is a school), it was set as inline+proxy because they would also want to give internet access to their students who use their devices. Also, they wanted their employees to be restricted from accessing some websites. But either way, they still wanted some sites to be restricted from being accessed.
I would like to request an enhancement to the Web Gateway. As mentioned earlier, other products can block HTTPS via inline or span/tap mode.
In larger organizations, using a proxy server is complicated and cumbersome, especially when there are other products that have this feature already.
What would it take to have this added? The Web Gateway just needs to block HTTPS via a DNS lookup, it does not need to inspect the secure traffic.
Very much noted. Looks like they need to use proxy to block https.
Many thanks for the help.