
Policy configuration to inspect/block access to https sites

Created: 08 Mar 2013 | 9 comments
diabolicus23's picture

I have SWG in proxy mode.

I know I can configure it to block access to https sites too (such as https://www.twitter.com and so on). Could you give me some hints on how to do that in the best possible way?

 

Thanks a lot


SMLatCST's picture

In very basic terms, it's just a matter of setting up an SSL Deep Inspection policy to allow the SWG to see SSL encrypted traffic as well as normal traffic of lower priority, then setting up a URL filtering policy to control what is allowed and what isn't.

Do you have a specific use case in mind?

diabolicus23's picture

These are the steps I've performed:
set up SSL Deep Inspection in Administration-Configuration-Proxy;
create a first (on top) policy with SSL Inspection checked and Intercept for all categories;
create a second policy for URL filtering that permits all except one category.

At this moment I have 2 doubts (others will arrive soon :-))

First one

If I go to an allowed https site, everything seems to be ok. I see the inspection in the report.

If I go to a blocked https site, I do not receive the blocking page but a browser error such as "unable to connect" (in Firefox).
I thought that this behaviour could be caused by a non-intercepted category, but I intercept all of them.

 

Second one

If SWG inspects SSL traffic, shouldn't I be warned about certificate problems? I thought SWG presents its own certificate to the client browser but this does not happen.

SMLatCST's picture

Hmmmmmm, can you confirm what port your client is connecting to the SWG on for https access?

It sounds as if the endpoint is using the default SSL Domain level inspection rather than the SSL Deep Inspection port (i.e. it's using the same port for both http and https, whereas they should be using different ports).

diabolicus23's picture

You're right (and I'm a noob :-)).

The client had the same port (8080) for all protocols.

The problem is that if I put, in the client, the configured port for SSL connection (8443), when I try to go to a HTTPS site I get "The proxy is refusing connections".

SWG settings

 

Firefox setting

SMLatCST's picture

In that case can you confirm the SWG service is started?

You should be able to telnet it on the port specified...

diabolicus23's picture

If I telnet on port 8080 I get a black screen (connection works).

If I telnet on port 8443 I get a black screen that closes after a few seconds (but the port is opened).

 

Uhm.... update.

NetScan says that the port is NOT opened...

 

Why?

diabolicus23's picture

I've tried to change the port... I've tried to reboot the virtual appliance... no way, the SSL port is not opened.

SMLatCST's picture

What version of the SWG are you using?

It sounds like you might have to update and/or reimage it using the fileconnect resources.

Oh yeah, assuming you're using v5.1, you could enable the network monitoring to check if the SWG is seeing this traffic too.

diabolicus23's picture

I'm on 5.1.0.39, freshly installed (last week).
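
A scripted version of the telnet check discussed in this thread, as an added example that is not part of any poster's reply and is not Symantec code. It sends one HTTP CONNECT request to each proxy port and separates "nothing listening" from "accepted, then closed" from an actual proxy answer. Assumptions: the listener speaks HTTP CONNECT, the proxy address is a placeholder you pass on the command line, and `example.com:443` is a constructed sample target.

```python
import socket
import sys

def classify_reply(reply):
    """Map the first line of a proxy's answer to a short verdict."""
    parts = reply.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "closed"  # accepted the TCP connection but sent no HTTP status
    code = int(parts[1])
    return "connect-ok" if 200 <= code < 300 else f"connect-denied:{code}"

def probe_proxy(host, port, target="example.com:443", timeout=5.0):
    """Send one CONNECT request and report how the listener behaves.

    Returns "refused", "timeout", "unreachable", "closed", "connect-ok"
    or "connect-denied:<status>".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"  # nothing is listening on that port
    except (socket.timeout, TimeoutError):
        return "timeout"  # no answer to the connection attempt
    except OSError:
        return "unreachable"
    reply = b""
    with sock:
        request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            while b"\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    break  # peer closed the connection
                reply += chunk
        except (socket.timeout, TimeoutError):
            return "timeout"
        except (ConnectionResetError, BrokenPipeError):
            return "closed"
    return classify_reply(reply)

if __name__ == "__main__":
    proxy = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder address
    for port in (8080, 8443):  # the two listener ports named in the thread
        print(port, probe_proxy(proxy, port))
```

A "refused" result on one port next to "connect-ok" on the other points at the listener itself rather than at the URL filtering policy.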