Endpoint Protection

Hi guys , I am facing some strange behavior , would like to have your expert opinion whether it is some known behavior or it is working  by design.  

I have a firewall policy that is blocking access to *.facebook.com and *.youtube.com . Version of SEPM and clients is 12.1.6 MP3

 

Now when users try to access these blocked sites normally ( without going through the corporate proxy) their access is blocked via SEP firewall

 

But when users access these sites by going through the corporate proxy ( having IP address of the proxy configured in the browsers) then can access these sites and firewall rules never fires.

 

Now I need to know that is this some known behavior that we cannot block access with SEP firewall when access to these URLs is made through the proxy ? 

Thanks 

SEP is not proxy aware so it cannot block the sites but will only block your proxy server instead. You're best off blocking these at at your proxy instead.

So Brian here is the thing , as you know in todays world almost every organization is using a corporate proxy in their envoirement either a transparent or explicit . Now in the case of explicit proxy where the IP address of the proxy server is defined in the users web brwosers i.e IE , Chrome or Firefox so that all the web traffic must go through the proxy servers to the internet.

Now in such envoirements we cannot use SEP Firewall to blocked some certain URLs like facebook or youtube ? There is no way to achieve this in the presense of a proxy since SEP is not proxy aware ? 

 

But the thing is since SEP is doing agent level blocking so it will be looking it at LOCAL/Remote so how come it cant do the blocking ? Regards 

SEP has never been proxy aware. As for why? You'd have to ask Symantec...I'm simply answering your initial question.

Block your sites at the proxy server. That's one role that it plays - content filtering. This the way I've always done it when a proxy server was in the environment along with SEP. What you want to do is not going to work with SEP because of the proxy server and SEP not being proxy aware.

Hi,

You can block web access to client with the help of a firewall policy from Symantec Endpoint Protection Manager 12.1 in a Proxy Environment

Reference: How to block Web access to client with the help of firewall in a Proxy Environment

http://www.symantec.com/docs/TECH188973

Click on attachment to download sample policy.

Thank you very much Chetan for your reply , much appreciated. 

But Chetan is this rule also applicable when there is a requirement to block some specific website but not the whole web access ?

 

I can see that in the Remote machine we are specifying proxy address which will block all web access , but the requirement is to block some specific sites. Can we achieve this with the policy you have specified ?

 

Thanks and Regards 

Please check these links if this is of any help.

 

https://www-secure.symantec.com/connect/forums/website-blocking-custom-ips-signatures

 

https://www-secure.symantec.com/connect/forums/how-config-intrusion-prevention-signature-custom-block-application#comment-4349161

 

https://www-secure.symantec.com/connect/forums/custom-ips-signature-website-blocking

 

https://www-secure.symantec.com/connect/forums/blocking-websites-1

 

    Managing custom intrusion prevention signatures

Thanks for the links Praveen but I believe that Brian is right in this regard that we cannot block some spcific web sites via SEP Firewall when clients are accessing them via a corporate proxy server.

Again, please see my post you oringinally marked as the solution. SEP is NOT proxy aware and will not work. The firewall policy listed above will just block your proxy server which defeats what you want to do....

See what I posted above. That firewall rule isn't going to work, it will just block your proxy which will block everything, including legit sites....

Yes Brian I understand your point. Thanks