06-12-2017 09:32 AM
We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in the URL filtering profile will not work properly without having implemented SSL decryption.
If that's correct, is a DNS proxy the way to go, as described here:
https://support.google.com/websearch/answer/186669?hl=en
Thanks
06-12-2017 03:34 PM
Couldn't one block the "search" category though, and allow google as an exception?
I agree this is not the ideal way to control this. We are not looking for ideal, at this point.
06-12-2017 03:38 PM - edited 06-12-2017 03:38 PM
Personally I wonder about the extra load imposed by SSL decryption, at least on our PA-500 devices (with memory upgrade). They are already so slow, I'd hate to see them becoming even slower, if that is possible.
06-12-2017 03:38 PM
> Couldn't one block the "search" category though, and allow google as an exception?
Probably not, because like Google the services are much more than just search. You could cover many examples, but someone logged into live.com to view their Hotmail account would likely be able to do a Bing search from inside their email. The user isn't on a search site, and they didn't make a new connection to Bing.
I'd say start with the DNS method you linked in the first post on this thread, and push for decryption as a more full solution later.
Cheers
06-12-2017 03:38 PM - edited 06-12-2017 03:40 PM
So technically SSL decryption is not required to turn on SAFE SEARCH.
That being said, if the browser returns search results (most do) inside SSL, then yes, you need a decryption policy.
Otherwise you can enable safe search directly on the PC... GPO.
Meanwhile there are some PAN alternatives.
Another thing I've done for K-12 is blacklist everything and then only whitelist approved sites.
If Google search is approved then you need to find a control for that site.
06-13-2017 02:34 PM
I've set up a DNS Proxy at one of the primary sites. I created a bunch of static entries for google.ca, *.google.ca, etc. pointing to 216.239.38.120. As interface I assigned the proxy to the LAN interface.
If I test on a Windows client, after running ipconfig /flushdns, client still gets an answer from one of our internal DNS servers (at the DC), not from the local PA proxy.
show dns-proxy statistics all confirmed that the proxy received zero requests. I think I'm missing something else. Do I need to setup a proxy rule? I thought only a DNS proxy and some static entries were needed for this to work.
06-14-2017 02:22 PM
If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.
Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.
The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.
06-14-2017 03:45 PM
Thank you, that worked. Don't know why I was expecting it to work without changing the client's DNS settings... 🙂 I'm checking if boss is happy with safe search for all, before touching our DNS servers.