Force Safe Search without SSL decryption


L3 Networker

We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in a URL filtering profile will not work properly without having implemented SSL decryption.

 

If that's correct, is a DNS proxy the way to go, as described here:

 

https://support.google.com/websearch/answer/186669?hl=en

 

 

Thanks

 

Accepted Solutions

If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.  

 

Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.

 

The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.  

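A way to verify the DNS approach from the accepted answer, as an added example that is not part of the original thread: it checks whether the resolver a machine actually uses returns the safe-search address for each search hostname. It assumes the `forcesafesearch.google.com` name from Google's SafeSearch documentation; the host list and the function names are illustrative.

```python
import socket

# Assumption: Google's documented SafeSearch hostname. The search hosts are a
# sample list; extend it with the country domains you override in DNS.
SAFE_TARGET = "forcesafesearch.google.com"
SEARCH_HOSTS = ["www.google.com", "www.google.co.uk"]


def system_resolve(host):
    """Return the IPv4 addresses the locally configured resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit(hosts, safe_target=SAFE_TARGET, resolve=system_resolve):
    """Classify each host by comparing its answers with the safe-search address.

    enforced     - every address returned belongs to the safe-search target
    not_enforced - at least one address is a normal search front end, so this
                   resolver path is not applying the override
    unresolved   - no answer for the host or for the safe-search target
    """
    safe_ips = resolve(safe_target)
    report = {}
    for host in hosts:
        ips = resolve(host)
        if not safe_ips or not ips:
            report[host] = "unresolved"
        elif ips <= safe_ips:
            report[host] = "enforced"
        else:
            report[host] = "not_enforced"
    return report


if __name__ == "__main__":
    # Run on a client, then on the internal DNS server, to see which resolver
    # path (internal DNS, firewall DNS proxy, or neither) applies the override.
    for host, status in audit(SEARCH_HOSTS).items():
        print(f"{host}: {status}")
```

A `not_enforced` result on a client that should be covered usually means the client or its upstream DNS server is not pointed at the resolver that holds the override.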

21 REPLIES

@LucaMarchiori

Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.

 

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-feature...

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/safe-search-enforcemen...

https://researchcenter.paloaltonetworks.com/2015/01/firewall-pro-tip-enforce-safe-search-without-blo...

 

I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.

 

I hope this helps.

Hi Willian,

 

I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors.   Could you please elaborate a little, when you say that in your experience DNS-Proxy route is not going to resolve this? 

 

We are not looking for a fool-proof solution at this time, more like at having something in place, rather than nothing.

Did you find users were able to circumvent this easily, or it just plain didn't work?

 

Thanks,

Luca

What are you trying to protect from in your K-12 network?

In short, we are trying to avoid kids getting inappropriate results from Google search. This was sparked from one complaint at an elementary site, even though we are blocking adult categories with URL filtering.

 

In my mind this is about enforcing a browser setting, and as such should be handled on the device side (GPO, MDM, etc). Nevertheless, I've been asked if anything could be accomplished with our PA firewall.

 

 
