We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in URL filtering profile will not work properly without having implemented SSL decryption
If that's correct, is a DNS proxy the way to go, as described here:
If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.
Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients DNS entries directly at the firewall's DNS proxy address.
The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.
Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.
I hope this helps.
I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors. Could you please elaborate a little, when you say that in your experience DNS-Proxy route is not going to resolve this?
We are not looking for a fool-proof solution at this time, more like at having something in place, rather than nothing.
Did you find user were able to circumvent this easily, or it just plain didn't work?
In short, we are trying to avoid kids getting inappropriate results from google search. This was sparked from one complaint at an elementary site, even though we are blocking adult categories with URL filtering.
In my mind this is about enforcing a browser setting, and as such should be handled on the device side (GPO, MDM, etc). Nevertheless, I've being asked if anything could be accomplished with our PA firewall.
We are already doing URL filtering for the usual inappropriate categories. Somehow this kid managed to get explicit pics on the browser, supposedly by using search function. Unfortunately this was reported as an anecdote, without any technical details. I took at face value.
If I click on the link you provided I get:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!