09-23-2016 02:16 AM
I recently implemented Google Safe Search + SSL Decryption for a small test group and it all works as expected/described.
Thanks for the excellent documentation on this!
The only odd thing I noticed is that I seem to have lost the Google Dynamic Search option.
The Google Dynamic Search is when Google automatically starts suggesting what you might be looking for.
I have been trying to figure out why this is happening.
I have implemented the block page script provided by PaloAlto to automatically enable Safe Search instead of blocking the page.
https://www.paloaltonetworks.com/documentation/scripts/transparent-safe-search.html
The block page script makes sure the Safe Search is transparent for the user.
This works. You briefly see the block page and in a split second, you are redirected to the "filtered" search results.
The odd thing is, that safe search does not seem to be turned on at all. Just for the specific search itself.
When I manually turn on Safe Search, the dynamic search functionality is restored.
Is there anything I can do to enable dynamic search without having to inform the users that they manually have to enable "safesearch" in Google's settings page?
Thanks for any thoughts you might have.
Remko
12-30-2016 05:09 AM
I have the same issue.
The workaround I came up with is to use Google's SafeSearch Virtual IP address (VIP).
This script will bulk insert these records into a Windows DNS server.
I also added some zones for YouTube for Strict Restricted YouTube access and for Bing SafeSearch.
```powershell
##################################################################################
#
# Script name: SafeSearchDNS.ps1
#
##################################################################################

param ([string]$Server, [switch]$remove, [switch]$help)

$global:DNSZones = $null

function createZone ([string]$Zone, [string]$DName) {
    if ($global:DNSZones.ZoneName -notcontains $Zone) {
        write-host "Create DNS Zone $Zone"
        Add-DnsServerPrimaryZone -ComputerName $Server -Name $Zone -ReplicationScope "Domain"
        Add-DnsServerResourceRecord -ComputerName $Server -Name "." -ZoneName $Zone -DName -DomainNameAlias $DName
    }
}

function removeZone ([string]$Zone) {
    if ($global:DNSZones.ZoneName -contains $Zone) {
        write-host "Remove DNS Zone $Zone"
        Remove-DnsServerZone -ComputerName $Server $Zone -force -confirm:$false
    }
}

if (($Server) -AND (-Not $remove)) {
    $global:DNSZones = @(Get-DnsServerZone -ComputerName $Server)
    createZone "www.bing.com" "strict.bing.com"
    createZone "www.youtube.com" "restrict.youtube.com"
    createZone "m.youtube.com" "restrict.youtube.com"
    createZone "youtubei.googleapis.com" "restrict.youtube.com"
    createZone "youtube.googleapis.com" "restrict.youtube.com"
    createZone "www.youtube-nocookie.com" "restrict.youtube.com"
    createZone "www.google.com" "forcesafesearch.google.com"
    createZone "www.google.ad" "forcesafesearch.google.com"
    createZone "www.google.ae" "forcesafesearch.google.com"
    createZone "www.google.com.af" "forcesafesearch.google.com"
    createZone "www.google.com.ag" "forcesafesearch.google.com"
    createZone "www.google.com.ai" "forcesafesearch.google.com"
    createZone "www.google.al" "forcesafesearch.google.com"
    createZone "www.google.am" "forcesafesearch.google.com"
    createZone "www.google.co.ao" "forcesafesearch.google.com"
    createZone "www.google.com.ar" "forcesafesearch.google.com"
    createZone "www.google.as" "forcesafesearch.google.com"
    createZone "www.google.at" "forcesafesearch.google.com"
    createZone "www.google.com.au" "forcesafesearch.google.com"
    createZone "www.google.az" "forcesafesearch.google.com"
    createZone "www.google.ba" "forcesafesearch.google.com"
    createZone "www.google.com.bd" "forcesafesearch.google.com"
    createZone "www.google.be" "forcesafesearch.google.com"
    createZone "www.google.bf" "forcesafesearch.google.com"
    createZone "www.google.bg" "forcesafesearch.google.com"
    createZone "www.google.com.bh" "forcesafesearch.google.com"
    createZone "www.google.bi" "forcesafesearch.google.com"
    createZone "www.google.bj" "forcesafesearch.google.com"
    createZone "www.google.com.bn" "forcesafesearch.google.com"
    createZone "www.google.com.bo" "forcesafesearch.google.com"
    createZone "www.google.com.br" "forcesafesearch.google.com"
    createZone "www.google.bs" "forcesafesearch.google.com"
    createZone "www.google.bt" "forcesafesearch.google.com"
    createZone "www.google.co.bw" "forcesafesearch.google.com"
    createZone "www.google.by" "forcesafesearch.google.com"
    createZone "www.google.com.bz" "forcesafesearch.google.com"
    createZone "www.google.ca" "forcesafesearch.google.com"
    createZone "www.google.cd" "forcesafesearch.google.com"
    createZone "www.google.cf" "forcesafesearch.google.com"
    createZone "www.google.cg" "forcesafesearch.google.com"
    createZone "www.google.ch" "forcesafesearch.google.com"
    createZone "www.google.ci" "forcesafesearch.google.com"
    createZone "www.google.co.ck" "forcesafesearch.google.com"
    createZone "www.google.cl" "forcesafesearch.google.com"
    createZone "www.google.cm" "forcesafesearch.google.com"
    createZone "www.google.cn" "forcesafesearch.google.com"
    createZone "www.google.com.co" "forcesafesearch.google.com"
    createZone "www.google.co.cr" "forcesafesearch.google.com"
    createZone "www.google.com.cu" "forcesafesearch.google.com"
    createZone "www.google.cv" "forcesafesearch.google.com"
    createZone "www.google.com.cy" "forcesafesearch.google.com"
    createZone "www.google.cz" "forcesafesearch.google.com"
    createZone "www.google.de" "forcesafesearch.google.com"
    createZone "www.google.dj" "forcesafesearch.google.com"
    createZone "www.google.dk" "forcesafesearch.google.com"
    createZone "www.google.dm" "forcesafesearch.google.com"
    createZone "www.google.com.do" "forcesafesearch.google.com"
    createZone "www.google.dz" "forcesafesearch.google.com"
    createZone "www.google.com.ec" "forcesafesearch.google.com"
    createZone "www.google.ee" "forcesafesearch.google.com"
    createZone "www.google.com.eg" "forcesafesearch.google.com"
    createZone "www.google.es" "forcesafesearch.google.com"
    createZone "www.google.com.et" "forcesafesearch.google.com"
    createZone "www.google.fi" "forcesafesearch.google.com"
    createZone "www.google.com.fj" "forcesafesearch.google.com"
    createZone "www.google.fm" "forcesafesearch.google.com"
    createZone "www.google.fr" "forcesafesearch.google.com"
    createZone "www.google.ga" "forcesafesearch.google.com"
    createZone "www.google.ge" "forcesafesearch.google.com"
    createZone "www.google.gg" "forcesafesearch.google.com"
    createZone "www.google.com.gh" "forcesafesearch.google.com"
    createZone "www.google.com.gi" "forcesafesearch.google.com"
    createZone "www.google.gl" "forcesafesearch.google.com"
    createZone "www.google.gm" "forcesafesearch.google.com"
    createZone "www.google.gp" "forcesafesearch.google.com"
    createZone "www.google.gr" "forcesafesearch.google.com"
    createZone "www.google.com.gt" "forcesafesearch.google.com"
    createZone "www.google.gy" "forcesafesearch.google.com"
    createZone "www.google.com.hk" "forcesafesearch.google.com"
    createZone "www.google.hn" "forcesafesearch.google.com"
    createZone "www.google.hr" "forcesafesearch.google.com"
    createZone "www.google.ht" "forcesafesearch.google.com"
    createZone "www.google.hu" "forcesafesearch.google.com"
    createZone "www.google.co.id" "forcesafesearch.google.com"
    createZone "www.google.ie" "forcesafesearch.google.com"
    createZone "www.google.co.il" "forcesafesearch.google.com"
    createZone "www.google.im" "forcesafesearch.google.com"
    createZone "www.google.co.in" "forcesafesearch.google.com"
    createZone "www.google.iq" "forcesafesearch.google.com"
    createZone "www.google.is" "forcesafesearch.google.com"
    createZone "www.google.it" "forcesafesearch.google.com"
    createZone "www.google.je" "forcesafesearch.google.com"
    createZone "www.google.com.jm" "forcesafesearch.google.com"
    createZone "www.google.jo" "forcesafesearch.google.com"
    createZone "www.google.co.jp" "forcesafesearch.google.com"
    createZone "www.google.co.ke" "forcesafesearch.google.com"
    createZone "www.google.com.kh" "forcesafesearch.google.com"
    createZone "www.google.ki" "forcesafesearch.google.com"
    createZone "www.google.kg" "forcesafesearch.google.com"
    createZone "www.google.co.kr" "forcesafesearch.google.com"
    createZone "www.google.com.kw" "forcesafesearch.google.com"
    createZone "www.google.kz" "forcesafesearch.google.com"
    createZone "www.google.la" "forcesafesearch.google.com"
    createZone "www.google.com.lb" "forcesafesearch.google.com"
    createZone "www.google.li" "forcesafesearch.google.com"
    createZone "www.google.lk" "forcesafesearch.google.com"
    createZone "www.google.co.ls" "forcesafesearch.google.com"
    createZone "www.google.lt" "forcesafesearch.google.com"
    createZone "www.google.lu" "forcesafesearch.google.com"
    createZone "www.google.lv" "forcesafesearch.google.com"
    createZone "www.google.com.ly" "forcesafesearch.google.com"
    createZone "www.google.co.ma" "forcesafesearch.google.com"
    createZone "www.google.md" "forcesafesearch.google.com"
    createZone "www.google.me" "forcesafesearch.google.com"
    createZone "www.google.mg" "forcesafesearch.google.com"
    createZone "www.google.mk" "forcesafesearch.google.com"
    createZone "www.google.ml" "forcesafesearch.google.com"
    createZone "www.google.com.mm" "forcesafesearch.google.com"
    createZone "www.google.mn" "forcesafesearch.google.com"
    createZone "www.google.ms" "forcesafesearch.google.com"
    createZone "www.google.com.mt" "forcesafesearch.google.com"
    createZone "www.google.mu" "forcesafesearch.google.com"
    createZone "www.google.mv" "forcesafesearch.google.com"
    createZone "www.google.mw" "forcesafesearch.google.com"
    createZone "www.google.com.mx" "forcesafesearch.google.com"
    createZone "www.google.com.my" "forcesafesearch.google.com"
    createZone "www.google.co.mz" "forcesafesearch.google.com"
    createZone "www.google.com.na" "forcesafesearch.google.com"
    createZone "www.google.com.nf" "forcesafesearch.google.com"
    createZone "www.google.com.ng" "forcesafesearch.google.com"
    createZone "www.google.com.ni" "forcesafesearch.google.com"
    createZone "www.google.ne" "forcesafesearch.google.com"
    createZone "www.google.nl" "forcesafesearch.google.com"
    createZone "www.google.no" "forcesafesearch.google.com"
    createZone "www.google.com.np" "forcesafesearch.google.com"
    createZone "www.google.nr" "forcesafesearch.google.com"
    createZone "www.google.nu" "forcesafesearch.google.com"
    createZone "www.google.co.nz" "forcesafesearch.google.com"
    createZone "www.google.com.om" "forcesafesearch.google.com"
    createZone "www.google.com.pa" "forcesafesearch.google.com"
    createZone "www.google.com.pe" "forcesafesearch.google.com"
    createZone "www.google.com.pg" "forcesafesearch.google.com"
    createZone "www.google.com.ph" "forcesafesearch.google.com"
    createZone "www.google.com.pk" "forcesafesearch.google.com"
    createZone "www.google.pl" "forcesafesearch.google.com"
    createZone "www.google.pn" "forcesafesearch.google.com"
    createZone "www.google.com.pr" "forcesafesearch.google.com"
    createZone "www.google.ps" "forcesafesearch.google.com"
    createZone "www.google.pt" "forcesafesearch.google.com"
    createZone "www.google.com.py" "forcesafesearch.google.com"
    createZone "www.google.com.qa" "forcesafesearch.google.com"
    createZone "www.google.ro" "forcesafesearch.google.com"
    createZone "www.google.ru" "forcesafesearch.google.com"
    createZone "www.google.rw" "forcesafesearch.google.com"
    createZone "www.google.com.sa" "forcesafesearch.google.com"
    createZone "www.google.com.sb" "forcesafesearch.google.com"
    createZone "www.google.sc" "forcesafesearch.google.com"
    createZone "www.google.se" "forcesafesearch.google.com"
    createZone "www.google.com.sg" "forcesafesearch.google.com"
    createZone "www.google.sh" "forcesafesearch.google.com"
    createZone "www.google.si" "forcesafesearch.google.com"
    createZone "www.google.sk" "forcesafesearch.google.com"
    createZone "www.google.com.sl" "forcesafesearch.google.com"
    createZone "www.google.sn" "forcesafesearch.google.com"
    createZone "www.google.so" "forcesafesearch.google.com"
    createZone "www.google.sm" "forcesafesearch.google.com"
    createZone "www.google.sr" "forcesafesearch.google.com"
    createZone "www.google.st" "forcesafesearch.google.com"
    createZone "www.google.com.sv" "forcesafesearch.google.com"
    createZone "www.google.td" "forcesafesearch.google.com"
    createZone "www.google.tg" "forcesafesearch.google.com"
    createZone "www.google.co.th" "forcesafesearch.google.com"
    createZone "www.google.com.tj" "forcesafesearch.google.com"
    createZone "www.google.tk" "forcesafesearch.google.com"
    createZone "www.google.tl" "forcesafesearch.google.com"
    createZone "www.google.tm" "forcesafesearch.google.com"
    createZone "www.google.tn" "forcesafesearch.google.com"
    createZone "www.google.to" "forcesafesearch.google.com"
    createZone "www.google.com.tr" "forcesafesearch.google.com"
    createZone "www.google.tt" "forcesafesearch.google.com"
    createZone "www.google.com.tw" "forcesafesearch.google.com"
    createZone "www.google.co.tz" "forcesafesearch.google.com"
    createZone "www.google.com.ua" "forcesafesearch.google.com"
    createZone "www.google.co.ug" "forcesafesearch.google.com"
    createZone "www.google.co.uk" "forcesafesearch.google.com"
    createZone "www.google.com.uy" "forcesafesearch.google.com"
    createZone "www.google.co.uz" "forcesafesearch.google.com"
    createZone "www.google.com.vc" "forcesafesearch.google.com"
    createZone "www.google.co.ve" "forcesafesearch.google.com"
    createZone "www.google.vg" "forcesafesearch.google.com"
    createZone "www.google.co.vi" "forcesafesearch.google.com"
    createZone "www.google.com.vn" "forcesafesearch.google.com"
    createZone "www.google.vu" "forcesafesearch.google.com"
    createZone "www.google.ws" "forcesafesearch.google.com"
    createZone "www.google.rs" "forcesafesearch.google.com"
    createZone "www.google.co.za" "forcesafesearch.google.com"
    createZone "www.google.co.zm" "forcesafesearch.google.com"
    createZone "www.google.co.zw" "forcesafesearch.google.com"
    createZone "www.google.cat" "forcesafesearch.google.com"
}

if (($Server) -AND ($remove)) {
    $global:DNSZones = @(Get-DnsServerZone -ComputerName $Server)
    removeZone "www.bing.com"
    removeZone "www.youtube.com"
    removeZone "m.youtube.com"
    removeZone "youtubei.googleapis.com"
    removeZone "youtube.googleapis.com"
    removeZone "www.youtube-nocookie.com"
    removeZone "www.google.com"
    removeZone "www.google.ad"
    removeZone "www.google.ae"
    removeZone "www.google.com.af"
    removeZone "www.google.com.ag"
    removeZone "www.google.com.ai"
    removeZone "www.google.al"
    removeZone "www.google.am"
    removeZone "www.google.co.ao"
    removeZone "www.google.com.ar"
    removeZone "www.google.as"
    removeZone "www.google.at"
    removeZone "www.google.com.au"
    removeZone "www.google.az"
    removeZone "www.google.ba"
    removeZone "www.google.com.bd"
    removeZone "www.google.be"
    removeZone "www.google.bf"
    removeZone "www.google.bg"
    removeZone "www.google.com.bh"
    removeZone "www.google.bi"
    removeZone "www.google.bj"
    removeZone "www.google.com.bn"
    removeZone "www.google.com.bo"
    removeZone "www.google.com.br"
    removeZone "www.google.bs"
    removeZone "www.google.bt"
    removeZone "www.google.co.bw"
    removeZone "www.google.by"
    removeZone "www.google.com.bz"
    removeZone "www.google.ca"
    removeZone "www.google.cd"
    removeZone "www.google.cf"
    removeZone "www.google.cg"
    removeZone "www.google.ch"
    removeZone "www.google.ci"
    removeZone "www.google.co.ck"
    removeZone "www.google.cl"
    removeZone "www.google.cm"
    removeZone "www.google.cn"
    removeZone "www.google.com.co"
    removeZone "www.google.co.cr"
    removeZone "www.google.com.cu"
    removeZone "www.google.cv"
    removeZone "www.google.com.cy"
    removeZone "www.google.cz"
    removeZone "www.google.de"
    removeZone "www.google.dj"
    removeZone "www.google.dk"
    removeZone "www.google.dm"
    removeZone "www.google.com.do"
    removeZone "www.google.dz"
    removeZone "www.google.com.ec"
    removeZone "www.google.ee"
    removeZone "www.google.com.eg"
    removeZone "www.google.es"
    removeZone "www.google.com.et"
    removeZone "www.google.fi"
    removeZone "www.google.com.fj"
    removeZone "www.google.fm"
    removeZone "www.google.fr"
    removeZone "www.google.ga"
    removeZone "www.google.ge"
    removeZone "www.google.gg"
    removeZone "www.google.com.gh"
    removeZone "www.google.com.gi"
    removeZone "www.google.gl"
    removeZone "www.google.gm"
    removeZone "www.google.gp"
    removeZone "www.google.gr"
    removeZone "www.google.com.gt"
    removeZone "www.google.gy"
    removeZone "www.google.com.hk"
    removeZone "www.google.hn"
    removeZone "www.google.hr"
    removeZone "www.google.ht"
    removeZone "www.google.hu"
    removeZone "www.google.co.id"
    removeZone "www.google.ie"
    removeZone "www.google.co.il"
    removeZone "www.google.im"
    removeZone "www.google.co.in"
    removeZone "www.google.iq"
    removeZone "www.google.is"
    removeZone "www.google.it"
    removeZone "www.google.je"
    removeZone "www.google.com.jm"
    removeZone "www.google.jo"
    removeZone "www.google.co.jp"
    removeZone "www.google.co.ke"
    removeZone "www.google.com.kh"
    removeZone "www.google.ki"
    removeZone "www.google.kg"
    removeZone "www.google.co.kr"
    removeZone "www.google.com.kw"
    removeZone "www.google.kz"
    removeZone "www.google.la"
    removeZone "www.google.com.lb"
    removeZone "www.google.li"
    removeZone "www.google.lk"
    removeZone "www.google.co.ls"
    removeZone "www.google.lt"
    removeZone "www.google.lu"
    removeZone "www.google.lv"
    removeZone "www.google.com.ly"
    removeZone "www.google.co.ma"
    removeZone "www.google.md"
    removeZone "www.google.me"
    removeZone "www.google.mg"
    removeZone "www.google.mk"
    removeZone "www.google.ml"
    removeZone "www.google.com.mm"
    removeZone "www.google.mn"
    removeZone "www.google.ms"
    removeZone "www.google.com.mt"
    removeZone "www.google.mu"
    removeZone "www.google.mv"
    removeZone "www.google.mw"
    removeZone "www.google.com.mx"
    removeZone "www.google.com.my"
    removeZone "www.google.co.mz"
    removeZone "www.google.com.na"
    removeZone "www.google.com.nf"
    removeZone "www.google.com.ng"
    removeZone "www.google.com.ni"
    removeZone "www.google.ne"
    removeZone "www.google.nl"
    removeZone "www.google.no"
    removeZone "www.google.com.np"
    removeZone "www.google.nr"
    removeZone "www.google.nu"
    removeZone "www.google.co.nz"
    removeZone "www.google.com.om"
    removeZone "www.google.com.pa"
    removeZone "www.google.com.pe"
    removeZone "www.google.com.pg"
    removeZone "www.google.com.ph"
    removeZone "www.google.com.pk"
    removeZone "www.google.pl"
    removeZone "www.google.pn"
    removeZone "www.google.com.pr"
    removeZone "www.google.ps"
    removeZone "www.google.pt"
    removeZone "www.google.com.py"
    removeZone "www.google.com.qa"
    removeZone "www.google.ro"
    removeZone "www.google.ru"
    removeZone "www.google.rw"
    removeZone "www.google.com.sa"
    removeZone "www.google.com.sb"
    removeZone "www.google.sc"
    removeZone "www.google.se"
    removeZone "www.google.com.sg"
    removeZone "www.google.sh"
    removeZone "www.google.si"
    removeZone "www.google.sk"
    removeZone "www.google.com.sl"
    removeZone "www.google.sn"
    removeZone "www.google.so"
    removeZone "www.google.sm"
    removeZone "www.google.sr"
    removeZone "www.google.st"
    removeZone "www.google.com.sv"
    removeZone "www.google.td"
    removeZone "www.google.tg"
    removeZone "www.google.co.th"
    removeZone "www.google.com.tj"
    removeZone "www.google.tk"
    removeZone "www.google.tl"
    removeZone "www.google.tm"
    removeZone "www.google.tn"
    removeZone "www.google.to"
    removeZone "www.google.com.tr"
    removeZone "www.google.tt"
    removeZone "www.google.com.tw"
    removeZone "www.google.co.tz"
    removeZone "www.google.com.ua"
    removeZone "www.google.co.ug"
    removeZone "www.google.co.uk"
    removeZone "www.google.com.uy"
    removeZone "www.google.co.uz"
    removeZone "www.google.com.vc"
    removeZone "www.google.co.ve"
    removeZone "www.google.vg"
    removeZone "www.google.co.vi"
    removeZone "www.google.com.vn"
    removeZone "www.google.vu"
    removeZone "www.google.ws"
    removeZone "www.google.rs"
    removeZone "www.google.co.za"
    removeZone "www.google.co.zm"
    removeZone "www.google.co.zw"
    removeZone "www.google.cat"
}

if (($help) -OR ((-Not $help) -AND (-Not $remove) -AND (-Not $Server))) {
@"

NAME: SafeSearchDNS.ps1

Creates DNS zones to force SafeSearch for Google, Youtube and Bing.
Should be run on a 2012 server, with the DNS RSAT installed.

PARAMETERS:
-Server    DNS Server to create the zones (Required)
-remove    Removes the created zones by this script (Optional)
-help      Prints the HelpFile (Optional)

SYNTAX:
./SafeSearchDNS.ps1 -Server DNSServerFQDN
This will generate a bunch of DNS zones with some DNames

./SafeSearchDNS.ps1 -Server DNSServerFQDN -remove
This will remove the DNS zones generated by this script

"@
}
```
As a bonus: you could redirect all other search engines to Google. To do this, create a URL filter to block all pages within the "search-engines" category, add Google to the allow list, and create a custom response page for "URL Filtering and Category Match Block Page", which redirects the user to Google.
```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<script>
function checkSearchEngine() {
    var cat = "<category/>";
    switch(cat) {
        case 'search-engines':
            window.location.replace('http://www.google.com');
            break;
    }
}
</script>
</head>
<body onload="checkSearchEngine()">
<!-- Your custom code for all other categories -->
</body>
</html>
```
I still think it’s a pity that the transparent safe search enforcement breaks down the google dynamic search. The “Allow List” in the URL filtering profile seems to be ignored when the page is blocked by the “Safe Search Enforcement” checkbox.
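One way to verify the DNS workaround from the post above (an added example, not part of the original post or of SafeSearchDNS.ps1): it asks the DNS server for each overridden name and for its SafeSearch target, and flags names whose answers differ. The host list is a subset of the script's createZone calls; the sample addresses used when -Server is omitted are constructed, and the check assumes the server can resolve the target names itself.

```powershell
# Added example: check that the override zones answer with the same
# addresses as their SafeSearch targets.
param ([string]$Server)   # DNS server holding the override zones; omit for the offline demo

# Host -> target pairs copied from the createZone calls (subset).
$Overrides = [ordered]@{
    'www.google.com'   = 'forcesafesearch.google.com'
    'www.google.co.uk' = 'forcesafesearch.google.com'
    'www.youtube.com'  = 'restrict.youtube.com'
    'm.youtube.com'    = 'restrict.youtube.com'
    'www.bing.com'     = 'strict.bing.com'
}

# Constructed sample answers (RFC 5737 documentation addresses), used only
# when no -Server is given so the comparison logic can be run offline.
$Sample = @{
    'forcesafesearch.google.com' = @('192.0.2.10')
    'restrict.youtube.com'       = @('192.0.2.20')
    'strict.bing.com'            = @('192.0.2.30')
    'www.google.com'             = @('192.0.2.10')    # override in place
    'www.google.co.uk'           = @('198.51.100.7')  # override missing
    'www.youtube.com'            = @('192.0.2.20')
    'm.youtube.com'              = @()                # no answer at all
    'www.bing.com'               = @('192.0.2.30')
}

# Return the IPv4 addresses the server (or the sample table) gives for a name.
function Get-Address ([string]$Name) {
    if (-not $Server) { return @($Sample[$Name]) }
    $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
    return @($records | Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })
}

# Compare each overridden name with its target and report one row per name.
function Test-SafeSearchOverride ([System.Collections.IDictionary]$Map) {
    foreach ($name in $Map.Keys) {
        $target = $Map[$name]
        try {
            $want  = @(Get-Address $target)
            $got   = @(Get-Address $name)
            # Addresses returned for the name that the target does not have.
            $stray = @($got | Where-Object { $want -notcontains $_ })
            if     ($got.Count -eq 0)   { $status = 'NoAnswer' }
            elseif ($want.Count -eq 0)  { $status = 'TargetUnresolved' }
            elseif ($stray.Count -gt 0) { $status = 'NotEnforced' }
            else                        { $status = 'Enforced' }
        } catch {
            $got = @()
            $status = "LookupFailed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            HostName = $name
            Target   = $target
            Answer   = $got -join ', '
            Status   = $status
        }
    }
}

$results = @(Test-SafeSearchOverride $Overrides)
$results | Format-Table -AutoSize
# Non-zero exit code when any name is not pinned to its SafeSearch target.
if ($results | Where-Object { $_.Status -ne 'Enforced' }) { exit 1 }
```

Running it again after `SafeSearchDNS.ps1 -remove` should report the same names as `NotEnforced`, which confirms the rollback.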
12-30-2016 05:35 AM
Wow, thanks Sjoerd... I will give this a try in our lab environment. This tip is very much appreciated!
12-30-2016 06:48 AM
I just ran the script in my lab environment.
The script creates all the Google DNS zones without problems. Also the removal of the zones works as expected.
Did you encounter any other issues implementing this? Did you see any Google services being affected?
12-30-2016 07:02 AM
To be honest: I just implemented this in my own test environment. Haven’t found any issues myself. I will implement this next week, but most users are still on holiday at that moment.
If I hear about any issues, I’ll let you know!
01-02-2017 01:32 AM - edited 01-02-2017 01:33 AM
Best Wishes for 2017!!
The odd thing is that it worked flawlessly in my lab environment.
As it is still pretty quiet in the office, I decided to try it in production as well.
For some reason, I was not able to reach any Google services afterwards.
The difference between the lab environment and production is that my computer is in the test group for SSL decryption, and the machine in the lab environment did not have SSL decryption turned on.
I am still trying to figure out what happened.
Will do some more testing on this.
01-02-2017 02:29 AM
OK, I can confirm I have the same problem in my testing environment. After disabling SSL Decryption some Google services got broken.
I disabled the redirect to google page to force the users to Google, after which it started working again (but of course users are able to use other search engines at this point).
I’ll try to look into this.
01-02-2017 02:33 AM
I think I found the culprit.
In the Palo Alto, the safe-search option was turned on. After turning this off, and implementing the DNS redirects, it seems to be working.
Many thanks 🙂