Good Day Guys and Gals
I need ideas on the following issue please! I have a block on all Social networking sites for the company. The Policy works great when the user tries to access http://plus.google.com, but when they use SSL (https://plus.google.com) the user gains full access to the site. Same goes for all other Social networking sites! How do we stop them on SSL?
Thanx in advance!
The problem with URL filtering and HTTPS traffic is that with HTTPS you cannot actually see the GET message which URL filtering normally looks at because it is encrypted. So URL filtering can only apply to the URL in the certificate. If that certificate does not have "plus.google.com" then URL filtering will not work on that. It seems https://plus.google.com certificate was issued to "*.google.com". You can see a server certificate in IE by going to File > Properties and then click on Certificates button.
Likely the only way you will be able to reliably identify social media sites would be to use SSL proxy decryption as others have suggested.
You define for which zones and ipaddresses and/or users along with categories you wish to enable ssl decryption for.
In you case perhaps something like:
categories: (select all categories, dont know if "any" exists yet).
This way as soon as a ssl handshake is seen the PA will intercept depending on if you set this up as ssl-proxy (common when intercepting outgoing clients) or ssl inspection (common when intercepting incoming clients towards one of your servers which you have the private key for).
Previously there have been issues with 2000-series when there were to many concurrent ssl decryptions (because at 2000-series and below the mgmtplane is involved into creating the faked cert on the fly). I dont know if this has been fixed yet (I think it is).
Also note in order to make this transparent for the clients you need to import the CA cert (well the public part of what you imported into your PA device) as a trusted CA in your clients (can be done through group policy). Also you can use a second cert (and not import this one in your clients) which PA can use for ssl sessions that couldnt be verified (for example if the cert from the server at internet is expired, revoked or such).
Usually, Google services are fully compatible with SSL decryption.
If you want to activate it only for Google, create SSL Decryption rules only for the following ranges:
I found that if you define an application in the rules that also does URL filtering it needs to decrypt the packet to decipher the application. One way is to use http and https ports.
For example your rule to block a website might look like:
profile: URL filtering
service: service-http, service-https
profile: URL filtering
Just was one thing I came across that sounds close. The other option is of course adding certificates.
Sounds odd... when you use url filter without decryption then the url filter can only look at the CN part of the certs passing through. This will also mean that the identified application will most likely just be "ssl" (and "web-browsing" for the cleartext stuff).
If you enable decryption then the real appid (lets say youtube or whatever) will be identified and the full url will be logged (and handled by the filters) aswell.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!