How to ban https using WWW Proxy's interception?

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

How to ban https using WWW Proxy's interception?

Postby ahkow » Feb 20 12 8:28 pm

Hi, I am trying WinGate 7 and using WinGate's NAT to access internet. I want to ban certain secure websites (https), but when I intercept port 443 in WWW Proxy Server, all secure websites cannot be accessed.

What should I do? I don't want to force all clients to access internet through proxy. That would mean lots of configurations and programs that does not support proxy won't work.

Thanks.
ahkow
 
Posts: 33
Joined: Jun 13 07 2:27 pm

Re: How to ban https using WWW Proxy's interception?

Postby adrien » Feb 20 12 9:04 pm

Hi

firstly, we actually do recommend you configure clients to use the proxy. There are several ways this can be done without having to go to each client.

You can't intercept port 443 to the HTTP proxy, since the client expects to negotiate TLS/SSL straight away as soon as the connection is made. You could create a new web proxy on port 443 with SSL in the binding policy and intercept port 443 with that, but you'll get certificate warnings on the clients for every site.

So the only real workable solution if you want server name for https surfing is if the clients use a proxy.

Ways to automate:

1. Active Directory Group Policy. You can use AD group policy to force clients to use the proxy.
2. Proxy auto-detect. IE has this on by default. It uses:

WPAD DHCP option (option 252). You can add option 252 (string) in WinGate > Monitoring > DHCP > Definitions.
in WinGate DHCP server, add an option for WPAD under global options value of http://wingate/wpad.dat

If you're using another DHCP server, you can add the option in there instead. Basically the client just needs to resolve to WinGate's IP and make a request for /wpad.dat. WinGate will auto-create this file and serve it back.

Adrien
adrien
Qbik Staff
 
Posts: 4737
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to ban https using WWW Proxy's interception?

Postby ahkow » Feb 20 12 10:40 pm

Thanks, I have configured the Active Directory.

1) Just want to confirm, is this the AD policy you meant?
User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> Connection -> Proxy Settings
If that's so, this only works for programs that only uses IE proxy settings.

2) How to force the client to configure proxy for programs that does not use IE's proxy settings?
I notice that there is a "Web: Force proxy" policy. The "Info" box shows that there should be a rejection message asking client to configure proxy. So I set ForceProxy to true and tried using Firefox, but it can still access internet without setting any proxy. What other things that I need to configure?
ahkow
 
Posts: 33
Joined: Jun 13 07 2:27 pm

Re: How to ban https using WWW Proxy's interception?

Postby adrien » Feb 20 12 10:49 pm

Hi

you would need to also enable the policy that implements this forced proxy. It's the sample web request policy.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 4737
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How to ban https using WWW Proxy's interception?

Postby ahkow » Feb 21 12 3:05 pm

Thanks.

Should I ban all ports in Extended Networking to force everything to go through proxy?

I need to create a WWW Proxy Server to intercept SSL, so that user can see the "Proxy required" page. But I can't tick the "Use SSL" checkbox in the "Dynamic Binding Policy" dialog, is it available only in Enterprise?
ahkow
 
Posts: 33
Joined: Jun 13 07 2:27 pm

Re: How to ban https using WWW Proxy's interception?

Postby adrien » Feb 21 12 3:23 pm

Hi

yes, SSL bindings in proxies is an enterprise feature.
adrien
Qbik Staff
 
Posts: 4737
Joined: Sep 03 03 2:54 pm
Location: Auckland


Return to WinGate

Who is online

Users browsing this forum: Google [Bot] and 1 guest