Hi,
I have read it is a "not easy to solve" issue of blocking facebook and other social networking sites, that redirect their standard http site to a https (port 443) site. I have tried using patterns and URL's in Wingate, but it seems that SSL sites are not intercepted by the web proxy service. I even tried intercepting port 443, but with no success. I know some people just ban the service provider´s networks, but I believe that it's not a practical solution moreover if you want to allow access during certain times of the day. So my question is: Are there other easy to administer methods that could allow blocking those websites based on a schedule ?
Thanks
BLOCKING FACEBOOK VIA HTTPS
Moderator: Qbik Staff
2 posts
• Page 1 of 1
BLOCKING FACEBOOK VIA HTTPS
by agubaira » Oct 22 13 3:19 am
- agubaira
- Posts: 7
- Joined: Oct 19 13 10:16 am
Re: BLOCKING FACEBOOK VIA HTTPS
by adrien » Oct 22 13 10:50 am
Hi
if you need to block https with the web proxy, then you need to have the computers configured to use the proxy. Intercepting port 443 to the proxy doesn't work for blocking or authentication.
There's not really any way around this sorry. If the client is not configured to use a proxy, it makes a TCP connection then immediately talks SSL/TLS protocol. This cannot be intercepted / broken into without co-operation from the client (installation of signing certificate). When using a proxy, the client makes a TCP connection to the proxy, then uses HTTP to open a tunnel to the server. This can be rejected / authenticated with HTTP. After the tunnel is created, only then does the client talk SSL/TLS to the server.
Once you have configured the clients to use the proxy, then you can block by site / time of day etc.
If you're on an active directory, you can use group policy to assign a proxy.
Alternatively there is WPAD, which can be used by clients to discover a proxy. This is supported in WinGate, using DHCP and/or DNS. If you're using other DHCP or DNS services, you can still use WPAD as well.
Regards
Adrien
if you need to block https with the web proxy, then you need to have the computers configured to use the proxy. Intercepting port 443 to the proxy doesn't work for blocking or authentication.
There's not really any way around this sorry. If the client is not configured to use a proxy, it makes a TCP connection then immediately talks SSL/TLS protocol. This cannot be intercepted / broken into without co-operation from the client (installation of signing certificate). When using a proxy, the client makes a TCP connection to the proxy, then uses HTTP to open a tunnel to the server. This can be rejected / authenticated with HTTP. After the tunnel is created, only then does the client talk SSL/TLS to the server.
Once you have configured the clients to use the proxy, then you can block by site / time of day etc.
If you're on an active directory, you can use group policy to assign a proxy.
Alternatively there is WPAD, which can be used by clients to discover a proxy. This is supported in WinGate, using DHCP and/or DNS. If you're using other DHCP or DNS services, you can still use WPAD as well.
Regards
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
2 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 8 guests