Many organizations find that users run third-party applications such as Freegate or Ultrasurf to circumvent the proxy and reach Web content that should be filtered. In many cases these applications do not require installation on the user's workstation and will even run from a USB device.
Use the instructions below to stop users from bypassing the proxy in an explicit proxy deployment:
1. Network firewall
- Configure the edge firewall or routing device so that only the proxy's IP address may send traffic to the Internet on the permitted ports (80, 443, 21 and 53); outbound traffic from client subnets to the Internet should be dropped.
If the firewall or routing device does not force traffic through the proxy, users can bypass the proxy and reach the Internet directly, and none of the proxy policy below will take effect.
2. Visual policy
- Configure a rule in the Visual Policy Manager (VPM) that uses your content filter configuration to deny access to sites categorized as 'Proxy Avoidance'. Set the action of this rule to 'Force Deny' rather than 'Deny', so that a later rule cannot override the deny decision.
3. Local policy
- Most of the sites accessed by Ultrasurf and Freegate are reached by IP address rather than by DNS name, and over SSL. Legitimate HTTPS sites are almost always accessed by hostname, because the certificate the site presents is validated against the name the client connected to; HTTPS requests to a bare IP address (for example https://220.127.116.11) are rare enough in legitimate use that they can be denied without employing full HTTPS (SSL) interception on the proxy. In an explicit deployment the client's CONNECT request already carries the destination host, so the proxy can apply this check without decrypting the traffic. Before installing the rule, check your access logs for internal systems that staff legitimately reach by IP over HTTPS (management interfaces, appliances) and add allow rules for them above the deny.
The following local policy rule (installed from Configuration > Policy > Policy Files > Install Local File from: Text Editor > Install) implements this check; the rule sits in a <Proxy> layer:
<Proxy>
    http.method=CONNECT url.host.is_numeric=yes deny
Use force_deny in place of deny if a later layer might otherwise allow the request.
Implementing the three steps above prevented a test workstation from using either Ultrasurf or Freegate to reach Internet content.
If your proxy is deployed transparently, there is no CONNECT request for the proxy to inspect, so you must configure SSL interception before the proxy can see the requested host and URL; then create a rule to block the 'Proxy Avoidance' category as in step 2. The local policy rule then becomes:
<Proxy>
    url.scheme=https url.host.is_numeric=yes deny
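Before installing either numeric-host rule, it is worth knowing what it would have denied on your own network. The following Python script is an added example, not code from the original article or from the proxy vendor: it models the explicit rule (CONNECT to a numeric host) and the transparent rule (https scheme to a numeric host), runs them over a few constructed access log records, and lists denied hosts that fall in private address ranges, since those are usually internal systems that need an allow rule above the deny. The whitespace-separated field layout (client, method, scheme, host, port, status) is an assumed simplification for this example and is not the appliance's actual log format; adapt parse_log to the fields your proxy logs.

```python
"""Dry run of the numeric-host deny rules against proxy access log lines.

Added example, not the article's or the vendor's code. Models the CPL rules

    explicit:    http.method=CONNECT url.host.is_numeric=yes deny
    transparent: url.scheme=https url.host.is_numeric=yes deny

over constructed records so an administrator can see what would be denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample records. The layout (client method scheme host port
# status) is an assumed simplification, not the appliance's real log format.
SAMPLE_LOG = """\
10.1.1.23 CONNECT tcp 220.127.116.11 443 200
10.1.1.23 CONNECT tcp www.example.com 443 200
10.1.1.45 GET http 203.0.113.9 80 200
10.1.1.77 CONNECT tcp [fd00::1] 443 200
10.1.1.77 CONNECT tcp 10.20.30.40 443 200
10.1.1.88 CONNECT tcp 1e100 443 200
10.1.1.99 GET https 220.127.116.11 443 200
10.1.1.99 GET https 10.20.30.40 443 200
"""


@dataclass
class Record:
    client: str
    method: str
    scheme: str
    host: str
    port: int
    status: int


def host_is_numeric(host: str) -> bool:
    """Model of url.host.is_numeric=yes: true only for a literal IPv4/IPv6
    address. Bracketed IPv6 URL literals count; names that merely look
    numeric, such as '1e100', do not."""
    candidate = host.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return True


def parse_log(text: str) -> List[Record]:
    """Parse the constructed layout; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        client, method, scheme, host, port, status = line.split()
        records.append(Record(client, method, scheme, host, int(port), int(status)))
    return records


def explicit_rule_denies(rec: Record) -> bool:
    """http.method=CONNECT url.host.is_numeric=yes deny"""
    return rec.method == "CONNECT" and host_is_numeric(rec.host)


def transparent_rule_denies(rec: Record) -> bool:
    """url.scheme=https url.host.is_numeric=yes deny; only meaningful once SSL
    interception lets the proxy see the https scheme and host."""
    return rec.scheme == "https" and host_is_numeric(rec.host)


def dry_run(text: str, transparent: bool = False) -> Tuple[List[Record], List[Record]]:
    """Split records into (denied, allowed) under the rule for the deployment mode."""
    rule = transparent_rule_denies if transparent else explicit_rule_denies
    denied, allowed = [], []
    for rec in parse_log(text):
        (denied if rule(rec) else allowed).append(rec)
    return denied, allowed


def internal_hosts_hit(denied: List[Record]) -> List[str]:
    """Denied hosts in private ranges: likely legitimate internal systems
    reached by IP, which need an allow rule placed above the deny."""
    hits: List[str] = []
    for rec in denied:
        if ipaddress.ip_address(rec.host.strip("[]")).is_private and rec.host not in hits:
            hits.append(rec.host)
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        denied, allowed = dry_run(SAMPLE_LOG, transparent=mode)
        print(f"{'transparent' if mode else 'explicit'} rule: "
              f"{len(denied)} denied, {len(allowed)} allowed")
        for rec in denied:
            print(f"  deny  {rec.client} {rec.method} {rec.scheme} {rec.host}:{rec.port}")
        for host in internal_hosts_hit(denied):
            print(f"  exception candidate (private address): {host}")
```

Against the constructed records, the explicit rule denies the CONNECT requests to 220.127.116.11, [fd00::1] and 10.20.30.40 while leaving www.example.com and the look-alike hostname 1e100 alone; the transparent rule only fires on the https records. The two private hosts it flags are exactly the kind of internal destination you would exempt with an earlier allow rule before turning the deny on.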