Blocking Facebook Chat

Article ID: 167759

Products

ProxySG Software - SGOS

Issue/Introduction

You want to allow all Facebook functionality except for Facebook Chat.

Resolution

Because Facebook connects over port 443 (HTTPS) by default, you must first enable SSL interception and then deny Facebook Chat:
  1. Create an SSL interception rule.
  2. Create a web access rule, or use Blue Coat Intelligence Services (BCIS) instead.


Create an SSL Interception Rule (Explicit Deployment)

Use this method to limit SSL interception to Facebook traffic if you have an explicit proxy deployment (user traffic is destined for the ProxySG appliance IP address, for example, configured through explicit settings in the browser or a PAC file). 
  1. Launch the Visual Policy Manager (VPM). Select Configuration > Policy > Visual Policy Manager > Launch.
  2. Add an SSL Intercept Layer. Name the layer, for example, "SSLInterceptionFacebookExplicit".
  3. Create a new URL object in the list:
    • Right-click Destination and click Set.
    • Select New > Request URL.
    • In the Simple Match field, enter "facebook.com".
    • Click Add to add the URL to the list and click Close.
      The object you just created should be highlighted in the list; otherwise, select it. Then, click OK to add the object to the rule.
  4. Right-click Action and click Set.
  5. Select New > Enable HTTPS Interception and then name the Action, for example "HTTPsInterceptionFacebook".
  6. Select Issuer Keyring and select the SSL keyring that the appliance should use to terminate the incoming SSL connection from the client.
    In this example we will use the DEFAULT keyring. (The certificate in this keyring will be issued to the client instead of the website's original certificate. To prevent errors from displaying in the browser, install this certificate in the browser.)
  7. Click OK to close the Edit Enable HTTPS Interception object.
    The object you just created should be highlighted in the list; otherwise, select it. Then, click OK to add the object to the rule.
  8. Specify the following for the SSL Intercept Layer:
    • Source = any
    • Destination = Destination: facebook.com (contains)
    • Service = any
    • Time = any
    • Action = HTTPsInterceptionFacebookExplicit

This rule generates the following CPL: 

;; Tab: [SSLInterceptionFacebookExplicit]

url.domain="facebook.com" ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default) ; Rule 1 

Create an SSL Interception Rule (Transparent Deployment)

Use this method if you have a transparent proxy deployment (the ProxySG appliance intercepts the traffic from the client's browser going over port 443 as it travels on the path out to the network).

In this deployment, you cannot use the facebook.com URL as a method of controlling SSL interception. Because the packets are already encrypted by the client, and destined for the server's IP address (not the appliance IP address) the appliance does not know traffic on port 443 is destined for Facebook. Using IP address ranges is not suitable because they can change; thus, using the Subject Name of the certificate that the web server issues is the most accurate way to control SSL interception.

  1. Launch the Visual Policy Manager: Select Configuration > Policy > Visual Policy Manager > Launch.
  2. Add an SSL Intercept Layer. Name the layer, for example, "SSLInterceptionFacebookTransparent".
  3. Create a new Server Certificate object in the list:
    • Right-click Destination and click Set.
    • Select New > Server Certificate.
    • Select Subject and enter "facebook.com".
    • Change the value from Exact Match to Contains in the drop-down list next to this field and click Close.
    • The object you just created should be highlighted in the list; otherwise, select it. Then, click OK to add the object to the rule.
  4. Right-click Action and click Set.
  5. Select NEW > Enable HTTPS Interception and then name the Action, for example "HTTPsInterceptionFacebook".
  6. Select Issuer Keyring and select the SSL keyring that the appliance should use to terminate the incoming SSL connection from the client.
    In this example we will use the DEFAULT keyring. (The certificate in this keyring will be issued to the client instead of the website's original certificate. To prevent errors from displaying in the browser, install this certificate in the browser.)
  7. Click OK to close the Edit Enable HTTPS Interception object.
    The object you just created should be highlighted in the list; otherwise, select it. Then, click OK to add the object to the rule.
  8. Specify the following for the SSL Intercept Layer:
    • Source = any
    • Destination = Server Cert: facebook.com (Contains)
    • Service = any
    • Time = any
    • Action = HTTPsInterceptionFacebook

This rule generates the following CPL:

;; Tab: [SSLInterceptionFacebookTransparent]

server.certificate.subject.substring="facebook.com" ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default) ; Rule 1

Create a Web Access Rule

After you created the SSL interception rule, create a Web Access Layer and rule to deny access to only the URI strings that Facebook Chat uses. 

  1. Add a Web Access Layer. Name the object, for example, "BlockFacebookChat".
  2. Create new URLs in the list:
  3. Right-click Destination and click Set.
  4. Select New > Request URL > Simple Match.
    • Add the following URLs:
      • facebook.com/ajax/chat
      • facebook.com/ajax/messaging
      • facebook.com/ajax/mercury
      • facebook.com/messages
      • facebook.com/messaging
      • .*\-edge\-chat\.facebook\.com.* (NOTE: this item should be listed as a regular expression match.)
    • Click Close.
      Note: Facebook has combined chat and messaging functions.
  5. Right-click Destination and click Set. Select New > Combined Destination Object and then name the destination, such as "FacebookChatURLs".
  6. Add the URLs from step 4 to the box on the right; leave the other box empty.
  7. Specify the following for the Web Access Layer:
    • Source = any
    • Service = any
    • Time = any
    • Action = Deny
    • Track = none
  8. Click Install Policy to install the policy.

This rule generates the following CPL:

;; Description: 

define condition __CondList1FacebookChatURLs
    condition=__CondList1FacebookChatURLs_urld
    url.regex=".*\-edge\-chat\.facebook\.com.*"
end

define condition FacebookChatURLs
    condition=__CondList1FacebookChatURLs
end

define url.domain condition __CondList1FacebookChatURLs_urld
    //facebook.com/ajax/chat  
    //facebook.com/ajax/mercury  
    //facebook.com/ajax/messaging  
    //facebook.com/messages  
    //facebook.com/messaging  
end

;; Tab: [BlockFacebookChat]

condition=FacebookChatURLs Deny ; Rule 1
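To sanity-check what the BlockFacebookChat rule above will and will not deny before installing the policy, here is an added offline simulator (not ProxySG code and not part of the original article) that applies the page's two CPL conditions to constructed sample URLs. The matching semantics are an assumption: url.domain entries are taken to match the host or any subdomain of it with the listed path as a prefix, and url.regex is applied to the whole URL.

```python
"""Offline check of the BlockFacebookChat web access rule from this article.

The matching rules below are an assumption modelled on CPL behaviour
(url.domain: host suffix match plus path prefix; url.regex: regex over
the full URL). They are not the appliance's policy engine.
"""
import re
from urllib.parse import urlsplit

# Entries from the page's "define url.domain condition" block.
CHAT_DOMAIN_PATHS = [
    ("facebook.com", "/ajax/chat"),
    ("facebook.com", "/ajax/mercury"),
    ("facebook.com", "/ajax/messaging"),
    ("facebook.com", "/messages"),
    ("facebook.com", "/messaging"),
]
# The page's url.regex entry for the long-poll chat edge hosts.
CHAT_REGEX = re.compile(r".*\-edge\-chat\.facebook\.com.*")


def domain_path_match(url, domain, path_prefix):
    """Assumed url.domain semantics: host is the domain or a subdomain of it,
    and the request path starts with the listed path prefix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_ok = host == domain or host.endswith("." + domain)
    return host_ok and parts.path.startswith(path_prefix)


def evaluate(url):
    """Return 'Deny' if the BlockFacebookChat rule would fire, else 'Allow'."""
    if any(domain_path_match(url, d, p) for d, p in CHAT_DOMAIN_PATHS):
        return "Deny"
    if CHAT_REGEX.match(url):
        return "Deny"
    return "Allow"


# Constructed sample requests, not captured traffic.
SAMPLE_URLS = [
    "https://www.facebook.com/",                        # ordinary page
    "https://www.facebook.com/ajax/mercury/threadlist",  # chat backend
    "https://facebook.com/messages/t/123",              # messages UI
    "https://5-edge-chat.facebook.com/pull?channel=x",   # chat edge host
    "https://notfacebook.com/messages",                 # unrelated host
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{evaluate(u):5} {u}")
```

Because the path entries are prefixes, any future Facebook path that happens to start with /messages or /messaging would also be denied; review the deny log after installing the policy to confirm only chat traffic is affected.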


Block using BCIS instead

NOTE: This is only possible on a ProxySG running SGOS 6.6 or 6.7, and the customer must have a BCIS license rather than the BCWF license. This is an alternative to the "Create a Web Access Rule" section above, so do not apply both.

1. In the VPM, add a new rule in any Web Access Layer.

2. In the Destination column, choose New > Application Operation and give it a name, for example FACEBOOK_CHAT.

3. Under Supporting Application, type "facebook" and then tick Facebook.

4. Under Operations (filtered), tick Post Messages and Send Email.

5. Click OK, click OK again, and finally install the policy.
