https://www.youtube.com is allowed through the ProxySG though there is a policy to Deny Audio/Video Clips Category

book

Article ID: 168529

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The ProxySG is in transparent mode, port 443 is intercepted as TCP Tunnel or SSL, and a policy has been made to Deny access to Audio/Video Clips Category, but users still have access to https://www.youtube.com.

Filtering for other HTTPS sites is working as https://www.facebook.com is categorized as Social Networking and being blocked by the ProxySG.

Resolution

Intercepting SSL traffic as TCP Tunnel or SSL without having an explicit SSL Intercept Layer will not reveal the URL to which the client is going. The ProxySG only sees SSL request or TCP connect to specific IP address.

The BCWF database or any other web filter database can contain some entries for specific IP’s so these IP’s will be categorized correctly.

If these IP’s are not categorized, then the ProxySG most likely will allow this connection based on the configured policy.

For https://www.youtube.com, a policy trace may contain the following requests:

ssl://74.125.224.59:443
ssl://74.125.224.44:443
and other SSL requests to other IP’s

These IP addresses are categorized as Search Engines as these IP addresses represent also https://www.google.com, and then these servers (Google servers) will redirect the request for YouTube webpage to the YouTube server based on the URL embedded on the encrypted connection.

SSL Intercept Layer must be in place to be able to read the exact URL of YouTube and then be able to block it as an Audio/Video Clips site.