A number of internal users should be allowed to access WebSocket-based applications, yet most should be blocked.
Can define a policy that blocks access to each domain, but wanted a more generic rule to block all WebSocket-based applications.
Every policy change made allowed all users to access WebSocket applications instead of blocking them.
WSS access via WSSA and Explicit
Have Management Center for configuration and use the VPE for creating rules.
1. Make sure that SSL interception is enabled for all WebSocket sites, and
2. Modify the CPL to add force_deny to the http.websocket check, as shown below.
From the Content Policy Language reference guide, the following http.websocket check can be used to determine whether a WebSocket upgrade of an existing request is taking place.
The WebSocket protocol provides simultaneous two-way communications channels over a single TCP connection by detecting the presence of a proxy server and tunneling communications through the proxy. To upgrade an HTTP connection to a newer HTTP version or use another protocol such as WebSocket, a client sends a request with Upgrade, Connection, and other relevant headers. Previous versions of SGOS did not allow WebSocket handshakes to complete, but supported versions allow the handshake to complete successfully. Supported versions also detect WebSocket traffic and allow you to perform specific policy actions.
Layer and Transaction Notes
• Use in , , and layers.
• Applies to HTTP and HTTPS transactions.
• Conditions: client.protocol=
The following example blocks all WebSocket traffic to testsite.com.
url.domain=testsite.com http.websocket=yes DENY
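The CPL below is an added example, not text from the original article or from the vendor's reference guide; it combines the two resolution steps into one policy: an SSL-Intercept layer so that HTTPS WebSocket handshakes are visible to policy, an ALLOW for the users who need WebSocket access, and a force_deny for everyone else. The realm name corp_realm, the group WebSocketUsers and the 10.20.30.0/24 subnet are assumptions.

```cpl
; Added example (not from the original article). The realm, group and
; subnet below are placeholders to be replaced with local values.

; Step 1: intercept HTTPS so the Upgrade/Connection headers of a wss://
; handshake are visible to policy. Without interception, http.websocket=
; cannot match a WebSocket upgrade carried inside a TLS tunnel.
<SSL-Intercept>
    ssl.forward_proxy(https)

; Step 2: within a layer the first matching rule wins, so the ALLOW rules
; for permitted users are listed before the catch-all force_deny.
<Proxy>
    ; Authenticated users who may use WebSocket-based applications
    ; (assumed realm "corp_realm" and group "WebSocketUsers").
    realm=corp_realm group="WebSocketUsers" http.websocket=yes ALLOW
    ; Alternative where authentication is not in use: permit by source
    ; subnet (assumed address range for the permitted internal hosts).
    client.address=10.20.30.0/24 http.websocket=yes ALLOW
    ; Everyone else. Unlike DENY, force_deny is not overridden by an ALLOW
    ; in a later layer (such as one created in the VPE), which is why the
    ; resolution uses it in place of DENY.
    http.websocket=yes force_deny
```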