Issues with blocking on https decryption

I have enabled https decryption and enrolled in EAP in order to test blocking of subfolders.

As an organisation we have blocked https://sites.google.com due to the high number of phishing pages served there; however, there are a few sites we want to explicitly enable. Up to now this has not been possible.

I have found that if we have an allow rule for sites.google.com/example/example or whatever, and a block rule for sites.google.com, then without the EAP the whole site is blocked.

When we enable https decryption I find that it works as expected, but there are times when all of sites.google.com is allowed, instead of just the subfolder of the site.

After a bit of puzzling around this I managed to replicate when this happens:

Open the browser.

Visit sites.google.com and it will be blocked; visit the subfolder and it will be allowed (the site certificate is signed by the root Sophos cert).

Visit mail.google.com (which is excluded as webmail) - the cert is a Google one.

Go back to sites.google.com - the Google cert is used and the site is allowed.

I think this is a choice-of-cert issue.

I feel that if there is a site block in place it should be honoured whether decryption is enabled or not. I would prefer the sites.google.com site to be blocked and to have to advise users to open an incognito window to get to the subsite.

Ideally the cert issue could be fixed, but a good stop-gap would be to ensure unencrypted websites work the same as they did before, whereby a block takes precedence.
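An added example (not Sophos code and not the poster's) that models the precedence the post asks for: the rule set blocks sites.google.com and allows one subfolder, and when a request arrives on a connection the proxy did not decrypt (only the host/SNI is known, as when the browser reuses a connection carrying the origin's own certificate), the host-level block wins instead of the unverifiable path allow. The issuer strings, the rule set and the four-step repro sequence are constructed to mirror the post.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    host: str
    path_prefix: str = ""  # "" means the rule covers the whole host

# Constructed rule set mirroring the post: block the host, allow one subfolder.
RULES = [
    Rule("allow", "sites.google.com", "/example/example"),
    Rule("block", "sites.google.com"),
]
# Constructed issuer name standing in for the proxy's decryption CA.
INSPECTION_CA = "Proxy Inspection CA (constructed)"

def path_visible(cert_issuer: str) -> bool:
    """The proxy sees the URL path only if it re-signed the certificate; a cert from
    the origin's CA means the connection bypassed decryption, so only SNI/host is known."""
    return cert_issuer == INSPECTION_CA

def decide(url: str, visible: bool, rules=RULES) -> str:
    """Evaluate one request; with the path hidden, a host-level block wins (fail closed)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    confirmed = []
    for r in rules:
        if r.host != host:
            continue
        if r.path_prefix:
            if not visible:
                continue  # cannot verify a path match without decryption
            if path != r.path_prefix and not path.startswith(r.path_prefix + "/"):
                continue
        confirmed.append(r)
    if not confirmed:
        return "allow"  # no rule for this host: default policy
    # Among confirmed matches the most specific (longest prefix) wins.
    return max(confirmed, key=lambda r: len(r.path_prefix)).action

def repro_sequence() -> list:
    """The post's four steps as (url, observed issuer); returns the decisions."""
    steps = [
        ("https://sites.google.com/", INSPECTION_CA),
        ("https://sites.google.com/example/example", INSPECTION_CA),
        ("https://mail.google.com/", "Origin CA (constructed)"),  # webmail, not decrypted
        ("https://sites.google.com/", "Origin CA (constructed)"),  # reused connection
    ]
    return [decide(url, path_visible(issuer)) for url, issuer in steps]
```

The last step is the case the post describes: the origin certificate shows the proxy is not decrypting, so the evaluator returns "block" rather than letting the whole site through.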