
Web Control does not block youtube

I have Sophos Cloud and I made a rule in the Sophos policies to block YouTube access, but it does not work properly; some users have access to YouTube despite the policy.

 

  • I made the rule by adding a new "Control sites tagged in Website Management"


  • Thanks Karlos, I am sending you the screenshot for your review

     

    and in "control sites tagged in Website Management"

     

    Thanks for your answer.

  • Thank you for that.

    It looks like you have configured it correctly. You mentioned SOME users are still able to have access to youtube. Did you separate policies by users/user groups? 

    Ensure there is no overlap with users that belong to multiple policies. 

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Thanks so much for the reply. I confirm that all of the users are in the same group. For example, on my laptop I use Google Chrome with two Chrome profiles; in one profile I have access to YouTube and in the second profile I don't have access.

     

     

    Both pictures are from the same laptop and the same Windows user.

  • I can't be sure what's going on but can at least explain how it can work and what to check.

    The Sophos Endpoint Proxy, which proxies the content at the client to inspect traffic, does not crack open HTTPS.  Therefore, to classify an HTTPS site it relies on obtaining the SNI record from the handshake.  This is basically the domain trying to be accessed.  For example:



    Given this string the web intelligence service can make an SXL lookup for this domain and get back a category to pass back to the filter to make a decision for the site such as block/warn/allow.

    If you add the SNI as a column in Wireshark:


    which is:
    ssl.handshake.extensions_server_name

    You can then add a filter for traffic that contains an SNI.  E.g. ssl.handshake.extensions_server_name !=""


    If the domain you're trying to block is not in that list then I guess the address will not be obtained for the proxy to make use of.  Is this the case?

    I wonder if there is a compatibility issue with HTTP/2 (previously known as SPDY) and QUIC.  If you look at the traffic in the Developer Tools, YouTube does make use of these:


    I wonder if it works with say IE?

    Maybe QUIC is being used in one case not another for example?  You can disable QUIC to rule that out in the browser settings (chrome://flags/):

    Things to toggle anyway.

    Regards,
    Jak