This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central Endpoint Protection Web Control does not seem to work for youtube.com on Chrome

hi,

 

We have a Web Control policy in place for a device where all settings are manual and "block".

We also have youtube.com added in Website Management with a tag "youtube" that is then set to "block" on that policy.

Still we are able to browse to youtube on this device using Chrome. Using IE everything is blocked as intended. Chrome is up to date and without extensions.

Customer service said policy is configured correctly and that "client environment" is at fault.

Have anyone encountered this?

 

Regards,

JT



This thread was automatically locked due to age.
Parents Reply
  • Hi Yashraj,

     

    Thanks for looking into this . The call I had opened for this issue was closed and Chrome was established to be the culprit. Customer has since decided to use IE on this device instead.

    Still it would be interesting to find out if this could be fixed somehow. For the remote access and license - we are MSP and it does not work, at least this is what I was told on some recent calls I had opened.

     

    JT

Children
  • Hi JT,

     

    I have another call open for this issue ant the support is working for an answer. It seems there is a general Problem with blocking Google Services in Chrome. I will report if i get an answer that will explain the behaviour.

     

    regards

    Ecrook

  • Hi Ecrook,

     

    Thanks, perhaps you will get more info on it than we did.

     

     

    JT

  • Hi JT,

     

    We finally figured out what is causing the problems in our infrastructure. As simple stupid as it is after we cleaned the complete Chrome Cache and the Webprotection works as expectet.

     

    Regard´s

    Silvio

  • Hi Silvio,

     

    Was it that simple? I will keep this in mind next time we got this issue. For now we used a different browser. Thanks for the update.

     

     

    Regards,

    JT

  • Just a two cents but this does feel like it could be down to the Google QUIC protocol which is HTTPS over UDP which cannot be filtered even by UTM/XG web filters (yet) .

    When QUIC is blocked, chromium browsers will fallback to TCP and generally blocking and app control will work correctly. Clearing the cache forces Chromium browsers to connect via HTTPS then when they establish the remote server is QUIC capable they switch. So you are now blocking the initial connection which is visible to web control but if you were to turn off webcontrol, connect to youtube and do a bit of surfing on it then turn webcontrol back on i would expect the block to fail again.

    In some cases i have actually deployed an outgoing FW rule on windows via GPO to block outgoing 443 UDP to prevent Google QUIC bypassing web filters on devices not behind corp firewalls.

    May not be the cause but i have seen this behaviour before.

    Emile

  • Yes it was that simple, at least in our Infrastructur.

    I didn´t thought about the cache for a minute because i expected the Chrome Cache is working similiar like all the other browser baches.  But it seems when it comes to Google Services, Chrome has a different behaviour how to handle caching objects.

  • Hi Emile

     

    Ok that sounds like it could be the cause. I will double check that in our enviroment.

    But to be honest this an answer i expected to get from the Sophos Technican :/ . But in case of that i played call ping pong with the support for until 6 weeks. That´s a bit annyoing.

     

    Thanks for your two cent´s :)

     

    Regard´s

    Silvio

  • Hi Silvio,

    I understand your frustrations, it's the difference between on the ground knowledge and KB article/training knowledge that unless the support guys have a very diverse resolution portfolio they may not have encountered things like this.

    If you have had a negative experience with Support I would recommend sending your thoughts to your account manager, partner or partner account manager (depending whether you're a customer/partner) because they are always looking to improve support and feedback helps do this :)

    Emile

  • Yeah, i know and it wouldn´t be the first time i reached out hands to our partner manager. But this problem wasn´t that urgent that i have to escalate the case. I know about the fact was first level means and I wasn´t really dissapointed until your two cent´s XD .

    Anyways, may problem is solved and with your explanation i also have a satisfactory explanation for the behaviour :)

     

  • Ha ha, shouldn't have said anything then you wouldn't have been disappointed!

    Glad to have helped nevertheless.

    Emile