This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocking Chrome Remote Desktop

XG135

I can't believe this isn't a more common question. I could only find this post:

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/96040/what-is-the-best-practice-approach-to-blocking-chrome-remote-desktop

I go to APPLICATIONS > Application Filter. Add> Create filter. Select Individual application > Chrome Remote Desktop, select > All The Time > Deny

Go back to FIREWALL > Default Policy. Choose Application Control Drop Down, select that filter.

And it's not working. (Did this exactly to block YouTube and it works).

This thread was automatically locked due to age.

Parents

+1 Karlos over 5 years ago

Hi Tony,

Do you have 'Decrypt & scan HTTPS' checked on your Firewall policy? Since Chrome Remote Desktop is a microapp, it is detected based on this setting.

You will need to deploy the CA when HTTPS scanning is enabled: Sophos XG Firewall: SSL CA certificate installation guide

Cheers,

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Argh over 5 years ago in reply to Karlos

I did not have that on. Doing that now,

Thank you Carlos!
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Argh over 5 years ago in reply to Tony Argh

Bwahahaha! AND it's off again. My phone just exploded and a line formed outside my door as everyone suddenly started getting security related messages.

The first call was "I just got knocked off Facebook!" My first thought being "Good!" :D But then got a call about USPTO.GOV.

I didn't even have time to install the cert. So I need to install that on every PC? ewww
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Argh over 5 years ago in reply to Tony Argh

Ah, I see I can probably install the Cert through GPO into my local machines TRA, yea?
Cancel
Vote Up 0 Vote Down

Cancel
0 Karlos over 5 years ago in reply to Tony Argh

Hi Tony,

Yes, pushing it out via GPO will probably the most efficient deployment method if you have to push out to a large volume of clients.

Good luck!

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 M8ey over 5 years ago in reply to Tony Argh

We push it via GPO to all Domain PC's and use Meraki MDM for all iOS / Android

We don't allow staff on the Corporate network WiFi so if their phones get that error - sucks to be them :-)

Sophos XG 450 (SFOS 18.5.1 MR-1)

Sophos R.E.D 50 x 2

Always configuring new stuff.....
Cancel
Vote Up 0 Vote Down

Cancel
0 Tony Argh over 5 years ago in reply to M8ey

I do allow them on my Unifi (separate) network that still runs through the XG. I use Microsoft MDM.

I also let guest and vendors use our Wifi when needed.

So this may not work for me.

I do have some spare external IP's... maybe I can segment the wifi.

Thanks for the comment! Appreciated.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Tony Argh over 5 years ago in reply to M8ey

I do allow them on my Unifi (separate) network that still runs through the XG. I use Microsoft MDM.

I also let guest and vendors use our Wifi when needed.

So this may not work for me.

I do have some spare external IP's... maybe I can segment the wifi.

Thanks for the comment! Appreciated.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Arie over 5 years ago in reply to Tony Argh

Be careful when you enable HTTPS intercept - be sure to exempt Finance, Health, etc.

Otherwise you'll have Legal knocking on your door next...

Also, be sure that your company's AUP states that employees should have no expectation of privacy on the corporate network. And don't include your guest network without checking with Legal first...
Cancel
Vote Up 0 Vote Down

Cancel