This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

When will WebSocket be supported?

WebSocket.

For the love of all that is holy, WEBSOCKET.

When will this be supported? More and more real-time applications are using this. It became an IETF standard in 2011. It is used more and more by real-time applications, none of which work if HTTPS Decrypt-and-Scan is turned on, and there is little to no excuse for it.

I presume (though I do not know for sure) that the underlying proxy is Squid - and Squid DOES support proxying WebSocket connections.

Please, for all that is good and holy, fix the web filter to allow Websocket communication during HTTPS D&S without having to exempt each and every site that uses it. That is extremely insecure and not a good solution when dealing with the sheer number of WebSocket-based sites and what not out there right now.

Please?

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 7 years ago

To get attention to your issue there are two things you should do

1/. ask your reseller to provide a timeline

2/. add a feature request with the details then post back here asking for support of your feature request from other forum users.

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 ChavousCamp over 7 years ago in reply to rfcat_vk

Ahem. I AM a reseller, and it HAS been a "feature request" since nearly day one, as it was noticed as a limitation DAY ONE in V15.

Websocket is a standard. We shouldn't be having to beg for it to be added.

--

Chavous Camp

UTM, SMC, SGN Certified Engineer / XG Certified Architect
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to ChavousCamp

Sorry, was not aware that you are a reseller. Does the feature request have much support?

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 ChavousCamp over 7 years ago in reply to rfcat_vk

No - but that is likely because adoption of Decrypt and Scan is NOT very high, because it is a pain in the ass for most people to implement properly, and because when people run across the WebSocket issues, they just disable the filtering completely on that site, not realizing what websocket is...

"huh, filtering must just break this site... Ok, exclude this site, ad we're done..." Or... they're blocking those categories of sites anyway, and don't care.

That just doesn't work for larger site deployments, IMHO, like colleges, some smaller but tech-savvy companies, etc, where you want D&S, but also need to be able to allow the students or your employees to access these communication services... and it _IS_ becoming more prevalent.

WebRTC and WebSocket both.... and HTTPS D&S kill the hell out of them.

--

Chavous Camp

UTM, SMC, SGN Certified Engineer / XG Certified Architect
Cancel
Vote Up 0 Vote Down

Cancel
0 Bohdan.S over 7 years ago in reply to ChavousCamp

Just to add, it is a big issue,

Currently our process is either "Sorry it is not supported" or depending on the site we add an exclusion.

It would be great to have Websocket support.

Regards,
Bohdan
Cancel
Vote Up 0 Vote Down

Cancel
0 Tobias_F over 6 years ago in reply to Bohdan.S

Any news on this?
Meanwhile one year is gone and it looks like Sohpos WAF still is far away to support WebSockett.

Is Sophos the right product ready for the future?
Cancel
Vote Up 0 Vote Down

Cancel
0 Marceldu Preez over 6 years ago in reply to Tobias_F

Just btw... we logged a feature request for this in OCTOBER 2013: ideas.sophos.com/.../4849021-websocket-support-for-waf
Cancel
Vote Up 0 Vote Down

Cancel
0 Michel Boon over 5 years ago in reply to Marceldu Preez

Same here we use allot of esxi hosts and the sophos firewall but the newer version only work tyrough a websocket webclient witch just doenst work.

I shure hope this is getting trough as a supported feature so esxi newer versions are able to be conntect trough a websocket from outside the network at specified ips.

so they wont be set open to the whole world.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Michel Boon

XG can bypass Websockets in WAF.

Did you try to use this option?

WebSocket passthrough

If enabled, applications hosted on the defined site path are allowed to use the WebSocket protocol. WebSocket traffic will be just passed through, it will not be protected in any way.

http://docs.sophos.com/nsg/sophos-firewall/v17.1.3/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FSitePathRouteEdit.html%23

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 5 years ago in reply to Michel Boon

XG can bypass Websockets in WAF.

Did you try to use this option?

WebSocket passthrough

If enabled, applications hosted on the defined site path are allowed to use the WebSocket protocol. WebSocket traffic will be just passed through, it will not be protected in any way.

http://docs.sophos.com/nsg/sophos-firewall/v17.1.3/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FSitePathRouteEdit.html%23

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Michel Boon over 5 years ago in reply to LuCar Toni

that is just the point it needs to be protected in the way that only specified adress will have acess to the esxi hosts. and with out protection or any firewall interference that cant be setup
Cancel
Vote Up 0 Vote Down

Cancel