For the love of all that is holy, WEBSOCKET.
When will this be supported? More and more real-time applications are using this. It became an IETF standard in 2011. It is used more and more by real-time applications, none of which work if HTTPS Decrypt-and-Scan is turned on, and there is little to no excuse for it.
I presume (though I do not know for sure) that the underlying proxy is Squid - and Squid DOES support proxying WebSocket connections.
Please, for all that is good and holy, fix the web filter to allow Websocket communication during HTTPS D&S without having to exempt each and every site that uses it. That is extremely insecure and not a good solution when dealing with the sheer number of WebSocket-based sites and what not out there right now.
To get attention to your issue there are two things you should do
1/. ask your reseller to provide a timeline
2/. add a feature request with the details then post back here asking for support of your feature request from other forum users.
Xeon 1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP
XG115W - v18.5.2
Ahem. I AM a reseller, and it HAS been a "feature request" since nearly day one, as it was noticed as a limitation DAY ONE in V15.
Websocket is a standard. We shouldn't be having to beg for it to be added.
UTM, SMC, SGN Certified Engineer / XG Certified Architect
Sorry, was not aware that you are a reseller. Does the feature request have much support?
No - but that is likely because adoption of Decrypt and Scan is NOT very high, because it is a pain in the ass for most people to implement properly, and because when people run across the WebSocket issues, they just disable the filtering completely on that site, not realizing what websocket is...
"Huh, filtering must just break this site... OK, exclude this site, and we're done..." Or... they're blocking those categories of sites anyway, and don't care.
That just doesn't work for larger site deployments, IMHO, like colleges, some smaller but tech-savvy companies, etc, where you want D&S, but also need to be able to allow the students or your employees to access these communication services... and it _IS_ becoming more prevalent.
WebRTC and WebSocket both.... and HTTPS D&S kill the hell out of them.
Just to add, it is a big issue,
Currently our process is either "Sorry it is not supported" or depending on the site we add an exclusion.
It would be great to have Websocket support.
Any news on this? Meanwhile one year is gone and it looks like Sophos WAF is still far away from supporting WebSocket.
Is Sophos the right product ready for the future?
Just btw... we logged a feature request for this in OCTOBER 2013: ideas.sophos.com/.../4849021-websocket-support-for-waf
Same here, we use a lot of ESXi hosts and the Sophos firewall, but the newer versions only work through a WebSocket web client, which just doesn't work.
I sure hope this is getting through as a supported feature so newer ESXi versions are able to be connected through a WebSocket from outside the network at specified IPs,
so they won't be set open to the whole world.
XG can bypass Websockets in WAF.
Did you try to use this option?
That is just the point: it needs to be protected in such a way that only specified addresses will have access to the ESXi hosts, and without protection or any firewall interference that can't be set up.