This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Transparent Mode proxy and Filtering Options - Websites

Hi all,

Maybe this question is asked before, but I cannot find a clear answer on this.

Scenario:

Our company uses Standard Mode proxy for our Citrix Xenapp environment. Untill last year, internet was only allowed thru your Citrix environment.

Last year we decided to open up internet connection from everyone's client by using the Transparent Mode proxy, so we created a profile and added the client subnets as Allowed Networks. We set it on AD-SSO authentication and are using a Base Policy that blocks all categories and uses a specific user policy (with AD domain users) that allows some categories.

Now regularly we see some issues with this: 

1st: Often the user is not authenticated. in the Web filter logging you can see this by an empty username and ad_domain.

Logging example:

2021:01:29-10:51:24 [name of UTM] httpproxy[26192]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.10.193" dstip="" user="" group="" ad_domain="" statuscode="403"

So we decided to change that default Base Policy to open up the same categories as the users policy. That is of course not what we want, but several tries to fix it didn't help.

2nd: When the user is indeed authenticated, the website, for example a Youtube video is not opening and blocked by Surf Protection. Even when we created a Website exception in Filtering Options - Websites. (on complete url, not just youtu.be or youtube.com)

Logging example:

2021:01:29-15:50:45 [name of UTM] httpproxy[26192]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.160.100" dstip="" user="[username]" group="Active Directory Users" ad_domain="[our domainname]" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_HttCffUsersConteFilte (Users content filter action)" size="3165" request="0xc0f53500" url="">https://youtu.be/" referer="" error="" authtime="62" dnstime="0" aptptime="103" cattime="87" avscantime="0" fullreqtime="225084" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"

Indeed, this Streaming Media category is blocked in the Users content filter, as soon as I allow this it will work.

But why doesn't it see the Website exception that we created for that specific youtube video? 

When I add the website exception 'youtu.be' it does work fine, but we want to block Streaming Media sites like youtube and only open up specific video's or other specific websites, not only domains.

I hope someone can clear this up and point me to the right direction.

Many thanks!



This thread was automatically locked due to age.
  • I have written quite a bit about web filtering, which has been accepted into the recommended reads.   Two quick observations:

    1) UTM web filtering works correctly.

    2) Youtube uses https:

    If decrypt-and-scan (https inspection) is off, UTM can allow or block the connection, but it cannot filter content once the connection is made.

    HTTPS inspection has other issues, so do not flip the switch without studying the impact.

    3) You probably have fat-client applications that are incompatble with AD-SSO.

    A lot of things on your computer use HTTP or HTTPS from fat-client applications that cannot do AD-SSO authentication.   This includes all of the auto-update stuff on your computer:  AntiVirus updater, Java updater, WindowsUpdate, Adobe updater. etc,   There are probably some installed applications that use http or https as well.   Because of these concerns, I only use AD-SSO for Stnadard Mode.   In transp[arent mode, I use authentication NONE

  • Hoi Wouter and welcome to the UTM Community!

    If Doug's comments didn't help you find the solution, show us a picture of the Edit of the Exception you created that failed to be applied.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your replies  and 

    So now I changed the authentication in our Transparant Mode Proxy profile to NONE. Still the same result though.

    The HTTPs inspection was active, with category checking. Also tried it to turn it off, same result. So what is the best practise here, enable or disable https decrypt-and-scan?

    And even if the Website Filtering Options doesn't work with HTTPs and Transparent Mode proxy, why does filtering 'youtu.be' does work?

    When I add that one, it instantly allows youtu.be, but when I filter a specific video, like the screenshot, it doesn't work and gives the error

    Our Transparent Mode proxy profile:

    Please help me to understand the trans.mode proxy in combination with HTTPs, and what the best practises are here.

    Thanks again!

  • When https inspection is off, UTM only sees the host name, and can only filter on that.   The rest of the path is in the encrypted part of the packet, so it is invisible.

    To filter on the path, https inspection must be on.   Based on your symptoms, it sounds like https inspection is still off.

  • My biggest frustration with https inspection is that UTM uses an old version of OpenSSL which provides FIPS compliance but does not support the newer encryption algorithms.   As a result, some websites will refuse to connect with UTM, and you will have to configure inspection bypass for those sites.  Over time, the number of affected sites is likely to increase, while UTM development seems to have no plan to update the OpenSSL subsystem.   I used https inspection for awhile, but I have currently given up on it.

    Some websites do unusual things that also encounter problems with https inspection, and I cannot provide a general description of when or why problems will occur.   It means that you really need to do intense monitoring of your logs to find and fix the problems that https inspection creates with those sites.   That effort requires good log parsing tools, which you need to create first.   I have documented my approach to log parsing, which is based on a SQL database.  If you have a SYSLOG parsing tool like Splunk, the problem should be easier.   But in either case, you need to study the logs to understand what they are reporting..