Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 3021 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Transparent Mode proxy and Filtering Options - Websites

Wouter Goossens

Hi all,

Maybe this question is asked before, but I cannot find a clear answer on this.

Scenario:

Our company uses Standard Mode proxy for our Citrix Xenapp environment. Untill last year, internet was only allowed thru your Citrix environment.

Last year we decided to open up internet connection from everyone's client by using the Transparent Mode proxy, so we created a profile and added the client subnets as Allowed Networks. We set it on AD-SSO authentication and are using a Base Policy that blocks all categories and uses a specific user policy (with AD domain users) that allows some categories.

Now regularly we see some issues with this: 

1st: Often the user is not authenticated. in the Web filter logging you can see this by an empty username and ad_domain.

Logging example:

2021:01:29-10:51:24 [name of UTM] httpproxy[26192]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.10.193" dstip="" user="" group="" ad_domain="" statuscode="403"

So we decided to change that default Base Policy to open up the same categories as the users policy. That is of course not what we want, but several tries to fix it didn't help.

2nd: When the user is indeed authenticated, the website, for example a Youtube video is not opening and blocked by Surf Protection. Even when we created a Website exception in Filtering Options - Websites. (on complete url, not just youtu.be or youtube.com)

Logging example:

2021:01:29-15:50:45 [name of UTM] httpproxy[26192]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.160.100" dstip="" user="[username]" group="Active Directory Users" ad_domain="[our domainname]" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_HttCffUsersConteFilte (Users content filter action)" size="3165" request="0xc0f53500" url="">https://youtu.be/" referer="" error="" authtime="62" dnstime="0" aptptime="103" cattime="87" avscantime="0" fullreqtime="225084" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"

Indeed, this Streaming Media category is blocked in the Users content filter, as soon as I allow this it will work.

But why doesn't it see the Website exception that we created for that specific youtube video? 

When I add the website exception 'youtu.be' it does work fine, but we want to block Streaming Media sites like youtube and only open up specific video's or other specific websites, not only domains.

I hope someone can clear this up and point me to the right direction.

Many thanks!



This thread was automatically locked due to age.
Parents
  • 0

    I have written quite a bit about web filtering, which has been accepted into the recommended reads.   Two quick observations:

    1) UTM web filtering works correctly.

    2) Youtube uses https:

    If decrypt-and-scan (https inspection) is off, UTM can allow or block the connection, but it cannot filter content once the connection is made.

    HTTPS inspection has other issues, so do not flip the switch without studying the impact.

    3) You probably have fat-client applications that are incompatble with AD-SSO.

    A lot of things on your computer use HTTP or HTTPS from fat-client applications that cannot do AD-SSO authentication.   This includes all of the auto-update stuff on your computer:  AntiVirus updater, Java updater, WindowsUpdate, Adobe updater. etc,   There are probably some installed applications that use http or https as well.   Because of these concerns, I only use AD-SSO for Stnadard Mode.   In transp[arent mode, I use authentication NONE

Reply
  • 0

    I have written quite a bit about web filtering, which has been accepted into the recommended reads.   Two quick observations:

    1) UTM web filtering works correctly.

    2) Youtube uses https:

    If decrypt-and-scan (https inspection) is off, UTM can allow or block the connection, but it cannot filter content once the connection is made.

    HTTPS inspection has other issues, so do not flip the switch without studying the impact.

    3) You probably have fat-client applications that are incompatble with AD-SSO.

    A lot of things on your computer use HTTP or HTTPS from fat-client applications that cannot do AD-SSO authentication.   This includes all of the auto-update stuff on your computer:  AntiVirus updater, Java updater, WindowsUpdate, Adobe updater. etc,   There are probably some installed applications that use http or https as well.   Because of these concerns, I only use AD-SSO for Stnadard Mode.   In transp[arent mode, I use authentication NONE

Children
No Data
Unfiltered HTML