topic Cannot block https proxies ... in Web Security

Cannot block https proxies ...

Gawayne_ironport — Tue, 16 Dec 2008 05:32:07 GMT

For some reason

I checked the firewall to verify 443 traffic was still being sent to the WSA
The decryption policy was set to Monitor.
Changed this to Decrypt.
Verified that it is set to Block in the Access Policies.

Policy Trace seems to not work for http ... everything comes back "Transaction permitted" with no webcat listed.
For https, testing a proxy site comes back:
URL Category: Proxies & Translators
Policy Match:
... (all global, which has Proxies set to Monitor now)
Request completed
Details: PASSTHRU_ADMIN

Tailing the grep does no good ... it's only showing when I attempt https, not https, but https traffic is indeed being forwarded from the same place https is.

Any help would be appreciated.

Re: Cannot block https proxies ...

jowolfer — Wed, 17 Dec 2008 00:35:38 GMT

Gawayne,

What is the WBRS score of the site that you are attempting to access? If the WBRS score is 6+ or greater, the HTTPS action will be Pass Through.

If the score is incorrectly high, we may need to report this to IronPort in order to have the score adjusted accordingly.

Re: Cannot block https proxies ...

Gawayne_ironport — Wed, 17 Dec 2008 02:22:25 GMT

I've scoured both your site and the WSA admin panel, but can't find anything referencing where to look up this information. I see where to look up the categorisation and Webroot score, but no WBRS ...

Although ... how does allowing a blocked category make sense, no matter what the web reputation is, though?

FYI: particular site in question is: www.kproxy.com (and it's sub servers -- server1. server2. server3. etc)

Re: Cannot block https proxies ...

jowolfer — Thu, 18 Dec 2008 00:01:31 GMT

Gawayne,

You can verify the WBRS score from the access logs. Here is a sample access log line:

Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html ALLOW_WBRS-WhiteList-DefaultRouting - News -

I've checked the score and the score is -0.70

The reason the WBRS score is relevant is that if an HTTPS site has a 6.0+ score it will be "passed through" the WSA. Any traffic that is passed through is essentially allowed through the WSA, since the stream will be encrypted between the client and the web server.

This behavior can be changed via the HTTPS WBRS policies.

I recommend opening up a support ticket, as this is probably going to require some further specific troubleshooting.