How to Block webmail with WSA with splash page warning

Mark Kwan
Level 1

I have recently been tasked with blocking all Internet webmail sites. We currently use WCCP to redirect port 80 and 443 traffic to the WSA. The requirement is to block webmail access for most of our subnets, except for subnets that were created for GUEST access. However, when the sites get blocked, the splash warning page (similar to what appears when a site gets blocked via the WSA by category) must also appear. I am having an issue doing this. While we have tried to use the block webmail option in the default URL category that ships with the WSA, it blocks but the splash page does not appear. Has anybody done this with the WSA successfully with the requirements that I described?

 

Regards


Handy Putra
Cisco Employee

Hi

Can you elaborate more regarding the splash warning that you are referring to?

At the moment you have advised that webmail has been blocked but the splash page is not appearing. What do you get when blocking webmail at the moment? Do you get the browser block page, such as "page cannot be displayed", etc.?

And you want to get the block page from the WSA appliance that advises of the blocking policy for webmail? If this is true, since most webmail sites are HTTPS sites, make sure that in your HTTPS proxy page (GUI -> Security Services -> HTTPS proxy) you have ticked the options for "Decrypt for End-User Notification" and "Decrypt for End-User Acknowledgement".

Then in your decryption policy, you can set the webmail category to 'drop' and you should be getting the block page from the WSA.

(If you did not tick the options in the HTTPS proxy page, when you set the 'drop' action in the decryption policy you will get the browser block page, such as "page cannot be displayed", etc.)

Handy, thanks for the response. Yes, the 'browser block page' is what I'm referring to. Both of those options are already checked in my WSA. Currently, when a user gets blocked from accessing a webpage, they get the block page. I just need that to also be available when a webmail site such as mail.com or gmail.com is being accessed and blocked. Right now, my results are inconsistent as to when I get the page. Sometimes it gets blocked and I get the page, and sometimes you just see the webmail connection not being made, but no block page appears.

I also have an order-of-access logic problem. I use the private subnet of 10.0.0.0/8 internally. I carve it up into a bunch of /24s and assign them as necessary. So I have some subnets that are 'normal' user subnets and some that are for printers, servers, guest access, etc. Some subnets have more elaborate settings, such as the server subnets, which cannot browse the Internet in general but can access certain websites to get patches and updates. Even on subnets where browsing is blocked in general, certain hosts get browsing access. I need to preserve all these access types while trying to block webmail to the guest subnets.

So do I have to create an Identity which contains all my Guest subnets and tie it to a decryption policy? Make sure it sits high enough up on the decryption policy page (so it is examined first by the WSA), then via the predefined URL category filtering area, make the adjustment to block webmail while allowing everything else? Do I need any type of access policy?

 

Thanks in advance.

Hi Mark,

The way Identities and policies work in the WSA is pretty much the same as an ACL: it will read from top to bottom until a condition is met.

It is recommended to put the more restrictive identities and policies at the top, and the conditions for a given identity or policy are matched using an 'and' condition (not an 'or' condition).

You can create the guest subnets in a separate identity and put it right at the top, so that traffic coming from those subnets will hit the first one right away, and assign policies to it.

Please note: the access policy is the policy for HTTP traffic (port 80) and the decryption policy is for HTTPS traffic (port 443). If you set the decryption policy to decrypt, the HTTPS traffic will be decrypted, will become normal HTTP traffic and will go to the access policy.

I would also recommend contacting the TAC team if you need them to review your configuration and troubleshoot in depth with the actual traffic and the actions that the appliance has taken.

Hope the above helps.

Regards

Handy
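A simplified model of the top-to-bottom, first-match evaluation described in the reply above, added here as an illustration; it is not part of the thread and is not WSA code or configuration. The identity names, the subnets and the choice of two match fields (subnet AND protocol) are assumptions. The second function flags identities that an earlier, broader entry makes unreachable.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Identity:
    name: str
    subnets: list    # CIDR strings; the client must fall inside one of them
    protocols: set   # e.g. {"http", "https"}; ANDed with the subnet test

    def matches(self, client_ip, protocol):
        ip = ipaddress.ip_address(client_ip)
        in_subnet = any(ip in ipaddress.ip_network(s) for s in self.subnets)
        return in_subnet and protocol in self.protocols

def first_match(identities, client_ip, protocol):
    """Walk the ordered list top to bottom; the first hit wins."""
    for ident in identities:
        if ident.matches(client_ip, protocol):
            return ident.name
    return None

def shadowed(identities):
    """Names of identities that can never be selected because one earlier
    entry already covers every subnet and protocol they list.
    Conservative: coverage by a union of several earlier entries is not detected."""
    hidden = []
    for i, later in enumerate(identities):
        for earlier in identities[:i]:
            nets_covered = all(
                any(ipaddress.ip_network(l).subnet_of(ipaddress.ip_network(e))
                    for e in earlier.subnets)
                for l in later.subnets)
            if nets_covered and later.protocols <= earlier.protocols:
                hidden.append(later.name)
                break
    return hidden

# Constructed sample data: subnets and identity names are made up.
BOTH = {"http", "https"}
guest = Identity("Guest", ["10.50.1.0/24", "10.50.2.0/24"], BOTH)
servers = Identity("Servers", ["10.20.0.0/24"], BOTH)
everyone = Identity("Internal", ["10.0.0.0/8"], BOTH)

good_order = [guest, servers, everyone]   # specific entries first
bad_order = [everyone, guest, servers]    # catch-all /8 on top hides the rest
```

With the catch-all 10.0.0.0/8 entry on top, a guest client is assigned the broad identity and the guest-specific policy is never consulted, which is the ordering problem the reply warns about.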

Handy, the issue seems to be a bit deeper than that. While Gmail and Yahoo are getting blocked (with the decryption policy), the block page is not coming up. From what we understand, it's because the WSA is classifying them as search engine sites and not web portals. Have you heard about this issue?

Hi Mark,

https://mail.google.com/ for Gmail should be categorised as web mail (IW_mail in the access logs if you are using the predefined categories).

Likewise, Yahoo mail (mail.yahoo.com) should be classified in the web mail category.

I would recommend opening a TAC case to analyse your logs in depth and in detail and to review the configuration.