WSA how to filter HTTPS urls without decrypting

Martin Harrow
Level 1
1 Accepted Solution

Accepted Solutions

Hi,

When you create a Decryption policy, under the Section Identities you get an option to select "Guests(users failing authentication)".

So here's what you can try:

- Create a Decryption policy for only guest users.

- Under URL filtering select the categories you want to block for the unauthenticated users like Social Networking, Streaming Audio/Video etc.

- In the default policy, you can select the traffic to "Pass through" or "Monitor" so that for the other users, the traffic is not decrypted.

Please Note: For this to work properly, the option "Decrypt for Authentication" under HTTPS proxy settings must be enabled.

Please refer to Chapter 11 "Create Decryption Policies to Control HTTPS Traffic" for more information.

Regards,

Kush

4 Replies

Poonam Garg
Level 3

In transparent mode, HTTPS Proxy must be activated for HTTPS traffic.

If you don't want particular users to access certain HTTPS sites without decryption, you can define those URLs in custom URL categories and under decryption policies:

1. Exclude that custom URL category from the global decryption policy.

2. Create a new decryption policy for those identities whose requests you want to block, and then under categories include that custom URL category. The default action you will get for this category is Monitor.

3. If you leave it as such, then it continues to evaluate the client request against other policy group control settings, such as web reputation filtering, or you can use the Drop action if you do not want to pass the connection request to the server. The appliance does not notify the user that it dropped the connection.

HTH

"Please rate useful posts"

Dear Poonam, thank you for the feedback.

Yes, HTTPS Proxy is activated, and I have loaded a cert from my Active Directory CA.

My requirement is simple:

- unauthenticated users: Block: Social_Networking and Streaming_Video. This must block HTTP and HTTPS connections to FACEBOOK and YOUTUBE

- authenticated users in AD Group=MultiMedia: Allow: Social_Networking and Streaming_Video. This must pass HTTP and HTTPS without decryption

I do not have any special Custom URLs; I want to use the WSA categories.

I have tried to create Decryption Policies and Access Policies, but it does not meet my requirement.

Can you think how to meet my requirement?

Martin

Dear Kush

Thanks for the reply. You advise to start with a new Decryption Policy for Guest users. So I have now created several Decryption Policies, for Guests, Authenticated Users, VIP Users. The Guest URL Filtering is set to DROP many Categories and to Pass Through the rest, and the VIP Policy drops only the worst categories (Porn, etc.) and Pass Through most. If I set the HTTPS Filter=Monitor, then it will decrypt.

I think it is working as I need it, but as a Guest User I can still bypass the Ironport block by entering http://www.youtube.com into Internet Explorer v8 (XPsp3). However, on the same PC with Firefox v28, https://www.youtube.com is blocked. (IE8 detects the traffic as "SRCH" traffic to 74.125.21.95:443, Firefox detects category "VID" to 74.125.196.91:443)

I'll do some more testing, then feed back to the forum again...

Martin

PS. What I don't like about the solution: I need to set up two sets of URL Category Filters: for the HTTPS proxy (under Decryption Policies) and for the HTTP proxy (under Access Policies), even though I want the same group-based filters for HTTP and HTTPS. I did not expect to have to set up two separate sets of filters.
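
Added example (not from the thread and not Cisco code): a simplified Python model of the two filter sets discussed above, checking that the HTTPS rules under Decryption Policies and the HTTP rules under Access Policies deny the same categories for each identity. The first-match evaluation, the `Policy` class, the function names and the sample tables are assumptions constructed for illustration.

```python
# Simplified model (an assumption, not the WSA's actual engine): policies are
# evaluated top-down, the first policy whose identity matches wins, and
# categories not listed in it take that policy's default action.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    identities: set                               # groups covered; {"*"} = everyone
    actions: dict = field(default_factory=dict)   # URL category -> action
    default: str = "Monitor"

def decide(policies, identity, category):
    """Return (policy name, action) for one request under first-match rules."""
    for p in policies:
        if identity in p.identities or "*" in p.identities:
            return p.name, p.actions.get(category, p.default)
    raise LookupError("no policy matched; the last policy should match '*'")

# Actions that stop the request in either table.
DENY = {"Drop", "Block"}

def find_drift(decryption, access, identities, categories):
    """List cases denied over HTTPS but not over HTTP, or the reverse."""
    drift = []
    for ident in identities:
        for cat in categories:
            https_action = decide(decryption, ident, cat)[1]
            http_action = decide(access, ident, cat)[1]
            if (https_action in DENY) != (http_action in DENY):
                drift.append((ident, cat, https_action, http_action))
    return drift

# Constructed sample tables following the requirement stated in the thread.
DECRYPTION = [
    Policy("Guests", {"guest"},
           {"Social Networking": "Drop", "Streaming Video": "Drop"}, "Pass Through"),
    Policy("Global", {"*"}, {}, "Pass Through"),
]
ACCESS = [
    # Streaming Video deliberately left out to show a mismatch.
    Policy("Guests", {"guest"}, {"Social Networking": "Block"}, "Monitor"),
    Policy("Global", {"*"}, {}, "Monitor"),
]
IDENTITIES = ["guest", "MultiMedia"]
CATEGORIES = ["Social Networking", "Streaming Video", "Search Engines"]

if __name__ == "__main__":
    for row in find_drift(DECRYPTION, ACCESS, IDENTITIES, CATEGORIES):
        print("mismatch (identity, category, HTTPS action, HTTP action):", row)
```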

 
