Using Websense : Trying to block https proxy

[cyr0n_k0r]

We are using Websense 6.x

I am trying to filter a particular site (https://proxify.us)
I have no problem filtering the non https version of the site, however websense just can't seem to block the secure version.

I have the following URL's in user-defined to try and block it.

http://proxify.us
https://proxify.us
https://66.98.131.223:443

The bottom two should block the site according to everything I've read on the matter, but employees can still get to it. (No, it's not in their cache)

 

[PHILIP1193]

in the content filter have you told it to block "proxy avoidance" web sites as that may catch it?

Phil

 

[Retronym]

wow sweet site

 

[cyr0n_k0r]

Yes, we have proxy avoidance blocked, and the http version of the above site is blocked under that category, but it's not catching the https version.

 

[OmegaAvenger]

block the ip

 

[TopGun]

http://www.cpug.org/forums/content-security-security-servers-cvp-ufp/2901-websense-https.html

That might be of some help to you.

 

[`danny]

That is quite the site, I may have to try that tomorrow and "test" out their filtering system hehe.

 

[cyr0n_k0r]

block the ip

https://66.98.131.223:443

Thought of that.

 

[Martyr]

ah websense.

set up my own proxy at home for use at school. administration bitched and moaned. was good.

 

[Haleiwa]

You will need to set up a network agent and do protocol blocking.

 

[cyr0n_k0r]

You will need to set up a network agent and do protocol blocking.

Can you elaborate?

 

[MorfiusX]

How is your network setup? What firewalls are you using? There are some technical issues with HTTPS filtering using CheckPoint.

 

[Haleiwa]

I stand corrected

If you want to include protocols other than HTTP in your custom URL, you must specify the protocol prefix.

To include an HTTPS site as a custom URL, it is best to include both the URL or IP address and the port number (443), including a forward slash after the port number, as shown here:


https://domain.com:443/
https://64.10.10.59:443/

 

[cyr0n_k0r]

I stand corrected

I tried adding the slash after both of those, and also adding the port 443 after the domain name but it's still not working.

Also, whoever got the idea we are using software from Checkpoint we are not.

 

[Burnout01]

If you had the address in the allow and deny, would the deny out rank the allow?

 

[Method]

If you had the address in the allow and deny, would the deny out rank the allow?

It depends which rule is first in the Rules administrator

 

[MorfiusX]

I tried adding the slash after both of those, and also adding the port 443 after the domain name but it's still not working.

Also, whoever got the idea we are using software from Checkpoint we are not.

Someone posted a link to CPUG.

So, how is the network setup?j

 

[Haleiwa]

Are you using a pix/asa to send traffic to the websense box? If so you will need to also send https traffic to the websense box.

 

[cyr0n_k0r]

We are using a Pix Blade in our 6500, but I'm not sure if the traffic hits that first before websense. I will check with our network admin tomorrow.

 

[Captain Colonoscopy]

you need to specify in the pix configuration to send https traffic to websense. my guess is you are only sending http from the sounds of your problem. traffic hits the pix first then sends urls to your websense server.

 

[furchtlos]

you need to specify in the pix configuration to send https traffic to websense. my guess is you are only sending http from the sounds of your problem. traffic hits the pix first then sends urls to your websense server.

Exactly... Here's a sample from my ASA:

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

Not sure if it's the same for your PIX...