
Cannot block https proxies ...

For some reason

I checked the firewall to verify 443 traffic was still being sent to the WSA.
The decryption policy was set to Monitor.
Changed this to Decrypt.
Verified that it is set to Block in the Access Policies.

Policy Trace seems to not work for http ... everything comes back "Transaction permitted" with no webcat listed.
For https, testing a proxy site comes back:
URL Category: Proxies & Translators
Policy Match:
... (all global, which has Proxies set to Monitor now)
Request completed
Details: PASSTHRU_ADMIN

Tailing the grep does no good ... it's only showing when I attempt https, not https, but https traffic is indeed being forwarded from the same place https is.

Any help would be appreciated.

3 Replies

jowolfer
Level 1

Gawayne,

What is the WBRS score of the site that you are attempting to access? If the WBRS score is 6+ or greater, the HTTPS action will be Pass Through.

If the score is incorrectly high, we may need to report this to IronPort in order to have the score adjusted accordingly.

I've scoured both your site and the WSA admin panel, but can't find anything referencing where to look up this information. I see where to look up the categorisation and Webroot score, but no WBRS ...

Although ... how does allowing a blocked category make sense, no matter what the web reputation is, though?

FYI: particular site in question is: www.kproxy.com (and its sub servers -- server1. server2. server3. etc)

jowolfer
Level 1

Gawayne,

You can verify the WBRS score from the access logs. Here is a sample access log line:

Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html ALLOW_WBRS-WhiteList-DefaultRouting - News -

I've checked the score and the score is -0.70

The reason the WBRS score is relevant is that if an HTTPS site has a 6.0+ score it will be "passed through" the WSA. Any traffic that is passed through is essentially allowed through the WSA, since the stream will be encrypted between the client and the web server.

This behavior can be changed via the HTTPS WBRS policies.

I recommend opening up a support ticket, as this is probably going to require some further specific troubleshooting.
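
Added example (not part of the thread and not Cisco code): a parser for access log lines in the shape of the sample quoted in the reply above, listing requests in a category you meant to block that were passed through instead. The field layout is inferred from that single sample line; the second log line, its host and its policy name are constructed for illustration.

```python
import re

# Layout assumed from the one sample line in the thread:
# <date> <elapsed> <client> <result>/<status> <bytes> <method> <url> <user>
# <hierarchy>/<host> <mime> <decision tag> - <category> -
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<elapsed>\d+) (?P<client>\S+) "
    r"(?P<result>[^/\s]+)/(?P<status>\d+) (?P<size>\d+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<user>\S+) (?P<peer>\S+) (?P<mime>\S+) "
    r"(?P<tag>\S+) - (?P<category>.+?) -\s*$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "ALLOW_WBRS-WhiteList-DefaultRouting" -> action ALLOW, reason WBRS
    decision, _, rec["policy"] = rec["tag"].partition("-")
    rec["action"], _, rec["reason"] = decision.partition("_")
    return rec

def passthrough_in_category(lines, categories):
    """Records that were passed through although their category is in `categories`."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "PASSTHRU" and rec["category"] in categories:
            hits.append(rec)
    return hits

# Raw strings: the user field contains a backslash.
SAMPLE_LINES = [
    # Sample line quoted in the thread.
    r"Thu Dec 11 10:42:02 2008 22 10.1.1.29 TCP_MISS/200 66187 GET "
    r"http://www.foxnews.com/ DOMAIN\user@AD DIRECT/www.foxnews.com text/html "
    r"ALLOW_WBRS-WhiteList-DefaultRouting - News -",
    # Constructed line: HTTPS request with the PASSTHRU_ADMIN result from the policy trace.
    r"Thu Dec 11 10:43:10 2008 310 10.1.1.29 TCP_MISS/200 4211 CONNECT "
    r"tunnel://proxy.example.test:443/ - DIRECT/proxy.example.test - "
    r"PASSTHRU_ADMIN-GlobalPolicy-DefaultRouting - Proxies & Translators -",
    "truncated or unrelated line",
]

if __name__ == "__main__":
    for rec in passthrough_in_category(SAMPLE_LINES, {"Proxies & Translators"}):
        print(rec["ts"], rec["client"], rec["url"], rec["action"], rec["reason"])
```

The reason part of the decision tag (`ADMIN` versus `WBRS`) shows whether a pass-through came from configured policy or from the reputation score, which is the distinction the replies above turn on.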
