2 Replies Latest reply on Mar 19, 2012 5:05 AM by smalldog

    HTTP,HTTPS tunnel tool

      Dear,

      My company uses MWG 7.0 for URL filtering. But when some users use an HTTP tunnel tool (e.g. fgate.exe, ultrasurf.exe, ...), they can access web sites which are blocked by policy.

      Please tell me a solution for blocking the tunnel tools.

      Thanks

        • 1. Re: HTTP,HTTPS tunnel tool
          michael_schneider

          Hi,

          Generally a tunnel through a proxy is indicated as a CONNECT request, see 9.9 on http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html.

          A rule in MWG for tunnels over port 80, which are VERY uncommon, can look like:

          If Command.Name equals CONNECT(
               If URL.Port equals 80
          )
          then
          BLOCK

          For ultrasurf and others, I suggest using SSL Scanner. SSL Scanner will

          • block access to unwanted SSL ports
          • detect that a handshake can't be fulfilled
          • block the traffic

          If you don't use SSL Scanner, URL Filtering is a solution. I just traced ultrasurf and found that it does CONNECT to IPs rather than names.

          In an explicit proxy only deployment you could simply disallow CONNECTs to IPs. In a transparent deployment ALL CONNECTs will be to IPs, so be careful there!!

          If Command.Name equals CONNECT(
               If URL.Port equals 443
               AND
               If URL matches regex(^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
          )
          then
          BLOCK

          Sample rule is attached.

          Important: You might need to whitelist several servers when blocking CONNECTs to IPs.

          best,

          Michael

          Message was edited by: Michael Schneider on 19/08/2010 09:57:32 CEST
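          Added example (not from this thread and not Web Gateway code): the two rules above written as a small Python evaluator over raw proxy request lines, with the transparent-mode warning built in. Rule 2 is only applied when the deployment is an explicit proxy, and whitelisted IPs are exempted; the request-line parsing, the mode flag and the whitelist parameter are assumptions for the example, not MWG behaviour.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Hypothetical stand-in for the two MWG rules in the reply above (not Web Gateway
# code): Command.Name, URL.Port and URL are taken from the raw request line.
IP_LITERAL = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")   # regex from rule 2
REQUEST_LINE = re.compile(r"^(?P<cmd>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

class Request(NamedTuple):
    command: str
    host: str
    port: int

def parse_request_line(line: str) -> Optional[Request]:
    """Accepts 'CONNECT host:port HTTP/1.1' or 'GET http://host/path HTTP/1.1'."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    cmd, target = m.group("cmd"), m.group("target")
    if cmd == "CONNECT":                      # authority form: host:port
        host, sep, port = target.rpartition(":")
        return Request(cmd, host, int(port)) if sep and port.isdigit() else None
    url = urlsplit(target)                    # absolute form, as an explicit proxy sees it
    if not url.hostname:
        return None
    return Request(cmd, url.hostname, url.port or (443 if url.scheme == "https" else 80))

def decide(req: Request, mode: str, whitelist: frozenset = frozenset()) -> str:
    """mode is 'explicit' or 'transparent'; returns 'BLOCK' or 'ALLOW'."""
    if req.command != "CONNECT":
        return "ALLOW"
    if req.port == 80:                        # rule 1: a tunnel over port 80 is blocked
        return "BLOCK"
    # Rule 2 is for explicit proxies only: in a transparent deployment every
    # CONNECT target is an IP, so applying it there would block all SSL traffic.
    if (mode == "explicit" and req.port == 443
            and IP_LITERAL.match(req.host) and req.host not in whitelist):
        return "BLOCK"
    return "ALLOW"

def evaluate(lines, mode: str, whitelist: frozenset = frozenset()):
    verdicts = []                             # (line, verdict); unparsable -> 'UNPARSED'
    for line in lines:
        req = parse_request_line(line)
        verdicts.append((line, decide(req, mode, whitelist) if req else "UNPARSED"))
    return verdicts

# Constructed sample request lines (TEST-NET address, example.com names).
SAMPLE_LINES = ["CONNECT 203.0.113.10:443 HTTP/1.1", "CONNECT proxy.example.net:80 HTTP/1.1",
                "CONNECT www.example.com:443 HTTP/1.1", "GET http://www.example.com/ HTTP/1.1"]
```

          Running `evaluate(SAMPLE_LINES, "explicit")` blocks the first two lines, while `"transparent"` blocks only the port-80 tunnel, which is the difference the warning above is about.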
          • 2. Re: HTTP,HTTPS tunnel tool
            smalldog

            Hi All, I can not block ultrasurf, skype, bittorrent with this rule. I'm using transparent bridge mode. Any ideas? Thanks!