2 Replies Latest reply on Mar 19, 2012 5:05 AM by smalldog

    HTTP,HTTPS tunnel tool


      My company uses MWG 7.0 for URL filtering. But when some users use an HTTP tunnel tool (e.g. fgate.exe, ultrasurf.exe, ...), they can access web sites which are blocked by policy.

      Please tell me a solution for blocking the tunnel tools.


        • 1. Re: HTTP,HTTPS tunnel tool



          Generally a tunnel through a proxy is indicated as a CONNECT request, see section 9.9 of http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html.


          A rule in MWG for tunnels over port 80, which are VERY uncommon, can look like:


          If Command.Name equals CONNECT
               AND URL.Port equals 80

          For ultrasurf and others, I suggest using SSL Scanner. SSL Scanner will

          • block access to unwanted SSL ports
          • detect that a handshake can't be fulfilled
          • block the traffic


          If you don't use SSL Scanner, URL Filtering is a solution. I just traced ultrasurf and found that it does CONNECT to IPs rather than names.

          In an explicit-proxy-only deployment you could simply disallow CONNECTs to IPs. In a transparent deployment ALL CONNECTs will be to IPs, so be careful there!!


          If Command.Name equals CONNECT
               AND URL.Port equals 443
               AND URL matches regex(^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)

          Sample rule is attached.

          Important: You might need to whitelist several servers when blocking CONNECTs to IPs.






          Message was edited by: Michael Schneider on 19/08/2010 09:57:32 CEST
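The logic of the two rules in the reply above, written out in Python as an added example (this is not code from the original post and not MWG's own rule engine): it classifies proxy request lines, flags CONNECT on port 80, flags CONNECT to an IP literal on port 443 unless the IP is on an allowlist, and switches the IP-literal rule off in transparent mode, since there every CONNECT carries an IP. It goes slightly beyond the posted regex by recognising IPv6 literals as well as dotted IPv4. The request lines and the allowlist entry are constructed for the example.

```python
"""Classify proxy CONNECT requests with the checks from the reply above (added example)."""
import ipaddress

# Constructed sample request lines (not a real capture), as a forward proxy would see them.
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",   # normal TLS to a hostname
    "CONNECT 203.0.113.5:443 HTTP/1.1",       # TLS-looking tunnel to a bare IP
    "CONNECT 198.51.100.7:80 HTTP/1.1",       # tunnel on port 80: very uncommon
    "CONNECT [2001:db8::10]:443 HTTP/1.1",    # IPv6 literal, missed by a dotted-quad regex
    "CONNECT 203.0.113.200:443 HTTP/1.1",     # IP on the allowlist
    "GET http://www.example.com/ HTTP/1.1",   # not a tunnel at all
]

# Hypothetical allowlist of IP destinations that legitimately need CONNECT
# (the reply notes several servers may have to be whitelisted).
ALLOWED_IPS = {"203.0.113.200"}


def parse_authority(authority):
    """Split 'host:port' or '[v6addr]:port' into (host, port); None if malformed."""
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1 or not authority[end + 1:].startswith(":"):
            return None
        host, port = authority[1:end], authority[end + 2:]
    else:
        host, sep, port = authority.rpartition(":")
        if not sep:
            return None
    if not port.isdigit():
        return None
    return host, int(port)


def is_ip_literal(host):
    """True for IPv4 or IPv6 literals, False for hostnames."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(request_line, explicit_proxy=True, allowed_ips=ALLOWED_IPS):
    """Return the rule that fires for one request line, or 'allow'."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return "allow"                      # only CONNECT requests open a tunnel
    parsed = parse_authority(parts[1])
    if parsed is None:
        return "block:malformed"
    host, port = parsed
    if port == 80:
        return "block:connect-port-80"      # rule 1: tunnels over port 80
    if port == 443 and is_ip_literal(host):
        if not explicit_proxy:
            # Transparent deployment: every CONNECT is to an IP, so this rule
            # would block all TLS. Skip it, as the reply warns.
            return "allow"
        if host in allowed_ips:
            return "allow"                  # whitelisted server
        return "block:connect-to-ip"        # rule 2: CONNECT to a bare IP on 443
    return "allow"


def classify_all(lines, explicit_proxy=True):
    """Map each request line to its verdict for the given deployment mode."""
    return {line: classify(line, explicit_proxy) for line in lines}


if __name__ == "__main__":
    for mode in (True, False):
        print("explicit proxy" if mode else "transparent")
        for line, verdict in classify_all(SAMPLE_REQUESTS, mode).items():
            print(f"  {verdict:28} {line}")
```

Running it in explicit mode blocks the two bare-IP CONNECTs and the port-80 tunnel while letting the hostname, the allowlisted IP and the plain GET through; in transparent mode only the port-80 rule still fires, which is exactly why the second rule is unsafe there.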
          • 2. Re: HTTP,HTTPS tunnel tool

            Hi all, I cannot block ultrasurf, skype, bittorrent with this rule. I'm using transparent bridge mode. Any ideas? Thanks!