1 2 Previous Next 10 Replies Latest reply on Mar 14, 2013 10:03 AM by maitane

    Https looks like doesn´t work


      Hello Everybody,


      Since update to, the safesearch looks like doesn´t work or doesn´t match with anything, when we surf in https.


      When we search "*****" or "puta" we can see the images.


      Does anybody know what´s happend?, why we can access in https to look everything.




      PD: Maybe we can not envrypt the query because the user is redirected to a session unencrypted HTTP, but how???


      El mensaje fue editado por: maitane on 2/04/12 6:28:57 CDT
        • 1. Re: Https looks like doesn´t work

          If the safe search works in HTTP but not in HTTPS, I guess it is a wrongly configured SSL Scanner.

          Can you filter any other SSL traffic?




          • 2. Re: Https looks like doesn´t work

            Hi Felix,


            The question is that we don´t want to inspect SSL traffic by now.
            We´re working with the safesearch function enabled and also we´ve created a especific rule set to prevent possible unwanted results on web searchers.
            This rule set is working fine in http but we´ve realised that if we use https://www.goole.com our rule set and the safe search neither work.


            Hablas español?

            Best regards.

            • 3. Re: Https looks like doesn´t work

              If you want to enforce Google safe search for https, then you must use the SSL scanner. The Web Gateway cannot modify the headers to force safe search unless it breaks into the SSL connection.

              • 4. Re: Https looks like doesn´t work

                Hi again,

                We still have not enabled SSL scanning.

                With all new features, is there now any way to perform it?

                • 5. Re: Https looks like doesn´t work



                  when SSL Scanner is not enabled MWG cannot see what you searched for. MWG will see that your browser talks to Google, not what is communicated. Therefore the safe search enforcer cannot apply.




                  • 6. Re: Https looks like doesn´t work

                    Ok Thanks,

                    And wich is the easiest way to enable the SSL scanning so it don´t looks like a "man in the middle"?

                    By now, we only want to scan those searchs.

                    • 7. Re: Https looks like doesn´t work



                      the problem is that SSL Scanner basically is a "man in the middle". So MWG will always have to replace the server certificate in order to look into the tunnel. If you have a root certificate enrolled to your browsers that MWG can use to sign server certificates users won't notice if the certificate was signed by MWG. If desired you can restrict the SSL inspection to search engines only, so that most of the SSL traffic remains untouched.


                      However you will have the root certificate installed on the browsers. Otherwise they will always see a certificate warning, since the server cert was changed by MWG.




                      • 8. Re: Https looks like doesn´t work

                        That´s it Andre, thanks very much for your reply.

                        Restrict the SSL inspection to search engines only could be a good way for us by now.

                        Which would be the correct criteria? URL.Categories contains Search Engines?

                        • 9. Re: Https looks like doesn´t work



                          basically yes, but we need to be a little careful here. The most important question it if you are running in a transparent mode. In transparent modes MWG may only see the destination IP address, rather than the host name that was accessed. In this case the categorization can cause problems. The category lookup performs reverse and forward DNS lookups to get a valid result, but it may not be as reliable as when running in explicit modes.


                          Also you have to ensure that your clients have a root certificate enrolled which MWG uses to sign server certificates. Otherwise your users will be prompted with a certificate warning. Actually there are customers who are happy with that, but I think its worth mentioning :-)


                          Maybe you restrict the SSL Scanner to the client IP of a test computer first of all, and play around with it. Then add the criteria for  Search Engines and check whether it behaves as desired. If all is good you could make the change for other users.




                          1 2 Previous Next