3 Replies Latest reply on Mar 14, 2017 10:36 PM by kbolt

    Youtube Getting Past MCP But Not Direct Proxy

    kbolt

      Hey guys, weird situation showed up tonight. I've deployed MCP to a group of machines with the latest policy which explicitly blocks Youtube access however some users still have access. So I hopped on to one of the user machine and tried to access youtube and lo and behold, it works in Google Chrome (56) but is blocked in IE11 and Firefox 51.

       

       

      I run over to Rule Trace to identify the source  of the mixup but the trace doesn't see anything about Youtube, MWG is completely unaware of the transaction.

       

      So i go to Internet Options and explicitly point the PC to the same MWG appliance but a separate port used for WPAD connections (9090 for MCP, 9095 for WPAD) and that blocks Youtube and I see it inside Rule Trace. What's going on?

       

       

      Then after I remove the Internet Options setting, MCP seems to now be able to see YouTube without a hithc. That's a weird hiccup and I'm concerned that it might happen a lot more. Has anyone ever experienced this?

       

      It seems this is happening due to a lack of CERTVERIFY commands at the SSL Scanner step but I'm not sure.

        • 1. Re: Youtube Getting Past MCP But Not Direct Proxy
          smasnizk

          Please keep in mind Chrome is a google product and youtube belongs as well to goole. When using Chrome and accessing youtube the browser can choose QUIC protocol for. This won't be supported by MWG or Other devices in your Corporate Network so the browser will make a fall back to usual SSL tunnel. When you're using MCP you most likely redirect 80 and 443 to a Proxy (Cloud or on Premise). It is possible to establish another connection directly to youtube using different port which isn't redirected to a proxy and not been blocked by you're client firewall.  You can create client TCP dump using wireshark to confirm this behavior and port that is used for. As you already identified before IE and Firefox most likely didn't have this implemented, QUIC is google developed protocol.

           

          -Sergej

          2 of 2 people found this helpful
          • 2. Re: Youtube Getting Past MCP But Not Direct Proxy
            kbolt

            Hello Sergej and thank you very much for that answer. It does make sense! I'll have to try running wireshark on one of the client machines to confirm this. I'll also look for ways to accurately identify the QUIC protocol.

             

            If this is the case, I may have to resort to either placing the MWG appliance logically between LAN and firewall so it scrutinizes all traffic OR go back to using WPAD, which has its own shortcomings.

            • 3. Re: Youtube Getting Past MCP But Not Direct Proxy
              kbolt

              You hit the nail on the head, Sergej! I'll talk to network admin about blocking outgoing UDP on ports 80 and 443. Thanks again!
              QUIC_Proto.JPG