Disallow all http/https traffic except through the proxy?

I'm trying to figure out the best way to prevent all http/https traffic from going through the firewall except if it's going through the proxy.  This way I can be sure all http/https traffic, regardless of port, is filtered.  I have the proxy working fine, I'm just looking for the firewall rule(s) that I need.

  • Hi,

    You will need to work out which protocols you are allowing through the proxy, add them to your proxy rule and then follow that with a firewall rule that blocks/drops/rejects all other protocols.

    You will need to think this through very thoroughly because of your mail, ftp and maybe remote access. Also, what is your company policy on facebook, twitter etc.?

    Ian

  • As for policy, I’m strictly logging right now aside from some of the obvious security-related stuff.

    My question is this: it appears that the web proxy follows the firewall rules. So if I allow a host into the web proxy and then block it from going outbound, would the web proxy follow that rule? I clearly need to do more testing on this.

  • Hi Mark,

    The web proxy is part of your firewall rule. You can stop people accessing the rule by using the check user function in the rule.

    You can setup web proxy firewall rules based on different user groups, different application rules and different web (url) rules. Also each firewall rule can have a different IPS rule applied.

    Ian

  • Here's the problem: when I block HTTP and SSL, it blocks it even through the web proxy. I want to block it only if a client attempts to use those directly.

    Again, here's what I'm trying to accomplish: I want all HTTP/HTTPS traffic blocked unless it is through the web proxy, and I want to do it using deep packet inspection so I don't have to worry about users bypassing it on non-standard ports.

  • The rule at the top is set up for the proxy, using the proxy configuration you have set in your login script. Your proxy rule has scan http/s enabled, so the users also need a certificate installed; otherwise there is no packet inspection and no internet access.

    The next rule blocks http/s, and you also tick block non-standard ssl.

    Ian
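The two-rule ordering described in the reply above, modelled as an added example (not part of the thread and not any firewall vendor's configuration): the first rule allows client traffic to the proxy on 3128, the second drops anything identified as HTTP or SSL by inspecting the first client bytes rather than the port, and everything else falls through to later rules. The client network, proxy address and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed client network
PROXY = ipaddress.ip_address("192.168.1.1")   # assumed inside address of the proxy
PROXY_PORT = 3128                             # proxy port named in the thread
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sends (constructed samples below)

def detect_app(payload: bytes) -> str:
    """Classify by content, not port: TLS handshake record (0x16, version 3.x) or HTTP request line."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "ssl"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "other"

def allow_to_proxy(flow: Flow) -> bool:
    """Rule 1: clients may talk to the proxy port only."""
    return (ipaddress.ip_address(flow.src) in LAN
            and ipaddress.ip_address(flow.dst) == PROXY and flow.dport == PROXY_PORT)

def block_direct_web(flow: Flow) -> bool:
    """Rule 2: any client flow that looks like HTTP or SSL, whatever the destination port."""
    return ipaddress.ip_address(flow.src) in LAN and detect_app(flow.payload) in ("http", "ssl")

# Ordered first-match rule base; rules for mail, dns etc. sit below and are not modelled.
RULES = [("allow-to-proxy", allow_to_proxy, "allow"),
         ("block-direct-web", block_direct_web, "drop")]

def evaluate(flow: Flow) -> tuple:
    """First matching rule wins; unmatched flows continue to the later rules."""
    return next(((n, a) for n, m, a in RULES if m(flow)), ("no-match", "continue"))

TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # constructed handshake record header
SAMPLES = {  # constructed flows from one client
    "via-proxy": Flow("192.168.1.10", "192.168.1.1", 3128, b"GET http://example.com/ HTTP/1.1\r\n"),
    "ssl-443": Flow("192.168.1.10", "203.0.113.5", 443, TLS_HELLO),
    "ssl-8443": Flow("192.168.1.10", "203.0.113.5", 8443, TLS_HELLO),
    "http-8080": Flow("192.168.1.10", "203.0.113.5", 8080, b"GET / HTTP/1.1\r\n"),
    "smtp-25": Flow("192.168.1.10", "203.0.113.9", 25, b"EHLO client.example\r\n"),
}

def classify_samples() -> dict:
    return {name: evaluate(flow)[1] for name, flow in SAMPLES.items()}
```

Note that the proxied request also classifies as HTTP; it is allowed only because the proxy rule sits above the block rule, which is why the ordering matters.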

  • Can you give me an example of the top rule for this? I'm not sure how to identify that a user is using the proxy.

  • Hi Mark,

    This is one of my firewall rules. It is not the top one because I have mail, ntp, dns and VoIP rules above it, although it is the top rule for general access.

    Ian

  • Got it. So you're allowing HTTP and HTTPS by port. I don't want to do this... I want to use the application filter to block all HTTP and SSL connections unless they're going through the web proxy. When I attempt this, the web proxy seems to follow the top rule and blocks access too. That's the behavior I'm trying to avoid.

  • Hi Mark,

    https and ssl are not applications but protocols that are used by applications. To use the direct proxy you will need to ensure that the user devices are configured for port 3128 only for web access. All my testing tells me that http/s go through the transparent proxy function, not the standard proxy which you are trying to use.

    You will need some sort of proxy pac to configure your users when they are on your network.

    Ian

  • Right. I have a proxy pac and it’s working correctly. But again, in a firewall rule, how do I differentiate between users accessing the web through the proxy versus users accessing the web directly?