Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 5489 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unblock Subdomain

DMR188

Hello, this might be pretty routine, but I can't figure out how.  How do you unblock a subdomain?  For example, I want to block Youtube.com for a group of users, but I need to allow, youtube.com/something .  (Which is an embedded youtube video on a site) How would you go about doing that.

 

Thanks



This thread was automatically locked due to age.
  • 0

    1) Create a Web Policy rule that blocks Youtube (eg block category Video Hosting).


    2) Create an exception matching the specific URL patterns you want to allow (eg the video url and any other urls it depends on).  This uses regex.

    -or-

    2) Create a Category and put the URL patterns you want to allow in the "keyword" field.  This is straight text match, not regex.
    3) Create a Web Policy rule that is above the block, that allows the new category.


    Note: Custom Categories can be based on "domain" which is domain-name only, or it can be based on "keyword" which is any part of the URL.  The domain is much more efficient.  The keyword is more powerful.  

  • 0 in reply to Michael Dunn

    Thanks for the info!  Unfortunately I couldn't get either to work.

     

    They are not using decrypt and scan, so I don't know if the Exception would even do anything, but I tried putting in this:

     

    ^([A-Za-z0-9.-]*\.)?youtube\.com\.watch?v=VIpACJRnZZE/

     

    It was still being blocked.

     

    So then I did as you suggested and created a new category called "YouTube Override" and tried different things, but obviously the keyword doesn't allow for much.  What I tried doing was just putting in that last part, the VIpACJRnZZE as the keyword.  

     

    I feel i'm close, but obviously missing something.

     

    Thanks

  • 0 in reply to DMR188

    You need to be running Decrypt and Scan for it to work.  The underlying issue is:

    Youtube uses HTTPS to encrypt traffic to/from the site.  If you want granular control over traffic to/from the site the appliances need to have access to the data and URLs which means you need to have HTTPS decryption.  The appliance cannot interfere on encrypted traffic.

    The other option, which still requires HTTPS Decrypt, is to use a domain managed Google Apps (now "G Suite").  This is how schools operate.
    See here for more details:
    support.google.com/.../6214622

  • 0 in reply to Michael Dunn

    Ahhhh, Ok, that makes more sense.  So maybe what I can try is just to enable Decrypt and Scan and for that particular rule and deploy the certificate to those devices.  I think I have a decent grasp on that now.  Thanks a bunch for the info and I'll let you know if for some reason that doesn't work.

     

    Thanks