I've found a solution that seems to be showing success (so far) on UTM-9.194 in transparent mode (great for BYOD and non-SSO clients) with blocking UltraSurf 13.04, however, with likely negative impacts.
Web Filtering, Global:
HTTPS (SSL) Traffic = "URL filtering only"
Operation mode = "Transparent Mode"
Default Authentication = "None"
Web Filtering, Policies, Default content filter action:
Websites, Block these websites:
Name = "ByIP"
Match URLs based on = "Regular Expression"
Regular Expression1 = "\d+(\.\d+){3}"
"URL filtering only" allows SNI (Server Name Indication) inspection without foring the appliance certificate to clients. Proper HTTPS should _always_ use hostnames to ensure proper trust. Older clients may not fill the SNI.
PLEASE NOTE: this is a broad hammer approach and LIKELY WILL lead to blocking what your organization might otherwise consider legitimate traffic that will require an exception to override this block (remember: skips, exceptions, blocked site list, allowed site list, categories).
-- EDIT:
This will likely block all transparent traffic from non-SNI clients (ie Microsoft Internet Explorer on Windows XP/Server 2003, built-in browser in Android older than 3.0) and traffic to a server where an IP address rather than a domain name is used. This approach shouldn't block standard proxied traffic from these clients.
Guest User!
You are not Sophos Staff.