
[7.500] streaming and time managed access

Hi,
A new version of the http proxy doesn't block users.

The streaming content is open all the time, it is an unmanaged stream in the http proxy, so effectively it bypasses the ability of timed managed access to control it.

While you might say a different http profile will fix the problem, it doesn't because there isn't a place to put streaming. Blocking web sites (by category) that allow streaming does not work.

Ian M


  • Hi Bob,
    I must review the way I express myself. The conclusion you came to is what I have been trying to point out for the last 2 months in this and the beta forum.

    Regards

    Ian M
  • Hi,
    I was totally wrong with my fix, it had absolutely no effect.

    Time slot removed 0300-0859 on Saturday morning
    extract from the http log

    2009:11:21-06:18:53 fw1-on-house httpproxy[4331]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="657678734" time="12083315 ms" request="0xb0d0fb50" url="n48.stagevu.com/.../x-msvideo"
    2009:11:21-06:20:04 fw1-on-house httpproxy[4331]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="631581650" time="12802095 ms" request="0x8597b88" url="n43.stagevu.com/.../x-msvideo"

    2009:11:21-06:29:44 fw1-on-house httpproxy[4331]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="562054184" time="12877175 ms" request="0xb0d50790" url="n47.stagevu.com/.../x-msvideo"


    Ian M

    The default url filter list does not contain any reference to the streaming media.

    This is broken.
  • I set aside your list of instructions in Post #6 so that I can reproduce this, but I haven't done it yet.  I believe that you should be able to have two Filter Assignments in a Profile that both select the same group but are applied at different times.  For example:

    Filter Assignment "Work Hours"

    "Strict" Filter
    [8AM to 5PM]



    Filter Assignment "Lunch Time"

    "Moderate" Filter
    [11:15AM to 12:45PM]



    Profile "Business Day"

    Group: [blank or a specific group]
    Filter Assignments: (in order)

    Lunch Time
    Work Hours


    If I understand correctly, you say that the second Filter Assignment will not be considered and that the Profile will, instead, jump to the Fallback.

    I don't think that is the intended result.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
    On reflection and investigating the logs in detail, I think the dual filter action works fine. The real issue is that the streaming audio/video is not affected by the application of a filter action or not.

    The streaming continues without even a timeslot, even just using the default fallback settings.

    I have blocked the particular url in the fallback settings. I am not sure this will work because the tick box says bypass proxy for audio streaming.

    So the real question is how do you manage audio/video streaming?

    Ian M
  • There is a category of 'Streaming Media' - does that not work?  I think the only bypass is of the AV scan, not of the URL filtering. Or, ????

    Cheers - Bob
     
  • Hi Bob,
    You are correct about the AV scanning for streaming audio and video.

    The streaming media is ticked to be blocked in the default filtering tab.

    Ian M
  • Hi Folks,
    Blocking the video streaming site did not work.

    Filter action stops at 0159, but downloads continue for at least another hour, then he either goes to bed or something stops the download.

    Ian M
  • Interesting.  It almost sounds like a download has begun and it continues because no  further requests are needed from the download client.  What evidence do you see in the Content Filter log?

    Cheers - Bob
     
  • Hi Bob,
    A fresh set from today's http log.

    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="163076824" time="3511421 ms" request="0xa5d65940" url="n44.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="183199320" time="3486652 ms" request="0xa5d660a8" url="n56.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="115645600" time="3584441 ms" request="0xa5d45890" url="n48.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="172684400" time="3558384 ms" request="0xa5d0c108" url="n54.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="243071424" time="3754786 ms" request="0xa5b4bb88" url="n38.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="257135992" time="3789717 ms" request="0xa5b34550" url="n38.stagevu.com/.../x-msvideo"
    2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.251" user="" statuscode="200" cached="0" profile="REF_HHUJBdVDpe (medstream)" filteraction="REF_ktWGYfeMRa (medstream)" size="180346600" time="3731842 ms" request="0xa5b5f590" url="n59.stagevu.com/.../x-msvideo"

    The time stamp is 56 minutes after the filter action cut off. There are no further log entries for this user after these.

    Ian M
  • time="3511421 ms"
    time="3486652 ms" = 58 minutes 7 seconds
    time="3584441 ms"
    time="3558384 ms"
    time="3754786 ms"
    time="3789717 ms"
    time="3731842 ms"

    Looks like that confirms my guess, doesn't it? I bet a cron job to restart the HTTP Proxy at 2AM would do the trick until he figures another way to outsmart you ;)

    Cheers - Bob
     
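The arithmetic in the last two posts can be automated. The following is an added example, not part of the original thread or of the product: it subtracts each entry's `time=` duration from its log timestamp to recover when the request began, then lists transfers that began before the filter cut-off and finished after it. It assumes the proxy writes the entry when the transfer ends; the 01:59 cut-off comes from the thread, the log lines are abbreviated, and the third line is constructed.

```python
import re
from datetime import datetime, timedelta

# Abbreviated log lines. The first two reuse the timestamp, srcip, url and
# time= values quoted in the thread; the third is constructed for contrast.
SAMPLE_LOG = '''\
2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: action="pass" srcip="192.168.10.251" time="3511421 ms" url="n44.stagevu.com/.../x-msvideo"
2009:11:26-02:56:21 fw1-on-house httpproxy[18524]: action="pass" srcip="192.168.10.251" time="3789717 ms" url="n38.stagevu.com/.../x-msvideo"
2009:11:26-01:30:00 fw1-on-house httpproxy[18524]: action="pass" srcip="192.168.10.251" time="1200 ms" url="example.invalid/page"
'''

# Cut-off taken from the thread ("Filter action stops at 0159").
CUTOFF = datetime(2009, 11, 26, 1, 59)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return start/end times and key fields for one http access line, or None."""
    stamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    if "time" not in fields:
        return None
    # Assumption: the timestamp marks the END of the transfer.
    ended = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
    duration = timedelta(milliseconds=int(fields["time"].split()[0]))
    return {
        "started": ended - duration,
        "ended": ended,
        "srcip": fields.get("srcip", ""),
        "url": fields.get("url", ""),
    }


def spanning_cutoff(log_text, cutoff):
    """List passed requests that began before the cut-off and ended after it."""
    hits = []
    for line in log_text.splitlines():
        if 'action="pass"' not in line:
            continue
        rec = parse_line(line)
        if rec and rec["started"] < cutoff <= rec["ended"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in spanning_cutoff(SAMPLE_LOG, CUTOFF):
        print(rec["srcip"], rec["started"].time(), "->", rec["ended"].time(), rec["url"])
```

Entries returned by `spanning_cutoff` are connections that were already open when the time slot ended, which is the case the proposed proxy restart is meant to cut off.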