Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  I want to block HTTPS URLs..

    Posted 07-22-2015 18:01

    Hello all,

     

    I have ISG-1000, SSG-140.

     

    Using the SSG-140, I'd like to block HTTPS URLs such as Facebook, Google and so on.

    But, unlike HTTP URLs, HTTPS URLs were not blocked at all.

     

    So, I searched for this issue and found two:

     

    One is,

    http://forums.juniper.net/t5/SRX-Services-Gateway/How-can-I-block-HTTPS-website-on-juniper-srx-100/m-p/106530

     

    At that URL, the following text appeared:

    1/  DNS doctoring (make your SRX return 127.0.0.1 for *.facebook.com) - SRX must be inline for DNS requests-replies

    This will block HTTP and HTTPS access to Facebook but I guess you don't need HTTP access to Facebook either?

    2/ write an IDP policy which matches on SSL Client Hello extension "server_name" and sends a TCP RST if this extension contains "*.facebook.com"

    3/ most crude method - write a prefix-list which contains Facebook prefixes (below is from whois query I executed few mins ago)

     

    Actually, I don't know methods 1 and 2 well.

    In particular, I am wondering about number 2's proposal.

    SSG-140 does not support IDP, but ISG-1000 does support IDP.

    So using the ISG-1000, can I block HTTPS URLs?

     

     

     

    Second is,

    The method I should use is the Websense application.

    As I searched, Websense is a software company, right?

    So, should I buy a Websense application...?

     

     

    Experts, please contact me.

    Thanks.



  • 2.  RE: I want to block HTTPS URLs..
    Best Answer

    Posted 07-23-2015 09:33

    You could use WebSense redirect to block HTTPS requests.  From the 6.2 release notes:

    Redirect Web Filtering of HTTPS Traffic - ScreenOS 6.2.0 includes the ability to
    redirect and filter HTTPS traffic using Websense URL filtering. Prior releases only
    allowed redirect of HTTP traffic. As with the earlier HTTP-only implementation, this
    enhancement allows the device to intercept the first HTTPS request for each new TCP
    connection and then sends a request to Websense to determine whether or not the
    request should be blocked.



  • 3.  RE: I want to block HTTPS URLs..

    Posted 07-23-2015 18:33

    Then, following the 6.2 release notes, there's no way except using Websense??

     

    ...actually we have no conditions to buy it.

     

    So, can't I block HTTPS URLs?? right ;(

     

    Regards,