  1. #1
    Newbie
    Join Date
    Jan 2021
    Posts
    3

    SSL Inspector/Web filtering is not working properly on Untangle Cloud Appliance

    Hello,

    A couple of years ago I set up a physical Untangle appliance (version 14.x) in which I was able to set up the SSL Inspector and Web Filtering without issues.

    A few days ago I created a new instance of Untangle (version 16.2.0), and this time it was in the Cloud. However, I just can't make the configuration work.

    I was able to configure the OpenVPN server (IPSec didn't want to work) and it worked.

    Before enabling the Web Filtering and SSL Inspector, I created the Certificate that matches my domain, and then I installed the root certificate in the corresponding machines, and actually when I verify the certificate my domain appears in the "Issued by" section.


    I wanted to "Restrict Google applications", block porn sites and some social media services like Facebook.

    However, I'm not able to succeed in any of the above except blocking Facebook.

    • For the Google applications, I configured the desired domains I wanted to allow for Google applications. Then I tried different configurations found in the wiki and in the forum; none of them worked, and I was able to log in with personal Gmail accounts. Those configurations include enabling and disabling the "Block QUIC", "Process HTTPS traffic by SNI", etc.

    • For the porn sites, I checked the "block" checkbox in the categories, and when I tested some porn sites I was able to access all of them. Later, I tried manually setting up "pornhub.com" in order to check if at least that site was blocked, and unfortunately, nope.

    • For blocking Facebook, the only way I was able to "make it work" was by following these steps: How-do-I-block-Facebook-YouTube

      I put "make it work" in quotes because when I browse to facebook.com, instead of redirecting me to the custom blocking page I configured, the browser just shows "This site can't be reached".

    • Even though it is not recommended to enable the "Inspect all traffic" option, enabling it was the only way to actually be able to navigate to different sites. I believe that maybe it has something to do with the TLS 1.3 option. I read, in other posts, that this option is causing some issues. Is that correct?

    I spent a few hours in the forum and in the wiki trying to make it work, with no luck. I'm a little frustrated because with the first configuration I ever tried (a few years ago) everything worked flawlessly, and now with this new setup I'm not able to make anything work.

    Do you guys have any idea?

    Thanks a lot!

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,628

    Turn off SNI if using SSL Inspection.

    https://support.untangle.com/hc/en-u...Option-Working
    Last edited by jcoffin; 01-31-2021 at 06:37 PM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Jan 2021
    Posts
    3

    Hello, @jcoffin

    I'll try it and come back with the results.

    Thanks!

  4. #4
    Newbie
    Join Date
    Jan 2021
    Posts
    3

    Hello everyone,

    I made further tests with the changes that jcoffin suggested, and the results remained the same: no blocking, Gmail consumer apps remain accessible, etc.

    Another thing that I noticed is that, according to the Untangle Wiki, enabling the option of "Inspect all traffic" is not the best way to go. However, this was the only way I could get websites to load; otherwise, an error message was received.

    The same happened with the preset rules, for instance Dropbox: by default it is "Ignore", but only when I changed it to "Inspect" did the page actually load.

    The rules and configuration are attached in the images section.

    I was only able to "block" a porn site (pornhub), just because I found that name in the "Applications Control" app, but there are tons of adult content sites, making it impossible to add them one by one in the "Applications Control" app.

    I'll try to set up a physical appliance with two NICs in order to compare if I obtain the same results.

    20210201_Untangle_SSLinspector_01.jpg

    20210201_Untangle_SSLinspector_02.jpg

    20210201_Untangle_SSLinspector_03.jpg

    20210201_Untangle_SSLinspector_04.jpg
