  1. #1
    Untangler
    Join Date
    Mar 2015
    Posts
    78

    Web Caching Problem

    Hello there..

    I would like to ask for your insights regarding my problem..

    The protocol in our company is to allow / block Gmail at specific times. Let's say that Gmail is allowed at 6:00 - 6:59 am only and will be blocked at 7:00 am. Of course, I already did this using Policy Manager.

    The problem is that once I access Gmail during the allowed hour (6:00 - 6:59), I can still access it from 7:00 onwards, when it is supposed to be blocked.

    I blocked Gmail using Web Filter. I also added an entry on web bypass cache.

    I tried installing different browsers and accessing Gmail just to make sure that it's not a browser problem.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,710


    Nothing to do with Web Cache.

    My guess is that since Gmail is accessed via HTTPS (encrypted), it may require HTTPS Inspector to reliably block it. Gmail web application also seems to keep a UDP session active which will not switch to the new policy rack until the session ends. I would try using HTTPS Inspector first.

    http://wiki.untangle.com/index.php/HTTPS_Inspector
    Last edited by jcoffin; 09-05-2015 at 08:20 PM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Mar 2015
    Posts
    78


    Quote Originally Posted by jcoffin View Post
    Nothing to do with Web Cache.

    My guess is that since Gmail is accessed via HTTPS (encrypted), it may require HTTPS Inspector to reliably block it. Gmail web application also seems to keep a UDP session active which will not switch to the new policy rack until the session ends. I would try using HTTPS Inspector first.

    http://wiki.untangle.com/index.php/HTTPS_Inspector
    I have Default Rack and Open Gmail Rack.

    Should I implement the rules on https inspector on the default rack or gmail rack?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,710


    Both would need HTTPS Inspector. I imagine that Open Gmail Rack is a child of the Default rule. In that case if HTTPS inspector is in the default rack, then it is automatically included in the child rack of Open Gmail Rack.

  5. #5
    Untangler
    Join Date
    Mar 2015
    Posts
    78


    Quote Originally Posted by jcoffin View Post
    Both would need HTTPS Inspector. I imagine that Open Gmail Rack is a child of the Default rule. In that case if HTTPS inspector is in the default rack, then it is automatically included in the child rack of Open Gmail Rack.
    Yup. Default Rack is parent of Open Gmail Rack..

    Gonna test this around 2 days since I'm on vacation and I'll get back for results.

    Big thanks!

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,710


    What, people are taking vacation?

  7. #7
    Untangler
    Join Date
    Mar 2015
    Posts
    78


    Quote Originally Posted by jcoffin View Post
    What, people are taking vacation?
    I'm on vacation.

    So my rules on https inspector would be https certificate subject is *gmail*

    I'm not really knowledgeable on UTM so kindly bear with me

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510


    Quote Originally Posted by jcoffin View Post
    What, people are taking vacation?
    I'm with you, aren't 3 day weekends mandatory overtime for all in IT?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    I would not use HTTPS Inspector.
    If your goal is just to block Gmail/Google, it will likely be fine with just SNI, which will work fine unless you are using Windows XP, but you won't get pretty block pages.

    I would troubleshoot why you can access gmail after the time you specified.
    Are the sessions going to the correct rack? (Use the session viewer)
    Are the old sessions still open? (Use the session viewer)
    Is Web Filter doing the right thing? (Use the event log)

    Every few minutes the existing sessions are checked against the policy manager rules.
    If the session would now be on a different rack, it resets the session. This is so that long-lived sessions already assigned to a rack do not forever stay open when the "policy" has changed.
    Last edited by dmorris; 09-07-2015 at 02:03 PM.

  10. #10
    Untangler
    Join Date
    Mar 2015
    Posts
    78


    Quote Originally Posted by dmorris View Post
    I would not use HTTPS Inspector.
    If your goal is just to block Gmail/Google, it will likely be fine with just SNI, which will work fine unless you are using Windows XP, but you won't get pretty block pages.

    I would troubleshoot why you can access gmail after the time you specified.
    Are the sessions going to the correct rack? (Use the session viewer)
    Are the old sessions still open? (Use the session viewer)
    Is Web Filter doing the right thing? (Use the event log)

    Every few minutes the existing sessions are checked against the policy manager rules.
    If the session would now be on a different rack, it resets the session. This is so that long-lived sessions already assigned to a rack do not forever stay open when the "policy" has changed.
    For Web Filter..

    Gmail is blocked; when I access Gmail on a workstation, it shows on the event log that block = true

    I tried allowing Gmail on purpose in Web Filter and accessed it on workstations; it also shows on the event log that block = false

    Once again, I blocked Gmail in Web Filter and accessed Gmail on a workstation; this time it didn't show on the event log and I can access it.


    For Session Viewers..

    I don't see any information for my Open Gmail rack
