Real-World Usage Scenarios for SSL

Recommended Prior Reading:

Real-World Usage Scenarios

Now that you have a better understanding of SSL, let’s bring up some real-world usage scenarios and how they would be implemented with the Lightspeed Systems Web Filter. It is possible you may have already encountered some of these situations or this is the first time you’ve heard of them. In either case, learning from real-world scenarios should help bring to light the importance of handling SSL traffic in different situations.

SCENARIO 1 – “Basic Blocking of SSL Traffic by Category”

Problem:

You have installed, configured, and are now using the Lightspeed Web Filter in your environment. You need to ensure users are unable to access blocked content by establishing an encrypted (HTTPS) session.

Solution:

Simply enable the Decode SSL Certificates option under Web Filter > General. This decodes the domain from the website’s SSL certificate or, for TLS connections, analyzes the SNI response from the web server. A category lookup is then performed on that domain, and if it falls in a blocked category, the Rocket will not allow the SSL tunnel to form.
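To make that mechanism concrete, here is an added example (not Lightspeed code) of how a filter can read the requested hostname from the SNI extension of a TLS ClientHello before any encryption starts, then apply a category lookup to decide whether the tunnel may form. The category table and the sample ClientHello builder are constructed stand-ins for the Rocket's database and for real client traffic.

```javascript
// Added example (not Lightspeed code): read the requested hostname from the SNI
// extension of a TLS ClientHello without decrypting anything, then apply a category
// lookup. CATEGORY_DB and BLOCKED_CATEGORIES are constructed stand-ins for the Rocket's database.
const CATEGORY_DB = { "www.youtube.com": "video", "mybank.example": "finance" };
const BLOCKED_CATEGORIES = new Set(["video"]);
const u16 = (b, o) => (b[o] << 8) | b[o + 1];
// Returns the server_name carried in a ClientHello, or null if absent.
function extractSni(rec) {
  if (rec[0] !== 0x16 || rec[5] !== 0x01) return null; // not a handshake / ClientHello
  let p = 9 + 2 + 32;                  // record hdr(5) + handshake hdr(4) + version + random
  p += 1 + rec[p];                     // session_id
  p += 2 + u16(rec, p);                // cipher_suites
  p += 1 + rec[p];                     // compression_methods
  if (p + 2 > rec.length) return null; // no extensions block
  const end = p + 2 + u16(rec, p);
  p += 2;
  while (p + 4 <= end) {
    const type = u16(rec, p), len = u16(rec, p + 2);
    p += 4;
    if (type === 0) {                  // server_name extension (RFC 6066)
      let q = p + 2;                   // skip ServerNameList length
      while (q + 3 <= p + len) {
        const nameLen = u16(rec, q + 1);
        if (rec[q] === 0) return rec.toString("ascii", q + 3, q + 3 + nameLen); // host_name
        q += 3 + nameLen;
      }
    }
    p += len;
  }
  return null;
}
// Constructed minimal ClientHello (one cipher suite, one SNI entry) used as sample input.
function buildClientHello(host) {
  const name = Buffer.from(host, "ascii");
  const sni = Buffer.concat([ // type, ext len, list len, name type, name len, name
    Buffer.from([0, 0, 0, name.length + 5, 0, name.length + 3, 0, 0, name.length]), name]);
  const body = Buffer.concat([
    Buffer.from([3, 3]), Buffer.alloc(32, 0x11),   // client_version, random
    Buffer.from([0, 0, 2, 0x13, 0x01, 1, 0]),      // empty session_id, one suite, null compression
    Buffer.from([0, sni.length]), sni]);           // extensions length + server_name
  const hs = Buffer.concat([Buffer.from([1, 0, 0, body.length]), body]); // client_hello(1)
  return Buffer.concat([Buffer.from([0x16, 3, 1, 0, hs.length]), hs]);    // handshake record
}
// Scenario 1 decision: refuse to let the tunnel form when the SNI domain is blocked.
function tunnelDecision(rec) {
  const host = extractSni(rec);
  const category = (host && CATEGORY_DB[host]) || "unknown";
  return { host, category, allowed: !BLOCKED_CATEGORIES.has(category) };
}
```

Because the hostname is read from the clear-text ClientHello, the decision is made without touching the encrypted payload, which is why the page notes that private user information stays confidential in this mode.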

Things to Consider:

  • Prevents users from circumventing the content filter using HTTPS.
  • Reporting will show which domains have been accessed.
  • Private user information remains confidential (banking info, etc.).
  • Blocking is determined by the domain listed in the SSL certificate or the SNI response from the web server.
  • Since you’re not decrypting traffic to Google and YouTube, it is recommended that Enforce Google Safe Search be enabled to return safe search results.

Web Filter > General > Enforce Google Safe Search

SCENARIO 2 – “Selective Decryption: Yahoo Images & YouTube”

Problem:

You have been using the SSL Decoding option from Scenario 1 and have decided you need more granular control over several websites. Specifically, you want to redirect Yahoo Image Search to Google Image Search and want to know what YouTube videos are being watched.

Solution:

In this situation, you will leave the “Decode SSL Certificates” option enabled and have chosen to use a Proxy Auto Configuration (PAC) file to send the selected traffic to the Proxy Server. The SSL Decoder will continue to analyze and deny access to blocked domains over SSL. The Proxy Server will decrypt the traffic it is sent, allowing for more granular control and reporting of that traffic.

Note: Before implementing these settings, discuss them with the Lightspeed Systems Support or Engineering team to ensure that your Lightspeed Rocket appliance(s) are properly sized for this configuration.

What You’ll Need:

  1. Enable the Proxy Server role on the Rocket.
     Administration > Server Roles > Proxy Server
  2. Enable “Decrypt SSL traffic” within the Proxy Server module.
     Web Filter > Proxy Server > Decrypt SSL traffic
  3. Deploy the Trusted Man in the Middle SSL certificate to client workstations.
     Certificate Download Links: Administration > SSL Certificate
  4. Create a PAC file, then upload it to the Rocket.
     Web Filter > Proxy Server > PAC Files
     Community KB: Create PAC Files to Proxy Specified Domains
  5. Deploy the PAC file to client workstations.
     Community KB: Deploying a PAC file with Microsoft Group Policy
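An added example PAC file for step 4 (not the one from the Community KB) that sends only the named domains to the Proxy Server for decryption and lets everything else go DIRECT; it also includes the domains Scenarios 4 and 6 later add (google.com and bing.com). The proxy address rocket.example.org:8080 and the dnsDomainIs fallback are assumptions made so the file can be exercised outside a browser.

```javascript
// Added example, not a PAC file from the Lightspeed KB: send only the domains the
// scenarios name through the Rocket's Proxy Server for decryption, everything else DIRECT.
// ROCKET_PROXY (rocket.example.org:8080) is an assumed address; use your Rocket's.
var ROCKET_PROXY = "PROXY rocket.example.org:8080";
var DECRYPT_DOMAINS = [
  "youtube.com",              // Scenario 2: report which video was viewed
  "images.search.yahoo.com",  // Scenario 2: redirect to images.google.com; other Yahoo stays direct
  "google.com",               // Scenarios 4 and 6: GAFE domain restriction, search keywords
  "bing.com"                  // Scenario 6: Bing for the Classroom
];

// Browser PAC engines supply dnsDomainIs(); this fallback (same suffix semantics)
// is only used when the file is loaded outside a browser, e.g. for testing.
var dnsDomainIs = typeof dnsDomainIs === "function" ? dnsDomainIs : function (host, domain) {
  return host.length >= domain.length && host.substring(host.length - domain.length) === domain;
};

// Match the domain itself or any subdomain; the leading dot prevents
// "notgoogle.com" from matching "google.com".
function inDecryptList(host) {
  for (var i = 0; i < DECRYPT_DOMAINS.length; i++) {
    var d = DECRYPT_DOMAINS[i];
    if (host === d || dnsDomainIs(host, "." + d)) return true;
  }
  return false;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  if (inDecryptList(host.toLowerCase())) return ROCKET_PROXY;
  return "DIRECT";
}
```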

Things to Consider:

  • Reporting will show full URL detail of the domains sent to the Proxy Server including the specific YouTube video that was viewed.
  • Ability to redirect users from images.search.yahoo.com to images.google.com while allowing access to other Yahoo services.
  • Since only select traffic is being sent to the Proxy Server for decryption, the Rocket requires fewer resources to process the decryption.

SCENARIO 3 – “Using the Lightspeed Systems Campus Library”

Problem:

This scenario assumes you are using the SSL decoding option from Scenario 1 and performing selective decryption of websites from Scenario 2. You want to allow teachers to use YouTube but need to ensure only educational video content is presented to students.

Solution:

Employ the Lightspeed Systems Campus Library. By combining SSL decryption of HTTPS-enabled media sites along with the Campus Library, students may access education-oriented video without the need to allow access to top-level sites like YouTube or Vimeo.

What You’ll Need:

  1. First, contact Lightspeed Support to enable the Campus Library.
  2. Next, enter a fully qualified hostname to access the library.
     Administration > Campus Library > Hostname
  3. From the dropdown list, select the maximum grade level of content allowed.
  4. Create an ‘A’ record in your internal DNS to point this hostname to the IP of the Rocket management interface.
  5. You can now access the Campus Library through the hostname you created (e.g. http://campuslibrary.mydomain.org).
     Community Manual: Using the Campus Library.

Things to Consider:

  • When utilizing the Campus Library, direct access to YouTube can be disabled.
  • Teachers may log in to the Teacher Dashboard to add content to the library.
  • Additional domains may need to be added to your PAC file (e.g. vimeo.com).

SCENARIO 4 – “Restrict Gmail Access to the District’s GAFE Domain”

Problem:

Your district uses Google Apps for Education extensively and has allowed students to log in to their GAFE e-mail from school. Unfortunately, students have been accessing their personal Gmail as well. You would like to restrict Gmail access to only the District’s approved GAFE domain from inside the district.

Solution:

You can create Google Apps Domain lists to limit access to Google Apps tied to specific domains. For example, if you set the restriction to yourschool.edu then users would only be able to use Google apps tied to yourname@yourschool.edu Google content, not yourname@gmail.com content.

What You’ll Need:

  1. Follow the steps in Scenario 2 to enable SSL decryption.
  2. When building your PAC file, include an entry for google.com.
  3. Enter your Google Apps domain into the Proxy Server module.
     Web Filter > Proxy Server > + Add Google Apps Domain
  4. Repeat step 3 to add any additional domains (e.g. student domains).

Things to Consider:

  • You must enable the proxy option “Decrypt SSL traffic” to use this feature.
  • You cannot have google.com defined in the SSL Decryption Exclusions.
  • If using Chromebooks, add the following domains to the SSL Decryption Exclusion list: https://support.google.com/chrome/a/answer/3504942

SCENARIO 5 – “Block & Redirect Pages Within HTTPS”

Problem:

Using the solution from Scenario 1, you have prevented access to blocked content trying to establish encrypted (HTTPS) sessions. You would like to redirect these sessions to a block page or to a different website.

Solution:

By design, SSL is end-to-end encrypted: any attempt to intercept and decrypt the traffic between the user’s machine and the server is detected, and the connection is shut down. To insert a block or redirect page into an HTTPS session, it is therefore necessary to use a Trusted Man in the Middle proxy, which clients accept because of the certificate deployed in Scenario 2.

What You’ll Need:

  1. Follow the steps in Scenario 2 to enable SSL decryption.
  2. When building your PAC file, include entries for any domains on which you want to show block pages or redirects.
  3. Instead of dropping the SSL connection, the Rocket will display the desired block page or redirect the traffic to another website.

Community KB: Custom Access Pages
Community KB: Redirected Categories

Things to Consider:

  • Use SSL decryption only for regularly-accessed, blocked domains.
  • By continuing to use selective SSL decryption, private user information remains confidential (banking info, etc.).

SCENARIO 6 – “Google & Bing Search Queries”

Problem:

You have been enforcing Google Safe Search by following the solution in Scenario 1; however, you would like to go a step further and see what students are searching for on Google in order to utilize Blocked Search Keywords.

Solution:

While Google Safe Search provides safe, filtered results, the session between the user and Google is still encrypted, and thus their search keywords are encrypted as well. To see the keywords and apply Blocked Search Keywords, google.com must be sent to the Proxy Server for decryption.

What You’ll Need:

  1. Follow the steps in Scenario 4 to enable SSL decryption for google.com.
  2. Follow the steps on the Community Site to create Blocked Search Keyword lists.
     Web Filter > Block Search Keywords > New List
     Community KB: Block Search Keywords
  3. RECOMMENDED: For an even higher level of security, implement Bing for the Classroom: www.bing.com/classroom. This option from Bing allows full safe search functionality to be enforced based on the IP address of your organization. Since this is an SSL site, bing.com should also be added to your PAC file for decryption.

Things to Consider:

  • You will now be able to see all search queries sent to Google and Bing for the Classroom, as well as utilize Blocked Search Keyword lists more effectively.
  • The Image Thumbnail Filter may be enabled for added protection against blocked and unwanted content.
    Web Filter > Policy Management > Rule Sets > Select your rule set
    Enable “Filter Image search thumbnails (Google and Bing)”
  • If using Chromebooks, add the following domains to the SSL Decryption Exclusion list: https://support.google.com/chrome/a/answer/3504942