  1. #1


    Block Facebook HTTPS

    Hi
    We currently have EXA networks as our ISP and they do our filtering. We don't have a proxy set in IE as the filtering is at ISP end.

    Works fine until ...

    ... the kids have realised that you can change HTTP to HTTPS://www.facebook.com and it loads fine.

    EXA networks say block HTTPS (which isn't possible as finance use it for Inland Revenue etc) or change our network so you have 2 subnets - staff and student - and then block HTTPS on the student subnet only.

    Is there an alternative way? A cheap software proxy that allows all traffic apart from to Facebook? Smoothwall?

    Thanks in advance

  2. #2

    A quick and dirty block is to change HOSTS files via GPP.

  3. #3

    Thanks, could you elaborate a bit more?

  4. #4

    On each client there is a HOSTS file at: C:\windows\system32\drivers\etc\

    In this file you can redirect IANA — Example domains to any IP you want, like Google's IP.

  5. #5

    Top bombing - sounds perfect.


    Can you edit the hosts file in GP, or is it a reg edit job then publish that via GP?

  6. #6

    I just do it for worst case scenario.

    For example, I put an edited hosts file on my apps server, share it, and then I do a 'replace' action in GPP at user configuration.
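
A way to audit the hosts-file approach described in posts #2 to #6, added here as an example and not code from any poster: a hosts file has no wildcard support, so each hostname has to be listed by name and anything missing falls through to normal DNS. The sample file contents, the hostname list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file as it might be pushed out with GPP.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1    localhost
127.0.0.1    facebook.com www.facebook.com   # block list
127.0.0.1    *.facebook.com                  # wildcard: matched literally, never hit
10.0.0.5     intranet.example.local
"""

# Hostnames the block is expected to cover (illustrative list, an assumption).
REQUIRED = ["facebook.com", "www.facebook.com", "m.facebook.com"]


def parse_hosts(text):
    """Return ({hostname: ip}, [wildcard entries]) from hosts-file text."""
    mapping, wildcards = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not an IP address: skip the line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if "*" in name:
                wildcards.append(name)          # hosts files have no wildcard support
            else:
                mapping.setdefault(name, ip)    # assumption: first entry for a name wins
    return mapping, wildcards


def audit(text, required=REQUIRED, sinkhole="127.0.0.1"):
    """Classify each required hostname as sinkholed, overridden or not listed."""
    mapping, wildcards = parse_hosts(text)
    report = {}
    for name in required:
        ip = mapping.get(name.lower())
        if ip is None:
            report[name] = "not listed"         # query falls through to normal DNS
        elif ip == sinkhole:
            report[name] = "sinkholed"
        else:
            report[name] = "overridden to " + ip
    return report, wildcards


if __name__ == "__main__":
    report, wildcards = audit(SAMPLE_HOSTS)
    for name, status in report.items():
        print(f"{name:20} {status}")
    for entry in wildcards:
        print(f"ineffective wildcard entry: {entry}")
```

Run against the real file by passing the contents of C:\windows\system32\drivers\etc\hosts to `audit()`; it only inspects the file and does not cover clients that resolve names through a proxy.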

  7. #7

    You could also block facebook.com by modifying the DNS records on your server (e.g. adding an A record which points facebook.com to 127.0.0.1).

    As far as I know, only the commercial versions of Smoothwall can intercept/block HTTPS.

  8. Thanks to computer_expert from:

    karldenton (3rd October 2011)

  9. #8


    tom_newton
    Blocking https entirely is using a sledgehammer to crack a nut. I don't remember what exa use to filter, but it should be able to do this ok, I might forgive if it is transparent filtering and you use xp, but otherwise... Grr.

    A word of caution on hosts file jiggery-pokery. If you use a proxy the DNS lookup is done there, so hosts won't work. Also, if students can hit facebook over https, then it is woefully easy to access other secure sites that might cause problems, from secure Google images to secure proxy anonymizers.

    The easiest way to control https by domain is to use a traditional proxy. You could perhaps run up squid with an https whitelist as a cheap and not very cheerful alternative. Happy to discuss further options if you want to explain how exa are filtering, either here or by phone/email, though I am out of the office for a day or so now, I'm still vaguely in touch!

  10. Thanks to tom_newton from:

    karldenton (3rd October 2011)

  11. #9

    @computer expert. Whereabouts in DNS can I add this? When I've looked it thinks I'm doing it internally, i.e. facebook.com.stjohns.local!
    Also will this block HTTPS of facebook too?
    Thanks

    Update: I've added a secondary dns zone called facebook.com and pointed it to an ip on our server but there is an error and it says it can't transfer the zone from the master server -- we only have 1 DNS server by the way
    Last edited by karldenton; 28th September 2011 at 08:56 AM.

  12. #10

    GrumbleDook
    If they don't block HTTPS (not unheard of) can you not force, through your proxy settings, all web traffic via their proxy or is it transparent? I was pretty sure that they had a specified proxy you can set your machines to.

    If you can't control that I would suggest you run something internally ... either a firewall so that you limit the machine which can get straight out, a filtering solution or a combination ... and yes, I know that will be at extra cost.

  13. #11
    zag
    Our Sophos Web Appliance does this automatically. Very cool!

    Our old cachepilot has the same problems but upgrading to the sophos box fixed it.

  14. #12

    Originally posted by karldenton:
        @computer expert. Whereabouts in DNS can I add this? When I've looked it thinks I'm doing it internally, i.e. facebook.com.stjohns.local!
        Also will this block HTTPS of facebook too?
        Thanks

        Update: I've added a secondary dns zone called facebook.com and pointed it to an ip on our server but there is an error and it says it can't transfer the zone from the master server -- we only have 1 DNS server by the way

    I've just tried this on a server 2008 machine and it worked for me:
    You can do this in DNS. Set up a Forward Lookup Zone for the domain, i.e. facebook.com.
    Create an Alias (CNAME) in the zone that points to the destination server you want to redirect them to.
    Create a Host (A) record that points them to the destination server's IP address and use * for the Name.

    This will redirect all *.facebook.com and the www.facebook.com and http://facebook.com queries. It doesn't redirect something like facebook.com/whatever so the user will get a "cannot display a webpage" error for those addresses.
    Thanks to DThornton123 from this page. However, the method can be bypassed fairly easily though, so I'd think of this as a temporary solution. It will block both the http and secure sites for facebook (as if you set the destination IP as 127.0.0.1 (localhost), the machine will try to connect to itself and present the user with a site not found error or a 404 page if the machine has a web server installed) for all computers that use that DNS server to perform lookups.

  15. Thanks to computer_expert from:

    karldenton (3rd October 2011)

  16. #13

    Thanks for this everyone.
    Got round it by adding the DNS record in Server 2003 and it works fine.

  17. #14
    chilli6971
    Hi, you will be pleased to know that Exa do now provide the means to filter HTTPS requests. They have a product called SurfProtect which can be used either by customers with an Exa internet connection or as a service for non-Exa connections too.

    They have documents here - Support Documentation
