Friday, 27 April 2012

Learning Bluecoat - Blocking Google Talk

While ProxySG does not yet have a proxy specific to Google Talk (which uses the "jabber" protocol), it is possible to block Google Talk access from both the native client and the Gmail interface.

First, enable an HTTPS proxy service on port 5222 and arrange for that traffic to reach the ProxySG. If this is an inline deployment, nothing special needs to be done.

Second, configure policy to SSL-intercept and deny all HTTPS traffic to the "Chat/Instant Messaging" and "Search Engines/Portals" categories. While the chat category is obvious, the search category is also necessary to address G-Talk's attempts to connect to any Google-owned IP. The chance of over-blocking HTTPS search sites is small (it's unclear why a web-search site would be HTTPS), but it could be addressed with a more complex policy.

Example policy for step two:

    <SSL-Intercept>
    server.certificate.hostname.category=("Chat/Instant Messaging", "Search Engines/Portals") ssl.forward_proxy(https)

Deploying a certificate to client computers is not necessary, as the goal is to deny this traffic.

Finally, configure denials for port 5222 and the Google Talk client. The Gmail chat interface uses AJAX calls to "/mail/channel/bind" to log a user into G-Talk and retrieve the login status of friends.
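
To check that the three steps above actually block the traffic, the following added example (not part of the original post) scans a ProxySG-style ELFF access log for requests to port 5222 or to "/mail/channel/bind" that were not denied. The log lines are constructed, and the field subset and the use of `sc-filter-result` = `DENIED` as the block indicator are assumptions about the local log format.

```python
import shlex

# Constructed sample log (ELFF layout); the field subset is an assumption.
SAMPLE_LOG = '''\
#Software: SGOS
#Fields: date time c-ip sc-filter-result cs-categories cs-method cs-host cs-uri-port cs-uri-path
2012-04-27 09:00:01 10.0.0.15 DENIED "Chat/Instant Messaging" CONNECT talk.google.com 5222 /
2012-04-27 09:00:04 10.0.0.15 DENIED "Search Engines/Portals" CONNECT www.google.com 443 /
2012-04-27 09:00:09 10.0.0.22 OBSERVED "Email" POST mail.google.com 443 /mail/channel/bind
2012-04-27 09:00:12 10.0.0.22 OBSERVED "Email" GET mail.google.com 443 /mail/
2012-04-27 09:00:20 10.0.0.31 OBSERVED "none" CONNECT 192.0.2.10 5222 /
'''

GTALK_PORT = "5222"                     # port named in the article
GMAIL_CHAT_PATH = "/mail/channel/bind"  # Gmail chat AJAX endpoint named in the article


def parse_elff(text):
    """Yield one dict per record, taking column names from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = shlex.split(line)  # keeps a quoted category list as one value
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def gtalk_reason(rec):
    """Return why a record counts as Google Talk traffic, or None if it does not."""
    if rec.get("cs-uri-port") == GTALK_PORT:
        return "port 5222"
    if rec.get("cs-uri-path", "").startswith(GMAIL_CHAT_PATH):
        return "gmail chat bind"
    return None


def policy_gaps(text):
    """Return (client, host, reason) for Google Talk traffic that was not denied."""
    gaps = []
    for rec in parse_elff(text):
        reason = gtalk_reason(rec)
        if reason and rec.get("sc-filter-result") != "DENIED":
            gaps.append((rec["c-ip"], rec["cs-host"], reason))
    return gaps


if __name__ == "__main__":
    for client, host, reason in policy_gaps(SAMPLE_LOG):
        print(f"not blocked: {client} -> {host} ({reason})")
```

An empty result after the policy is installed means no observed Google Talk request got through; any entry points at a client or path the denial rules in step three still miss.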
