I have an ISA enterprise integrated with Websense Web Filtering Solution.
We need to block (outbound) all SSL VPN traffic initiated across the proxy, but we need to allow normal https sites. In other words, we need to block all the public SSL sites (Citrix SSL VPN or Portal Published via IAG / UAG).
The only option available in ISA as of now is to create a Domain Name Set and add all the SSL VPN sites and these sites will be accessed directly. However, I don't want to go with this option as we don't have the exact SSL VPN URLs. There could be around 1000s of URLs.
In Websense, we can do protocol filtering for https. Blocking https in Websense will block all the SSL VPN traffic as well as https traffic.
Does ISA have the intelligence to block SSL VPN traffic and allow only normal https?
From: Taylorville, IL
You're treating it like SSL-VPN is something special,...some "new & unique" kind of traffic and that the other is "normal SSL". It is not. SSL-VPN is not even "traffic" to begin with,...SSL is the traffic,...VPN is just what you do with it.
So it is just SSL (HTTPS),...that is all it is,...there is only one kind of SSL,...and there is no way to distinguish it from any other SSL traffic.
URLs? URLs are just simply not even part of the conversation and do not,..can not,...and will never,....be applied to SSL traffic because the URL portion of the string is encrypted in the SSL packets and cannot be read by the ISA,..hence no decisions can be based on its contents. The URL is the part after the ".com",...the Domain Name is the part before and including the ".com". They are two entirely different things. Domain Name Sets are for Domain Names and URL Sets are for URLs. You cannot use URL Sets with HTTPS,...you can only use Address Sets, Computer Sets, and Domain Name Sets.
So the bottom line,...blocking by Domain Name (Domain Name Set) or by IP# (Address Set) is your only real option.
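
To illustrate the reply above, here is an added example (not part of the original thread and not ISA's own code) of what a forward proxy can see of an HTTPS request when it does not decrypt the traffic: the `CONNECT host:port` line only, which is why a name list or an address list is all it can match on. The blocked entries, the `*.suffix` wildcard semantics and all function names are assumptions made for the sketch, and it assumes clients reach HTTPS sites through the proxy with `CONNECT`.

```python
import ipaddress

# Constructed sample data: hypothetical blocked entries, not taken from the thread.
BLOCKED_DOMAINS = {"vpn.example.net", "*.sslvpn.example.org"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1'.

    This is all a non-decrypting proxy learns about the HTTPS request:
    there is no path or query string to compare against a URL list.
    """
    method, target, _version = request_line.split()
    if method.upper() != "CONNECT":
        raise ValueError("not a tunnel request")
    host, _, port = target.rpartition(":")
    return host.strip("[]").lower().rstrip("."), int(port)


def domain_matches(host, entries):
    """Exact match, or '*.suffix' match on a whole-label boundary."""
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] is ".suffix"
                return True
        elif host == entry:
            return True
    return False


def decide(request_line):
    """Deny if the tunnel target is in the name list or the address list."""
    host, _port = parse_connect(request_line)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Target is a name: only the domain-name list applies.
        return "deny" if domain_matches(host, BLOCKED_DOMAINS) else "allow"
    # Target is an IP literal: only the address list applies.
    return "deny" if any(addr in net for net in BLOCKED_NETS) else "allow"
```

A gateway whose name or address is not on either list is allowed, since nothing else in the tunnel request identifies it.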