Scope:
All Barracuda Web Filters, firmware versions 3.3 and above.
Answer:
As of firmware version 3.3, the Barracuda Web Filter can filter HTTPS in addition to regular HTTP traffic with no additional certificates or other configuration. Both HTTP and HTTPS traffic can be detected by content category filters, domain filters, and URL pattern blacklists, as well as by the blocking exceptions for all Web traffic, content category filters, domain filters, and URL pattern blacklists. HTTPS filtering is disabled by default.
There are some limitations with HTTPS traffic filtering:
- When HTTPS access is denied, users will not be presented with a block page.
- If HTTPS access to a particular domain name is denied, HTTPS access to any subdomain under that same domain will also be denied for the same user(s).
Because the Barracuda Web Filter only sees the IP address of encrypted HTTPS packets, it is not able to read the URL and therefore does not apply any URL pattern filters to the file path of HTTPS traffic. It can, however, apply URL patterns to the base domain because the Barracuda Web Filter maintains a database of IP-to-domain associations. The Web Filter will still use all content category filters, custom categories, and domain lists normally.
When traffic is encrypted over HTTPS, the Barracuda Web Filter is unable to see the domain being accessed because of the confidentiality offered by SSL. To get around this issue and to be able to apply policy to HTTPS traffic, the Barracuda Web Filter monitors IP and domain associations and performs reverse look-ups. When HTTPS filtering is enabled, the Barracuda Web Filter maintains a table of IP address and domain associations in its database. When it sees an HTTPS request to a particular IP address, it compares that address to the table to determine which domain is being accessed and applies policy accordingly.
With HTTPS filtering, the Barracuda Web Filter does not control the TCP connection; it only monitors the traffic and blocks or allows the packet to pass. Therefore a block page is not presented when a page is blocked due to policy. A block page is only available when the connection is processed by the Barracuda's proxy engine. If this functionality is required, please consider utilizing the SSL Inspection feature if supported on your Barracuda Web Filter model. This is offered on 310s and above. More information on SSL Inspection can be found in our TechLib article here.
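The following Python sketch is an added example, not Barracuda code. It models the IP-to-domain look-up described above: the decision takes only a destination IP address, so URL paths are never consulted, and a denied domain also denies its subdomains. The class and function names, the sample addresses and domains, and the "no-match" result for an IP address missing from the table are assumptions.

```python
# Added illustration, not Barracuda code. Names, sample data, and the
# "no-match" result for an unknown IP are assumptions.
from dataclasses import dataclass, field


@dataclass
class HttpsFilter:
    blocked_domains: set
    ip_to_domain: dict = field(default_factory=dict)

    def learn(self, ip, domain):
        """Record an IP/domain association (seen in traffic or via reverse look-up)."""
        self.ip_to_domain[ip] = domain.lower().rstrip(".")

    def domain_denied(self, domain):
        """A denied domain also denies every subdomain beneath it."""
        labels = domain.split(".")
        return any(".".join(labels[i:]) in self.blocked_domains
                   for i in range(len(labels)))

    def decide(self, dst_ip):
        """Decide on an HTTPS packet from its destination IP alone.

        No URL path is available, so path-level URL patterns cannot apply,
        and a "drop" is silent: the client gets no block page.
        """
        domain = self.ip_to_domain.get(dst_ip)
        if domain is None:
            return ("no-match", None)  # assumption: the page does not cover this case
        if self.domain_denied(domain):
            return ("drop", domain)
        return ("pass", domain)


def demo_filter():
    """Constructed sample table using documentation-range addresses."""
    f = HttpsFilter(blocked_domains={"example.com"})
    f.learn("192.0.2.10", "mail.example.com")
    f.learn("198.51.100.7", "example.org")
    return f


if __name__ == "__main__":
    f = demo_filter()
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, f.decide(ip))
```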
Link to This Page:
https://campus.barracuda.com/solution/50160000000H9tKAAS