
Wednesday 26 November 2014

Unauthorised access to HTTP and HTTPS traffic

Unauthorized HTTP and HTTPS Traffic Blocked on Port

ContentProtect Security Appliance can block proxy servers from redirecting unauthorized HTTP and HTTPS traffic to non-standard ports, which is generally an attempt to bypass filtering on the appliance. This is especially helpful when an organization has users running Filter Avoidance Programs to bypass the filtering system of ContentProtect Security Appliance so that they can reach more web sites without being detected.

 


Contact: Customer Support for help with technical questions.

Standard Ports

The following are the standard ports used by ContentProtect Security Appliance when Anonymous Proxy Guard is enabled. HTTP or HTTPS traffic redirected to any port not listed below is treated as using a non-standard port and is blocked.

Port 80 - HTTP
Port 8080 - Proxy Servers
Port 443 - HTTPS

How Anonymous Proxy Guard Works

If ContentProtect Security Appliance recognizes that HTTP traffic is trying to use port 5000, it considers the traffic unauthorized, because someone has sent a web request to a non-standard port, thus bypassing the filter. ContentProtect Security Appliance blocks the traffic and sends a Blocked Website message back to the user. The user message also includes the port that the traffic was attempting to access. By default, Anonymous Proxy Guard only uses the standard ports for HTTP and HTTPS traffic. It is possible that a user could send a valid web request over a non-standard port. In this case, you must add an exception to the Traffic Flow Rule Set to send the web request through the web filter so that future web requests reach the destination host successfully.

Note: Even though the message says unauthorized HTTP traffic was blocked, HTTPS traffic could also have been blocked.
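As an added illustration (not ContentProtect's own code), the port policy described above can be sketched in Python: inspect the first bytes of a flow for an HTTP request line or a TLS ClientHello, then apply the standard-port list. The function names, the `exceptions` parameter, the message wording and the sample payloads are assumptions constructed for this example.

```python
import re

STANDARD_PORTS = {80: "HTTP", 8080: "Proxy Servers", 443: "HTTPS"}  # from the page

# HTTP/1.x request line: METHOD SP target SP HTTP/1.0|1.1 CRLF
_HTTP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")


def sniff_protocol(payload: bytes):
    """Classify the first bytes of a TCP stream as 'http', 'https' or None."""
    if _HTTP_REQ.match(payload):
        return "http"
    # TLS record: type 0x16 (handshake), version 0x03 0x00-0x04,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "https"
    return None


def decide(dst_port: int, payload: bytes, exceptions=frozenset()):
    """Return (action, message) for one new flow.

    exceptions: ports an administrator has explicitly sent to the web filter
    (hypothetical stand-in for the custom application described on the page).
    """
    if sniff_protocol(payload) is None:
        return ("not-web", "")  # not recognizable HTTP/HTTPS: outside this check
    if dst_port in STANDARD_PORTS or dst_port in exceptions:
        return ("web-filter", "")
    # As the page notes, the message says HTTP even when HTTPS was blocked.
    return ("block", f"Unauthorized HTTP traffic blocked on port {dst_port}")


# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"

if __name__ == "__main__":
    for port, data in [(80, HTTP_GET), (5000, HTTP_GET), (6666, TLS_HELLO),
                       (22, SSH_BANNER)]:
        print(port, decide(port, data))
    print(5000, decide(5000, HTTP_GET, exceptions={5000}))
```

Traffic that is neither plain HTTP nor a TLS handshake falls through as `not-web` here, which is why encrypted tunnelling over non-standard ports is harder to classify than this sketch suggests.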

The following graphic shows a URL that is attempting to send HTTP traffic through port 6666. Some URLs have the port redirection embedded in them, and the port may not appear in the address.

Filter Avoidance Programs

There are several programs available on the market that allow users to bypass the filtering rules on ContentProtect Security Appliance by sending HTTP and HTTPS traffic through a proxy server. Some programs may even encrypt the HTTP and HTTPS traffic, which makes it much more difficult to determine what type of traffic is trying to access the non-standard ports. Some requests could be valid, but most are not. In any case, you want to create a signature that forces web requests to the standard ports so that they go through the Web Filtering system on ContentProtect Security Appliance.

Example: If a student in Palo Alto, West Coast school district uses the program Ultrasurf to bypass filtering by sending web requests over non-standard ports, then you can resolve the filtering avoidance issue by blocking all ports except the standard ports, 80, 8080, and 443.

Creating a Custom Signature for HTTP and HTTPS Traffic

When Anonymous Proxy Guard is enabled, a user may be blocked from accessing a valid site because the site is redirecting its traffic over a non-standard HTTP, HTTPS, or proxy server port.

Allowing web requests over non-standard ports when Anonymous Proxy Guard is enabled requires creating a custom signature so that the HTTP and HTTPS traffic goes through the Web Filter before going to the non-standard port.

To create a custom signature for HTTP and HTTPS traffic:

1. From ContentProtect Security Appliance, select Manage > Policies & Rules > Policy Manager.
2. Click a Group on the Policy Manager page to find out what Internet Usage Rule has been assigned.
3. From ContentProtect Security Appliance, select Manage > Policies & Rules > Internet Usage Rules.
4. Click on the Internet Usage Rule assigned to the Group that you want to change.
5. Write down the name of the Traffic Flow Rule Set (TFRS) used for the Internet Usage Rule.

   Anonymous Proxy Guard is only enabled when using a TFRS that contains the name Anonymous Proxy Guard.

6. From ContentProtect Security Appliance, select Manage > Applications > Applications.
7. Click Create.
8. Enter a Name for the new application, which also appears in the application reports.
9. Enter a Description for the new application.
10. Select HTTP as the Application Set from the drop-down list.
11. Select Source and Destination Port as the Type from the drop-down list.
12. Enter the port number for the Value.
13. Select TCP as the Protocol from the drop-down list.
14. Select Web Filter as the Target from the drop-down list.
15. Click Save.
