How do I control Web 2.0 and Mobile applications in my network?

Solutions ID: KB4784
Version: 4.0
Status: Published
Published date: 12/01/2011
Updated: 06/13/2012
 

Problem Description

Web traffic today is diverse. To effectively manage the content that users in your network can access, you can allow or block access to content using Web categories, Web applications and Web operations.

You can also control access to Web content using a URL or domain name. In today’s Web milieu, this is not an effective solution because the elements of a Web site are served from multiple URLs or domains. Blocking specific URLs is effective only when you know that the content is always served from a specific domain or URL.

 

Resolution

To allow reasonable access to Web content, you need to create policy that combines categories, applications, and operation controls. This means that you can allow access to certain applications within a category while blocking the category itself, or restrict selected operations across all applications.

Prerequisites for Enabling Web and Mobile Application Control

  • Proxy Edition license (not a MACH5 license)
  • The Blue Coat WebFilter feature must be enabled. (Configuration > Content Filtering > General)
  • A current BCWF database must be downloaded to the ProxySG. (Configuration > Content Filtering > Blue Coat WebFilter)
  • The ProxySG must have one or more Web services, such as External HTTP and HTTPS, set to intercept. Bypassed Web traffic is not classified into applications.

The following application and operation control objects allow you to match against the URL in an HTTP or HTTPS request that the ProxySG appliance receives from clients in the network and create policy to allow or restrict access to the requested action or content:

Request URL Application: The Request URL Application object gives you the ability to block popular Web applications such as Facebook, Linkedin, or Pandora. As new applications emerge or existing applications evolve, BCWF tracks the domains that these Web applications use to serve content, and provides periodic updates to include the new domains that are added. You can use the Request URL Application object to block an application and all the associated domains automatically.
For the applications you have blocked, you do not have to update your policy to continue blocking the new content sources. To block newly recognized applications, you will need to select the new applications and refresh your network policy.

Request URL Operation: The Request URL Operation object restricts the actions a user can perform on a Web application. For instance, when you select the Upload Picture action for the Request URL Operation, you create a single rule that blocks the action of uploading pictures to any of the applications or services where the action can be performed such as Flickr, Picasa, or Smugmug.
When you block by operation, unlike blocking by application, you prevent users in your network from performing the specified operation for all applications that support that operation. They can, however, access the application itself.
Note, however, that the Request URL operation object only pertains to operations for sites that BCWF recognizes as Web applications. So, blocking picture uploads would not prevent users in your network from using FTP to upload a JPEG file to an FTP server, or from using an HTTP POST to upload a picture on a Web site running bulletin board software.

 

Example

Allow users to access Facebook and Linkedin, but block access to other social networking sites. Also, block access to all games, including access to games on Facebook.

  1. Launch the Visual Policy Manager on the ProxySG Management Console. Select Configuration > Policy > Visual Policy Manager, and click Launch.
  2. Create the rules to allow access to Facebook and Linkedin, but restrict access to all other social networking sites. You must define the rule that allows Facebook and Linkedin before the rule that blocks access to other social networking sites.
    1. To allow access to Facebook:
      1. Add a Web Access Layer. Select Policy > Add Web Access Layer.
      2. On the Destination column, right click and select Request URL Application.
      3. Select Facebook and Linkedin from the application list and click OK.
        To filter through the list of supported applications, you can enter the name of the application in the Filter applications by: pick list. Based on your input, the on-screen display narrows the list of applications. You must then select the application(s) for which you want to create rules.
      4. Set Action to Allow.
    2. To restrict access to all other social networking sites:
      1. Select Edit > Add Rule to add a new rule in the same Web Access layer.
      2. On the Destination column, right click and select Request URL Category.
      3. Select the Social Networking category from the list that displays and click OK.
      4. On the Action column, right click and select Deny. Your rules should look like this:

  3. To properly block access to all games, including those on Facebook, you need to create another Web Access layer that defines the rule as follows:
    1. Add a new Web Access Layer. Select Policy > Add Web Access Layer.
    2. On the Destination column, right click and select Request URL Category.
    3. Select the Games category from the list that displays and click OK.

  4. Click Install Policy. You have now installed policy that blocks all games in your network, and permits access to the Facebook and Linkedin applications in the social networking category.
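
The rule order and the separate Games layer in the steps above both matter, and a small model of layered evaluation shows why. This is an added example, not Blue Coat code or policy syntax; it assumes the first matching rule wins within a layer, a later layer overrides an earlier one, and the default policy is allow, and the sample classifications are constructed.

```python
# Simplified model of layered Web Access policy evaluation (added example).
# Assumptions: first matching rule wins inside a layer, a later layer's
# decision overrides an earlier one, and the default policy is allow.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    url: str
    application: Optional[str]   # application name the filter assigned, if any
    categories: frozenset        # categories the filter assigned

@dataclass(frozen=True)
class Rule:
    field: str                   # "application" or "category"
    values: frozenset
    action: str                  # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        if self.field == "application":
            return req.application in self.values
        return bool(req.categories & self.values)

def evaluate(layers, req, default="allow"):
    decision = default
    for layer in layers:                 # layers run top to bottom
        for rule in layer:
            if rule.matches(req):        # first match ends this layer
                decision = rule.action
                break
    return decision

ALLOW_APPS = Rule("application", frozenset({"Facebook", "Linkedin"}), "allow")
DENY_SOCIAL = Rule("category", frozenset({"Social Networking"}), "deny")
DENY_GAMES = Rule("category", frozenset({"Games"}), "deny")

POLICY = [[ALLOW_APPS, DENY_SOCIAL], [DENY_GAMES]]        # as in the steps above
MISORDERED = [[DENY_SOCIAL, ALLOW_APPS], [DENY_GAMES]]    # deny rule listed first
SINGLE_LAYER = [[ALLOW_APPS, DENY_SOCIAL, DENY_GAMES]]    # no separate games layer

# Constructed sample classifications; URLs and labels are illustrative only.
SAMPLES = {
    "facebook": Request("https://www.facebook.com/", "Facebook", frozenset({"Social Networking"})),
    "facebook_game": Request("https://apps.facebook.com/game", "Facebook", frozenset({"Social Networking", "Games"})),
    "other_social": Request("https://social.example/", None, frozenset({"Social Networking"})),
    "news": Request("https://news.example/", None, frozenset({"News"})),
}

def decisions(layers):
    return {name: evaluate(layers, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for label, layers in (("policy", POLICY), ("misordered", MISORDERED), ("single layer", SINGLE_LAYER)):
        print(label, decisions(layers))
```

With the deny rule listed first, Facebook itself is blocked; with the Games rule in the same layer, the Facebook allow rule matches first and games on Facebook get through.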

 

Please Note: The ProxySG appliance can currently identify over 90 Web applications—including Facebook, Twitter, Netflix, Gmail, Amazon, and Google Search—and this list is growing every day. For a current list,
 
