How can I block Ultrasurf using the ProxySG appliance?

Solutions ID:    KB5114
Version:    1.0
Status:    Published
Published date:    05/10/2012

Problem Description

Ultrasurf is an Internet based privacy and security tool designed to circumvent network security/surveillance. The ProxySG alone cannot block Ultrasurf, since it is able to utilize UDP in order to connect to the Ultrasurf network. You'll need to use a multi-layered approach to network security in order to block Ultrasurf.


The following conditions will need to be met before Ultrasurf can be blocked:

  • Ensure all UDP traffic from the client is blocked by a firewall.
  • Transparently intercept all TCP traffic from the client by using the Default service on the ProxySG. Enable Detect Protocol on this service.
  • Delete all services that are not in use, or Intercept them by enabling Detect Protocol. This ensures Ultrasurf doesn't switch to a port that the ProxySG bypasses by default.
  • Ensure you have a valid SSL license.

The ProxySG will intercept Ultrasurf traffic and detect it as SSL. However, since it's not an SSL protocol that the ProxySG fully understands, the connection will be dropped. This occurs for every port Ultrasurf tries via TCP.

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question