Skyhigh Security

URL Filtering Using an IFP Proxy

URL filtering can be performed on requests for web access that are submitted under the IFP protocol.

To perform URL filtering on such requests, you need to:

  • Set up an IFP proxy.
  • Implement suitable filtering rules.

Filtering activities for IFP requests are displayed on the dashboard of the user interface. Connection tracing can also be performed for these activities.

Setting up an IFP proxy

To process and filter requests for web access that users submit from their client systems under the IFP protocol, the proxy functions of the appliance must be appropriately configured. An IFP proxy must be set up that intercepts these requests and makes them available for URL filtering.

To set up the proxy, you need to specify a number of settings on the user interface under Configuration | Proxies.
These settings include:

  • Enabling or disabling the proxy
  • List of proxy ports, specifying for each proxy:
    • IP address and port number
    • Message mode (indicates whether a block message is sent as a redirect or as a normal message under the IFP protocol)
  • Maximum number of concurrent IFP requests
    Using this setting, you can prevent an overloading of the IFP proxy.

Rules for filtering IFP requests

There is no default or library rule set for controlling the process of filtering IFP requests. However, you can create a rule set of your own and also make use of the IFP proxy functions in existing rule sets.

When creating a rule set for filtering IFP requests, you need to specify use of the IFP protocol as the rule set criteria to ensure the rule set is applied to requests that are submitted under this protocol. This is achieved by including the Connection.Protocol property in the criteria and configuring the IFP protocol as its operand.

As the IFP protocol covers only requests, you can exclude filtering responses and embedded objects as activities that the rule set should apply to.

The rules in the rule set can be the same as in the default URL Filtering rule set.

Best practice: If you want to perform URL filtering only for requests sent under the IFP protocol, delete the default URL Filtering rule set and use only the IFP filtering rule set that you have created in the way described here.

Using the IFP proxy functions in existing rule sets can be an option, for example, if you have authentication implemented for requests submitted under various other protocols and want to add authentication for IFP requests.

The Authentication Server (Time/IP-based Session) library rule set contains an embedded rule set with rules that check whether there is already an authenticated session for the client that a request is received from. If there is none, a rule redirects the request to the authentication server.

The embedded rule set covers protocols such as HTTP or HTTPS. Using the Connection.Protocol property, you can extend the criteria to include the IFP protocol.

Restrictions for IFP filtering

When using an IFP proxy for filtering URLs, you should be aware of the following restrictions:

  • Limited use of SafeSearch Enforcer

    When performing IFP filtering, the SafeSearch Enforcer only works for filtering search requests that are carried out using Google.

    The reason for this is that only Google uses URLs for submitting the search criteria while all other search providers use cookies. However, cookies cannot be processed by the IFP proxy on an appliance.
     
  • HTTP proxy required for some functions

    An HTTP proxy must be set up in addition to the IFP proxy if you want to do the following:

    • Redirect IFP requests that are blocked due to a filtering rule to a blocking page to let a block message appear on the client of the user who sent the request.
    • Authenticate users on the appliance by having their credentials verified on the internal authentication server.
    • Restrict web usage of users by implementing the Time Quota library rule set.

IFP filtering activities on the dashboard

The dashboard on the user interface provides information on several IFP filtering activities.

  • Number of IFP requests processed

    This information is shown under Web Traffic Summary | Requests per protocol.
     
  • Domains to which access was requested most often (counting the number of requests)

    These requests can include requests that were submitted under the IFP protocol.

    This information is shown under Web Traffic | Top Level Domains by Number of Requests.
     
  • Websites that were most often the destinations of requests (counting the number of requests)

    These requests can include requests that were submitted under the IFP protocol.

    This information is shown under Web Traffic | Destinations by Number of Requests.

Connection tracing for IFP filtering activities

Connection tracing can be performed for filtering IFP requests.

When connection tracing is enabled, connection tracing files are created and stored. They can be accessed on the user interface under the Troubleshooting top-level menu.
