IC Control can block proxy servers from redirecting unauthorized HTTP and HTTPS traffic to non-standard ports, which is generally an attempt to bypass filtering on the appliance. This is especially helpful when an organization has users running Filter Avoidance Programs to bypass the IC Control filtering system so that they can reach additional web sites without being detected.
The following are the standard ports used by IC Control when Anonymous Proxy Guard is enabled. Any HTTP or HTTPS traffic redirected to a port not listed below is treated as traffic to a non-standard port and is blocked.
- Port 80 - HTTP
- Port 8080 - Proxy Servers
- Port 443 - HTTPS
How Anonymous Proxy Guard Works
If IC Control recognizes HTTP traffic trying to use port 5000, it treats the traffic as unauthorized: someone has sent a web request to a non-standard port, thereby bypassing the filter. IC Control blocks the traffic and sends a Blocked Website message back to the user; the message includes the port that the traffic was attempting to use. By default, Anonymous Proxy Guard allows HTTP and HTTPS traffic only on the standard ports. A user could legitimately send a valid web request over a non-standard port. In that case, you must add an exception to the Traffic Flow Rule Set that sends the web request through the web filter, so that future web requests to that port reach the destination host successfully.
Note: Even though the message says unauthorized HTTP traffic was blocked, HTTPS traffic could also have been blocked.
The following graphic shows that the URL address is attempting to send HTTP information through port 6666. Some URL addresses have the port redirection embedded in the URL and may not appear in the addresses.
Filter Avoidance Programs
There are several programs available on the market that allow users to bypass the filtering rules on IC Composer by sending HTTP and HTTPS traffic through a proxy server. Some programs also encrypt the HTTP and HTTPS traffic, which makes it much more difficult to determine what type of traffic is reaching the non-standard ports. Some of these requests could be valid, but most are not. In any case, create a signature that forces web requests onto the standard ports and through the Web Filtering system on IC Control.
Example: If a student in the Palo Alto, West Coast school district uses the program Ultrasurf to bypass filtering by sending web requests over non-standard ports, you can resolve the filter avoidance issue by blocking all ports except the standard ports, 80, 8080, and 443.
When Anonymous Proxy Guard is enabled, a user may be blocked from accessing a valid site because the site redirects its traffic over a non-standard HTTP, HTTPS, or proxy server port.
Allowing web requests over non-standard ports when Anonymous Proxy Guard is enabled requires creating a custom signature so that the HTTP and HTTPS traffic goes through the Web Filter before going to the non-standard port.
To create a custom signature for HTTP and HTTPS traffic
- From IC Control, select Manage > Policies & Rules > Policy Manager.
- Click a Group on the Policy Manager page to find out what Internet Usage Rule (renamed Webfilter Rule Version 9.5 and above) has been assigned.
- From IC Control, select Manage > Policies & Rules > Internet Usage Rules (renamed Webfilter Rule Version 9.5 and above).
- Click on the Internet Usage Rule (Webfilter Rule) assigned to the Group that you want to change.
- Write down the name of the Traffic Flow Rule Set (TFRS) ("Application rules" in 9.5 and above) used for the Internet Usage Rule (Webfilter Rule).
Anonymous Proxy Guard is only enabled when using a TFRS that contains the name Anonymous Proxy Guard.
- From IC Control, select Manage > Applications > Applications.
- Click Create.
- Enter a Name for the new application, which also appears in the application reports.
- Enter a Description for the new application.
- Select a Traffic Flow Rule Set ("Application rules" in 9.5 and above) from the drop-down list.
The rule set you select must have Anonymous Proxy Guard included in your selection.
- Select HTTP as the Application Set from the drop-down list.
- Select Source and Destination Port as the Type from the drop-down list.
- Enter the port number for the Value.
- Select TCP as the Protocol from the drop-down list.
- Select Web Filter as the Target from the drop-down list.
- Click Save.
Note: If more than one non-standard port is being blocked, you must create a new application for each port that you want to unblock.
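The following is an added example, not IC Control code or any vendor logic: a small Python model of the port decision described under "How Anonymous Proxy Guard Works" and of the per-port exceptions that the custom-signature procedure above creates. It extracts the destination port from a URL (explicit, as in the port-6666 graphic, or implied by the scheme), allows only the standard ports 80, 8080 and 443 unless a port has been excepted, and produces a Blocked Website style message that names the port. The function names, the wording of the message beyond "Blocked Website", and the sample URLs are assumptions constructed for the example.

```python
"""Model of an Anonymous-Proxy-Guard-style port check (added example, not vendor code).

Everything here other than the three standard ports and the phrase
"Blocked Website" is an assumption: the function names, the exception
model and the sample URLs are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from typing import Iterable
from urllib.parse import urlsplit

# Standard ports the page lists for web traffic when the guard is enabled.
STANDARD_PORTS = {80: "HTTP", 8080: "Proxy Servers", 443: "HTTPS"}

# Default port when a URL carries no explicit port.
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443}


def destination_port(url: str) -> int:
    """Return the TCP port a web URL targets, explicit or implied by its scheme."""
    parts = urlsplit(url)
    if parts.scheme not in SCHEME_DEFAULT_PORT:
        raise ValueError(f"not a web URL: {url}")
    # urlsplit raises ValueError itself on a non-numeric port; let that propagate.
    if parts.port is not None:
        return parts.port
    return SCHEME_DEFAULT_PORT[parts.scheme]


def check_request(url: str, exceptions: frozenset[int] = frozenset()) -> tuple[str, str]:
    """Decide what the guard does with one web request.

    Returns (action, detail). action is "web-filter" when the request is
    handed to the Web Filter (standard port, or a port an administrator has
    excepted) and "block" otherwise, with a Blocked Website style message
    that names the port, as the page says the user message does.
    ``exceptions`` models the per-port custom signatures created through
    Manage > Applications (one application per port).
    """
    port = destination_port(url)
    if port in STANDARD_PORTS:
        return "web-filter", f"standard port {port} ({STANDARD_PORTS[port]})"
    if port in exceptions:
        return "web-filter", f"excepted non-standard port {port} (custom signature)"
    return "block", f"Blocked Website: unauthorized HTTP traffic to non-standard port {port}"


# Constructed sample traffic, not real log data.
SAMPLE_REQUESTS = [
    "http://intranet.example.test/",
    "https://bank.example.test/login",
    "http://proxy.example.test:8080/cache",
    "http://evasion.example.test:6666/",
    "http://evasion.example.test:5000/",
    "http://evasion.example.test:5000/again",
    "https://vendor.example.test:8443/api",
]


def blocked_port_summary(urls: Iterable[str], exceptions: frozenset[int] = frozenset()) -> dict[int, int]:
    """Count blocked requests per non-standard port.

    A port that repeatedly shows up here with legitimate traffic is a
    candidate for a per-port custom signature; ports used only by filter
    avoidance programs stay blocked.
    """
    counts: Counter[int] = Counter()
    for url in urls:
        action, _ = check_request(url, exceptions)
        if action == "block":
            counts[destination_port(url)] += 1
    return dict(counts)


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        action, detail = check_request(url, exceptions=frozenset({8443}))
        print(f"{action:10s} {url:45s} {detail}")
    print("blocked per port (no exceptions):", blocked_port_summary(SAMPLE_REQUESTS))
```

Running the block with port 8443 excepted passes the vendor API request to the Web Filter while the port 5000 and 6666 requests are still blocked, which mirrors the page's note that each unblocked port needs its own application entry.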