Websense and HTTPS

[packnet]

We currently use Websense content filtering in conjunction with some PIX firewalls and also using our NetCache proxy servers using the ICAP protocol.

I'm currently uncertain if we're filtering HTTPS requests, at least by FQDN.

We're migrating to NGX HFA3 and using UFP to connect to Websense.

Is there any way at all to use FW-1 and Websense together to provide filtering of HTTPS requests? Does Websense support this at all, using at least the unencrypted portion of the request?

My fear is that Moore's law is going to catch up with us, and every pr0n site on the Internet is going to have HTTPS sites to bypass content filtering.

[packnet]

Well, I actually found something useful on Checkpoint's site (that doesn't happen often), but it's not what I wanted to hear.

We want to avoid browser configurations, we were hoping this solution could be transparent.

If anyone has done any clever work-arounds, I'd be interested to know. We have WAY too many desktops to want to go through this, even via GPO.

This procedure configures the HTTP Security Server to work with HTTPS:

1) Define a Security Server for https reject rule:
Set resource to "Enforce URI capabilities".
Select all in connection methods (including Tunneling).
Set the URI type to UFP.
Set the Match Action to "Blocked".

NOTE: When the warning pops up, click "OK".

2) Define an accept rule for https.

3) In Global properties > SmartDashboard Customization > Advanced Configuration > Configure > FireWall-1 > Web Security > HTTP Protocol:

Check http_connection__method_proxy and http_connection_method_tunneling.

4) In each client browser, define the FW-1 as a proxy.

For Internet Explorer, open a browser. Select Tools->Internet Option->Connections->Lan settings->Proxy server Advance. In Security, define the FW-1 address and port (443).

5) Install the Policy.