This article applies to organisations with an On-Premise setup, and those with a 'Hybrid' setup (both On-Premise Appliance and Cloud).
This article is for organisations that use an On-Premise Appliance to filter unmanaged Bring-your-own (BYO) devices rather than Cloud Filter, and don’t currently use HTTPS inspection.
Encrypted Client Hello (ECH) encrypts the Server Name Indication (SNI) in the TLS handshake, so a filter that relies on the plaintext domain name can no longer see which site a browser is connecting to. This article explains how to stop browsers with ECH enabled from bypassing filtering.
Note
You can turn off ECH in Chrome or Edge by setting the TlsEncryptedClientHelloEnabled policy to false. However, the setting has to be applied on each individual device. You can push it with a Group Policy, but users of unmanaged devices can switch ECH back on at will, so we recommend following the steps below instead.
Before you begin
- Prevent QUIC on your devices. QUIC (HTTP/3) runs over UDP port 443, so traffic that uses it bypasses TCP-based HTTPS filtering.
- Block DNS over HTTPS (DoH) by creating a Web Filter Policy with DNS over HTTPS in the What field and Block as the Action. DoH encrypts DNS queries inside HTTPS, which makes it harder to inspect domains and filter content, and lets a browser fetch ECH configuration from a resolver you don't control.
Use HTTPS Inspection
HTTPS Inspection stops ECH from bypassing filtering because the appliance terminates the TLS session itself and therefore sees the decrypted request, including the Host header, regardless of what the browser's ClientHello looked like.
- Apply HTTPS Inspection: Ensure you have HTTPS Inspection policies to Decrypt and Inspect and be able to filter all user traffic everywhere.
- Install the HTTPS Inspection Certificate on each device: Users must download and install the Certificate from the getmitm page to ensure they won’t get an HTTPS Certificate error when browsing the web.
If HTTPS Inspection is not possible: Set your Smoothwall Appliance as your DNS server
The Leeds-81 and Maiden-23 updates include a new version of the Smoothwall DNS server that prevents devices from looking up the ECH configuration browsers expect to find in DNS (the HTTPS record), so a device never obtains the key it would need to send an ECH handshake. It falls back to a normal HTTPS request with a plaintext SNI, which Smoothwall Filter can analyse, categorise and take the appropriate filtering action on. This only works if devices actually use the appliance for DNS, which is why blocking DoH (above) matters.
- Update your Smoothwall Appliance to Leeds-81 or Maiden-23, or later.
- Add or remove DNS forwarders:
  - If you have local domains only accessible within your school, or a ‘split-brain DNS’ configuration, use your Active Directory domain controllers as forwarders so that local domains still resolve.
  - Otherwise, use your Internet Service Provider’s DNS or a public resolver such as Google's 8.8.8.8.
- Add a new Smoothwall firewall access rule to Allow devices to access the appliance DNS proxy. Ensure 'DNS Proxy (53)' is accepted on the appropriate interfaces and for the appropriate source IPs.
- Set your Smoothwall On-Premise Appliance as the DNS server for each device. For unmanaged devices this usually means handing it out as the DNS option in your DHCP scope.
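To confirm that the appliance really is withholding ECH configuration, query it for the HTTPS (type 65) record of a domain that publishes ECH and look for the ech SvcParam (SvcParamKey 5 in RFC 9460); a browser only attempts ECH when that parameter is present. The script below is an added example written for this article, not Smoothwall code. It builds a raw DNS query, parses the reply's SvcParams and reports whether ech is advertised. It assumes the resolver answers on UDP port 53 (the 'DNS Proxy (53)' rule above); the resolver address and hostname on the command line, and the sample reply built by build_sample_response, are constructed test inputs, not captured traffic.

```python
"""Report whether a resolver returns an ECH config in HTTPS (type 65) records.

Added example for this article (not Smoothwall code). Queries <resolver> for
<hostname> HTTPS IN, parses the SvcParams and checks for key 5 ("ech").
"""
import socket
import struct
import sys

HTTPS_RRTYPE = 65
# SvcParamKeys from RFC 9460; key 5 carries the ECHConfigList.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn",
                 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_https_query(name, txid=0x1234):
    """Standard query (RD set) with one question: <name> HTTPS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", HTTPS_RRTYPE, 1)


def read_name(msg, off):
    """Read a possibly compressed name at <off>; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) or ".", end if jumped else off


def parse_https_rdata(rdata):
    """HTTPS RDATA = SvcPriority(2) TargetName SvcParams -> (priority, target, params)."""
    priority = struct.unpack(">H", rdata[:2])[0]
    target, off = read_name(rdata, 2)          # TargetName is never compressed
    params = {}
    while off + 4 <= len(rdata):
        key, ln = struct.unpack(">HH", rdata[off:off + 4])
        off += 4
        params[SVCPARAM_KEYS.get(key, "key%d" % key)] = rdata[off:off + ln]
        off += ln
    return priority, target, params


def parse_response(msg):
    """Return the HTTPS records from the answer section as a list of dicts."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x0200:
        raise ValueError("truncated reply; retry over TCP")
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == HTTPS_RRTYPE:
            priority, target, params = parse_https_rdata(rdata)
            records.append({"name": name, "ttl": ttl, "priority": priority,
                            "target": target, "params": params})
    return records


def has_ech(records):
    """True if any HTTPS record advertises an ECH config (a browser will try ECH)."""
    return any("ech" in r["params"] for r in records)


def query_https(resolver, name, timeout=3.0):
    """Send the query to <resolver> on UDP/53 and parse the reply."""
    q = build_https_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return parse_response(data)


def build_sample_response(name, with_ech):
    """Constructed reply (not a capture): one HTTPS record with alpn=h2 and,
    optionally, a placeholder ech value. Lets the parser be exercised offline."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", HTTPS_RRTYPE, 1)
    rdata = struct.pack(">H", 1) + b"\x00"                 # priority 1, target "."
    rdata += struct.pack(">HH", 1, 3) + b"\x02h2"            # alpn = "h2"
    if with_ech:
        ech = b"\x00\x00"                                    # placeholder ECHConfigList
        rdata += struct.pack(">HH", 5, len(ech)) + ech
    answer = b"\xc0\x0c" + struct.pack(">HHIH", HTTPS_RRTYPE, 1, 300, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ech_check.py <resolver-ip> <hostname>")
    recs = query_https(sys.argv[1], sys.argv[2])
    for r in recs:
        print("%s priority=%d target=%s params=%s"
              % (r["name"], r["priority"], r["target"], sorted(r["params"])))
    print("ECH advertised:", has_ech(recs))
```

Run it once against the appliance (for example `python3 ech_check.py <appliance-ip> cloudflare-ech.com`) and once against a public resolver such as 8.8.8.8. After the Leeds-81 or Maiden-23 update the appliance's answer should come back without the ech parameter while the public resolver's still carries it; if both report ECH advertised, devices are not using the appliance for DNS or the update has not taken effect.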
If HTTPS Inspection and changing the DNS server is not possible: Block the ECH category
Block the ECH category if you can’t use HTTPS Inspection and can’t update to or beyond Leeds-81 or Maiden-23.
Blocking the ECH category means you can no longer reach any site that uses ECH, including legitimate sites served through cloudflare-ech.com (Cloudflare's shared ECH public name). Users will see a ‘This site can’t be reached’ message. The only way to unblock such sites is to use HTTPS Inspection or to set Smoothwall as your DNS server.
- Create a Web Filter Policy with Encrypted Client Hello in the What field, with Block as the Action.
- Let us know about any ECH sites we should add to the list through our Blocklist Feedback Form.