You can use the Smoothwall Filter and Firewall to block access to HTTPS proxy sites or prevent HTTPS proxy software like UltraSurf bypassing the Smoothwall Filter.
Web filters are becoming increasingly popular, and are used to restrict a user's internet access to certain types of content. This has led to the creation of numerous proxy websites and proxy software applications designed to bypass web filters such as Guardian.
UltraSurf is one example of an application that bypasses web filters to gain access to sites that would otherwise be blocked. When someone uses a proxy website or application to request content, the proxy will contact a server which will then retrieve the requested content before returning it to the user, typically through an HTTPS connection. Because HTTPS traffic is encrypted, the content can't be seen by web filters and therefore no policies can be applied to the content. As more and more proxies are created on a daily basis, each becoming more complex and more efficient at bypassing web filters, simply blocking access to these services using domain or URL filtering alone is not particularly efficient.
Filter
- Make sure that all clients are going through a transparent proxy with HTTPS support enabled, see our help topic, Creating authentication policies. Note: This might cause issues for other software applications which do not have support for this type of setup.
- The Web proxies category is blocked by default as it is part of Core Blocked Content web filter policy, see our help topic, Managing web filter policies. You should add a block policy if you do not have one for either Web proxies or Core Blocked Content.
- Create an HTTPS inspection policy that validate the certificate, see our help topic, Creating HTTPS inspection policies. This ensures that any site visited must present a valid HTTPS certificate.
- As an alternative, you can create an HTTPS inspection policy to Decrypt and inspect HTTPS requests through the web filter. However, this requires that the certificate used by the Filter is installed on each of the client machines, see our help topic, Managing HTTPS inspection settings.
Firewall
Additionally, you can control access to ports using a firewall. If you are using the Smoothwall Firewall, you do this on the Firewall rules page, see our help topic, Adding new Smoothwall Firewall rules.
Proxies will typically attempt to connect to their servers on port 80 or 443. If this fails, then some applications have the ability to use other ports. The following details ports predominately used by proxy bypass software:
| Proxy | Ports | Additional Notes | Last Checked |
|---|---|---|---|
| Betternet | 1194, 5228, 7268, 9110 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only | 20th June 2019 |
| CyberGhost | 8078 | 20th June 2019 | |
| F-Secure Freedome VPN | 500, 2744 | 31st January 2018 | |
| Freegate | 1024 - 65535 | March 2017 | |
| freevpn.og | 8010 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only | 20th June 2019 |
| GPass | 1024-65535 | January 2017 | |
| Hexatech | 5228, 9110 | 20th June 2019 | |
| Hideman VPN | 500, 995 | 31st January 2018 | |
| HotSpot Shield | 105, 179, 465, 990, 1024-65535 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only | 20th June 2019 |
| Kiwi VPN | 1194 | 24th June 2019 | |
| Opera Free VPN | 1194, 5353 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only | 20th June 2019 |
| PrivitizeVPN | 1723 |
January 2017 |
|
| Private Internet Access VPN |
UDP port 51820 (Wireguard) TCP port 1337 TCP/UDP ports 49152 - 65535 (High Ports) TCP/UDP port 8080 (HTTP-ALT) TCP/UDP port 853 (DNS over TLS) UDP 53 (DNS) UDP 123 (NTP) |
November 2021 |
|
| Secure VPN | 82, 115, 500, 910, 4500 | 24th June 2019 | |
| Security Kiss | 123, 5000, 5353 | 20th June 2019 | |
| SetupVPN | 3000 | 24th June 2019 | |
| Snap VPN | 500 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| SpeedVPN | 7, 1024-65535 | 20th June 2019 | |
| Spotflux | 443 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | January 2017 |
| Surf VPN | 9970-9979 | 24th June 2019 | |
| Thunder VPN | 53, 81, 465, 802, 936 | 24th June 2019 | |
| Tor | 1024-65535 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| TunnelBear | 7011 | 20th June 2019 | |
| Turbo VPN | 500 | 24th June 2019 | |
| VPN Monster | 23, 25, 66, 110, 119 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| VPNGate | 500, 992, 995, 1024-65535 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| VPN360 | UDP 443, 500, 4000 | 24th June 2019 | |
| Yoga VPN | 5000, 8000, 52000 | Will attempt to connect on port 80 or 443 so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 21st June 2019 |
|
Windscribe
|
UDP ports: 80, 443. TCP and UDP ports: 500, 1194, 4500, 5228, 54783 | Attempts to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only. |
21st June 2019 |
|
Wireguard |
Default: UDP 51820 High ports: 49152:65535 |
Attempts UDP 51820 connection first, otherwise it falls back to trying to use high ports. As long as firewall is locked down and high ports blocked it should not work. |
17th June 2021 |
| X-VPN | This proxy uses a range of different ports (including 21, 25 and 53), you will need to lock down your firewall and only open ports that are necessary | Attempts to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to their Decrypt and inspect or Validate certificate only. | 26th June 2019 |
Blocking UltraSurf
UltraSurf is a proxy application installed locally on user's devices. Users then configure their browsers to point to the local proxy. The UltraSurf proxy sends outgoing traffic to HTTPS sites using IP addresses. This is still the case when UltraSurf sends out traffic directly to port 443 (HTTPS), or when UltraSurf is set to use an upstream proxy.
So, what can be done?
- Block the installation and execution of the UltraSurf application using domain-wide security policies
- Set proxy settings in a security policy so users cannot override them
These are basic recommendations when blocking UltraSurf traffic. Users may still get around security policies by using non-domain-managed devices, or those devices where the user themselves has administration rights.
Server Name Indication (SNI) adds to the HTTPS Transport Layer Security (TLS) handshake to indicate to the proxy which domain the traffic is destined for. SNI is used by the Guardian web filter when transparently intercepting HTTPS traffic.
Additional actions for the Guardian web filter:
- It is recommended you create a transparent web proxy authentication policy which blocks HTTPS traffic that does not present an SNI header. See our help topic, Creating authentication policies.
- Enable additional heuristics to block advanced proxy bypass tools. See our help topic, Configuring the web proxy.
Note: The two options, shown above, may also block legitimate applications from working if they use the same type of traffic as UltraSurf, such as, some cloud-based services. Without SNI information, Guardian is unable to easily differentiate between UltraSurf and non-UltraSurf traffic using any parameters other than destination IP addresses.