Google SafeSearch and SSL Search for Schools
As many of us have noticed, Google has changed its search behaviour. Google Search now redirects searches to the secure (https) site, e.g. https://www.google.com (or the country site: https://www.google.com.sg, https://www.google.co.uk). Most UTM firewalls (content filters) do not filter encrypted (https://) content by default. As a result, SafeSearch enforcement does not work, and inappropriate sites and Google Images searches will show undesirable images.
There are a couple of solutions to this issue:
Option 1. UTM Firewall: (not preferred due to complexity and side effects)
Enable Deep Packet Inspection for SSL (DPI-SSL). This creates havoc, however, because every secure site will then raise an invalid-certificate error.
To work around this, we need to generate a self-signed CA certificate on the UTM device, install it on all our endpoints, and create exceptions for sites that do not tolerate packet modification, e.g. Dropbox. In a nutshell, this is tedious to manage, and Internet traffic slows down noticeably because of the decryption/re-encryption process. Of course we still need DPI-SSL where we want to block applications like Skype and other cleverly crafted, sophisticated applications. But if we only want to solve the Google https search issue, option 2 is preferable.
Option 2. DNS CNAME: (relatively simple solution)
2.1. Create Forward Lookup Zones for the Google domains (e.g. google.com, google.co.uk, google.com.tw, google.co.th, google.com.au, google.com.in, etc.)
2.2. Where we have two AD-DNS servers we would need to create the same record twice, unless we select "Store the zone in Active Directory" in the zone creation wizard.
2.3. Click Next>
2.4. Click Next>
2.5. Click Next>
2.6. Click Finish
2.7. Create the CNAME (right-click the Google domain and select New Alias)
2.8. Leave the Alias name blank (zone apex) and enter the FQDN as nosslsearch.google.com
(The resulting zone in DNS Manager was shown in a screenshot accompanying the original post; it is not reproduced here.)
Steps for Windows Server 2008 and later DNS Manager:
(Please note: Windows Server 2008 does not allow a CNAME record at the zone apex the way Windows Server 2003 does in step 2.8 above.)
Repeat steps 2.1 to 2.6 as above.
Now create an A record under the Google domain (Forward Lookup Zones) in the Windows Server 2008 DNS Manager.
[We can also perform the above tasks by running another DNS server on Windows 2003 (it does not need to be AD-DNS) and forwarding all traffic for these domains to it with the DNS Forwarder or Conditional Forwarder option. But I find the above technique much simpler, as it does not require maintaining an additional DNS server.]
Note: Google has not changed the IP address of nosslsearch.google.com [220.127.116.11] for many years; but if it does, the A record must be updated accordingly.
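The procedure above (create the zone AD-integrated so it replicates to both DNS servers, then point the Google domain at nosslsearch.google.com) is scripted below, for the Windows Server 2008-and-later variant that uses A records rather than an apex CNAME. This is an added example and not part of the original post. It assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules (these do not exist on Server 2008, where DNS Manager or dnscmd must be used), that it runs as a DNS administrator on a domain controller, and that a public resolver (8.8.8.8 is assumed here) is reachable so the current address of nosslsearch.google.com can be looked up rather than hard-coded. It also adds a "www" record, which the post does not mention; that is an assumption, made because browsers request www.google.com rather than the bare domain.

```powershell
# Added example (not from the original post). Assumes Server 2012+ DnsServer/DnsClient
# modules, run on a DC with rights to create AD-integrated zones.
Import-Module DnsServer
Import-Module DnsClient

# Google country domains to override (list taken from the post; extend as needed).
$GoogleZones = @('google.com', 'google.co.uk', 'google.com.tw',
                 'google.co.th', 'google.com.au', 'google.com.in')

# Public resolver used to learn the real address of nosslsearch.google.com.
# Asking the local server would fail once it is authoritative for google.com.
$UpstreamResolver = '8.8.8.8'   # assumption: any external resolver reachable from the DC

function Get-NoSslSearchAddresses {
    param([string]$Resolver = $UpstreamResolver)
    $answers = Resolve-DnsName -Name 'nosslsearch.google.com' -Type A `
                               -Server $Resolver -DnsOnly -ErrorAction Stop
    $ips = @($answers | Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress)
    if ($ips.Count -eq 0) {
        throw "No A records returned for nosslsearch.google.com from $Resolver"
    }
    return $ips
}

function Set-NoSslSearchZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$IPv4Address
    )
    # Steps 2.1/2.2: create the zone stored in Active Directory, so both DCs
    # receive it and the record only has to be created once.
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Domain' | Out-Null
    }
    # '@' is the zone apex (the post's "leave alias name blank"); 'www' is an
    # assumption added here because browsers normally request www.<domain>.
    foreach ($hostName in @('@', 'www')) {
        $existing = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $hostName `
                        -RRType A -ErrorAction SilentlyContinue)
        $current = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
        # If Google moved nosslsearch.google.com, drop addresses that are no longer valid.
        foreach ($ip in $current) {
            if ($ip -notin $IPv4Address) {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $hostName `
                    -RRType A -RecordData $ip -Force
            }
        }
        foreach ($ip in $IPv4Address) {
            if ($ip -notin $current) {
                Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $hostName `
                    -IPv4Address $ip -TimeToLive (New-TimeSpan -Hours 1) | Out-Null
            }
        }
    }
}

function Test-NoSslSearchZone {
    # Checks that the local DNS server now answers www.<zone> with the nosslsearch
    # addresses, i.e. that clients using this server will be redirected.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$ExpectedIPv4,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $r = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $got = @($r | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $missing = @($ExpectedIPv4 | Where-Object { $_ -notin $got })
    return ($missing.Count -eq 0)
}

# Run: look up the real address once, then create/refresh every zone and verify it.
$ips = Get-NoSslSearchAddresses
foreach ($zone in $GoogleZones) {
    Set-NoSslSearchZone -ZoneName $zone -IPv4Address $ips
    if (Test-NoSslSearchZone -ZoneName $zone -ExpectedIPv4 $ips) {
        Write-Output "$zone -> $($ips -join ', ')"
    } else {
        Write-Warning "$zone is not yet answering with the nosslsearch addresses"
    }
}
```

Because the script looks up nosslsearch.google.com upstream on every run and replaces stale A records, running it as a scheduled task covers the caveat in the note above: if Google changes the address, the zones follow it at the next run instead of silently pointing clients at a dead or wrong host. Clients will keep the old answer until their cache expires, which is why the records are created with a one-hour TTL.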
Please also block the following site on the UTM firewall (proxy exception and web blocker). Leave it unblocked where a VIP user needs encrypted search via the following link (optional).
Other Google sites (products) and services are not affected by the above configuration. This is a work-around technique that forces users onto non-SSL search so that the on-premise UTM firewall can enforce SafeSearch and other policies.