Google SafeSearch and SSL


Google SafeSearch and SSL Search for Schools

As we have noticed, Google has changed its search behavior. Currently ‘Google Search’ redirects searches to the secure site, e.g. https://www.google.com (in-country: https://www.google.com.sg, https://www.google.co.uk). Most UTM firewalls (content filters) do not filter encrypted (https://) content by default. That means SafeSearch will not be enforced, and inappropriate sites and Google Image searches will show undesirable images.

There are a couple of solutions to fix this issue:

Option 1. UTM Firewall (not preferred due to complexity and after-effects)

Enable Deep Packet Inspection for SSL (DPI-SSL). But this will create havoc, as every secure site will raise an invalid-certificate error.
To work around this, we need to generate a self-signed certificate on the UTM device, install it on all our endpoints, and create exceptions for sites that do not permit packet modification, e.g. Dropbox. In a nutshell, this is tedious to manage, and Internet traffic will slow down somewhat due to the decryption/re-encryption process. Of course we still need DPI-SSL where we want to block applications like Skype and other cleverly crafted, sophisticated applications. But if we just want to solve the Google HTTPS search issue, option 2 is preferable.

Option 2. DNS CNAME (relatively simple solution)

2.1. Create a Forward Lookup Zone for each Google domain (e.g. google.com, google.co.uk, google.com.tw, google.co.th, google.com.au, google.com.in, etc.)

2.2. Where we have two AD-DNS servers we need to create the same record twice, unless we select “Store the zone in Active Directory” as shown below.

2.3. Click Next>

2.4. Click Next>

2.5. Click Next>

2.6. Click Finish

2.7. Create a CNAME (right-click on the Google domain and select New Alias)

2.8. Leave the Alias name blank and enter the FQDN as nosslsearch.google.com

(You should see the following after the above steps.)

The following steps are for DNS Manager on Windows Server 2008 and above:
(Please note: Windows Server 2008 does not allow the blank-name (zone root) CNAME of step 2.8 the way Windows Server 2003 does.)

Repeat steps 2.1 to 2.6 above.
Now create an A record under the Google domain (Forward Lookup Zones) in the Windows Server 2008 DNS, pointing to the IP address of nosslsearch.google.com.

[We can also perform the above tasks by having another DNS server running Windows 2003 (it does not need to be an AD-DNS) and forwarding all traffic for those zones to that server via the DNS Forwarder or Conditional Forwarder option. But I find the above technique much simpler, as it does not require maintaining an additional DNS server.]

Note: Google has not changed the IP address of nosslsearch.google.com [216.239.32.20] for many years; but if they do, we need to update the A record accordingly.
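A quick check for the configuration above, added here as an example (not part of the original post): it resolves each overridden Google domain from the client's point of view, confirms it lands on the same address as nosslsearch.google.com, and flags if that address has drifted from the value quoted in the note. The domain list and the 216.239.32.20 address are taken from the post; the resolver argument is injectable so the check can run against a constructed lookup table.

```python
import socket

# Zones the post says to create; each should resolve to nosslsearch.google.com's address.
GOOGLE_DOMAINS = ["google.com", "google.co.uk", "google.com.tw",
                  "google.co.th", "google.com.au", "google.com.in"]

# Address of nosslsearch.google.com quoted in the post; used only to detect drift.
EXPECTED_NOSSL_IP = "216.239.32.20"


def check_nossl_override(domains, resolve=socket.gethostbyname,
                         expected_ip=EXPECTED_NOSSL_IP):
    """Resolve each domain and classify it against the live nosslsearch address.

    Returns a dict with the live nosslsearch IP, whether it differs from the
    address in the post (ip_drift), and which domains are overridden (ok),
    still pointing elsewhere (not_overridden), or unresolvable (unresolved).
    """
    report = {"nossl_ip": None, "ip_drift": False,
              "ok": [], "not_overridden": [], "unresolved": []}
    try:
        nossl_ip = resolve("nosslsearch.google.com")
    except OSError:  # socket.gaierror is a subclass of OSError
        return report  # cannot judge anything without the reference address
    report["nossl_ip"] = nossl_ip
    report["ip_drift"] = nossl_ip != expected_ip
    for domain in domains:
        try:
            ip = resolve(domain)
        except OSError:
            report["unresolved"].append(domain)
            continue
        # Compare to the live address, not the hard-coded one, so a stale
        # A record is reported as not_overridden once Google moves the host.
        (report["ok"] if ip == nossl_ip else report["not_overridden"]).append(domain)
    return report


if __name__ == "__main__":
    # Run from a client that uses the internal AD-DNS servers.
    result = check_nossl_override(GOOGLE_DOMAINS)
    if result["nossl_ip"] is None:
        print("nosslsearch.google.com did not resolve; check upstream DNS")
    else:
        print("nosslsearch.google.com =", result["nossl_ip"])
        if result["ip_drift"]:
            print("WARNING: address differs from", EXPECTED_NOSSL_IP, "- update the A records")
        for key in ("ok", "not_overridden", "unresolved"):
            print(f"{key}: {result[key]}")
```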

Please also block the following site on the UTM firewall (proxy exception and WebBlocker). Leave it unblocked where a VIP user needs encrypted search via the following link (optional).

http://encrypted.google.com/

Other Google sites (products) and services will not be affected by the above configuration. This is a work-around technique for forcing users onto non-SSL search so that the on-premise UTM firewall can enforce SafeSearch and other policies.


About Robiul

Robiul has 15 years of continuous successful career experience in ICT with extensive background in System Engineering, IT infrastructure design, operations and service delivery, managing IT projects / MIS functions for local and multi-national companies with in-depth knowledge of multiple operating systems as well as construct / manage small to medium size Data Center. Proven ability to design and implement medium to semi-large scale LAN/WAN/WLAN and system infrastructures. Academic qualification: Master of Science in Information Systems. Professional certifications are: MCSE, CCNA, ITIL and FoundStone Security Professional, VCP, NetAPP, CISSP etc.