How do I block Ultrasurf without using DPI-SSL?
03/26/2020 31 7290
In the absence of SonicWall’s DPI-SSL configuration, which would be recommended, it is still possible to mostly block Ultrasurf and other Proxy Avoidance Applications, this does include Psiphon. Please note that this will not be 100% successful, and the applications still may occasionally be successful. In most of these successful connections, however, the connection performance is extremely impacting to the user experience. This performance will help to dissuade further use of the application in most cases.
Please note, again, this will not be 100% successful at blocking all connections all the time.
- Enable SonicWall’s SSL Control Service, and apply it to the appropriate Zone for enforcement.
- Restrict traffic in Access Rules to only required connections. Also, make sure that DNS is controlled to only trusted DNS Servers, and all other communications are blocked.
- Use App Control Advance to restrict applications Google QUIC, DNS, SSH, and the entire category of Proxy-Access.
Please make sure that DNS is restricted to only trusted DNS server objections
Please make sure to block the entire category of Proxy Access
- Make sure to enable Content Filtering, and block site categories for Hacking / Proxy Avoidance Systems & Not Rated.
- Make sure that HTTPS Content Filtering is enabled.
Ultrasurf may report that it connections, contacting server, or otherwise show that it is running, but it will continually time out and be virtually ineffective at running any traffic.