Summary
The anonymous proxy Ultrasurf can show up as HTTPS traffic in the real time monitor.
Overview
Ultrasurf is an anonymous proxy / VPN provider that allows users to get around blocks, firewalls and other impediments to anonymously consume traffic they might not be allowed to have access to. The Exinda firmware attempts to block Ultrasurf traffic, but the application changes so frequently in an attempt to get around detection and blocking that it is difficult to stay up to date.
The latest application definition Exinda has for Ultrasurf was released in v7.4.1. While engineers are currently working on updated definitions, in the meantime, as of v7.4.2, some Ultrasurf traffic can be seen as HTTPS in the real time monitor.
Cause
Ultrasurf has been seen attempting to use a domain called AppSpot to access the proxies that it needs to tunnel traffic through. AppSpot is a project by Google that allows members to create and publish applications to websites (each of the form application.appspot.com). Anybody that has access to Google cloud platform is allowed to publish applications to AppSpot. As a result, if people publish proxies for the sole purpose of allowing Ultrasurf to access them, it is beyond the control of anybody.
Resolution
It is possible to add AppSpot to the policy blocking Ultrasurf by creating a new Application Definition for it and blocking all subdomains of the site. In order to do so, perform the following:
1. Navigate to Configuration > Objects > Applications
2. Create a new application; give it a name, e.g. AppSpot.
3. Set the L7 Definition to be 'SSL'. In the second dropdown box that shows up beside it, choose 'advanced'. In the third, type the following: common_name =% "appspot.com"
4. Click 'Add New Application'
5. Add the AppSpot application to the blocking policy that is governing Ultrasurf.
   - Add a second filter rule with the following:
     - VLAN: ALL
     - Source: ALL
     - Direction: Both
     - Destination: ALL
     - ToS/DSCP: ALL
     - Application: The application created in step 2
   - Save the policy and the configuration
   - Restart the optimizer
Please note, however, that AppSpot has legitimate uses; Google publishes information critical to Chromebooks and other activities for Google Applications for Education through AppSpot. If using Google Applications for Education, this solution will hinder performance of Apps for Education and might not be a viable workaround for the situation.
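
Before enabling the block, it helps to know which hosts a rule on appspot.com would catch. The following is an added example, not part of the original article or Exinda's own tooling: it compares a loose substring match with a domain-boundary match over certificate common names and counts the affected hosts. The common names are constructed sample data, and how the =% operator itself matches is not stated in this article.

```python
from collections import Counter

BLOCKED_DOMAIN = "appspot.com"

def normalize(common_name):
    """Lower-case, strip a trailing dot and a leading wildcard label."""
    name = common_name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def substring_match(common_name, domain=BLOCKED_DOMAIN):
    """Loose match: the domain appears anywhere in the name."""
    return domain in normalize(common_name)

def suffix_match(common_name, domain=BLOCKED_DOMAIN):
    """Strict match: the name is the domain itself or a subdomain of it."""
    name = normalize(common_name)
    return name == domain or name.endswith("." + domain)

def assess(common_names, domain=BLOCKED_DOMAIN):
    """Count strict hits per host and list names only the loose match catches."""
    hits = Counter()
    loose_only = set()
    for cn in common_names:
        if suffix_match(cn, domain):
            hits[normalize(cn)] += 1
        elif substring_match(cn, domain):
            loose_only.add(normalize(cn))
    return hits, sorted(loose_only)

# Constructed sample: common names as they might appear in a flow export.
SAMPLE = [
    "*.appspot.com",
    "example-app.appspot.com",
    "example-app.appspot.com",
    "EXAMPLE-EDU.appspot.com.",
    "myappspot.com",            # unrelated domain, substring hit only
    "appspot.com.example.net",  # unrelated domain, substring hit only
    "www.example.org",
]

if __name__ == "__main__":
    hits, loose_only = assess(SAMPLE)
    for name, count in hits.most_common():
        print(f"{count:3d}  {name}")
    for name in loose_only:
        print(f"substring-only match: {name}")
```

Hosts in the strict list that belong to Google Applications for Education or Chromebook services are the ones the block would disrupt.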