Could someone please confirm the following operation of the Symantec Gateway Server?
I have set up, configured and am testing a Symantec Web Gateway appliance running in Inline/Blocking mode. Users' web browsers are not configured with any Proxy settings.
We have a lot of Facebook users which we are trying to block (at least during business hours).
I put the appliance on our production network and turned on URL Filtering and blocked the Social Media category (which includes Facebook). Initial tests worked as expected, and I found that http://www.facebook.com is blocked by the Symantec Web Gateway.
I got a call 5 minutes later saying someone already found another way into Facebook by using the secure address (https://www.facebook.com/login.php).
In reading the instructions, it seems that the SWG cannot natively filter HTTPS/SSL traffic in INLINE mode (thus the reason why users can still access Facebook through HTTPS... while the HTTP access to Facebook is blocked). Upon further reading... I read that to filter HTTPS/SSL traffic... PROXY mode must be activated on the Gateway, and that all users' web browser proxy settings must be configured to point to this Gateway.
One of the criteria in choosing a web filtering appliance or solution is that we would NOT configure or make use of users' Internet browser proxy settings. We have too many transient users between various offices, and it becomes a logistical nightmare keeping track of... and changing users' proxy settings. Thus the reason why we purchased the SWG appliance, as it was our impression from the sales information that we could run the Web Gateway appliance in Inline mode, which wouldn't require changes to user proxy settings in each and every web browser we have, and therefore was seamless and transparent to the end user, and no additional configuration work was required on our part.
So... Is this correct? If I only want to filter HTTP traffic, then INLINE mode is fine. If I also need to filter HTTPS/SSL traffic, then the Gateway must run in PROXY mode, and all of our 1000+ users' web browser proxy settings will need to be configured to point to the Gateway... just so I can stop SSL traffic to Facebook??? If this is the case... then this would be an unacceptable solution in our case, and I would have to look for other providers or solutions which could filter both HTTP and HTTPS traffic seamlessly.