YouTube EDU Fortigate Configuration

YouTube EDU provides a rich resource for education-specific videos. For years, educators seeking access to YouTube.com were typically blocked by district web filters because of the bulk of non-educational and sometimes risky content. YouTube EDU overcomes this obstacle and is now a wonderful tool for instructors.

Fortinet Fortigate appliances provide excellent Unified Threat Management (UTM) for all types of network environments. They give network administrators a wide range of security technologies, including intelligent filtering for YouTube EDU content. The YouTube EDU feature is available in the current MR 5.0 code release. Specifically, it is an option located within the protection profile, similar to forcing “safe search” for search engines. Technically, the appliance rewrites the outgoing request header to include a special string of characters that is specific to your YouTube EDU account.

As with any new feature or option, there are limits. Our engineering team has determined that this type of advanced content filtering works very well for non-secured HTTP traffic, e.g. http://youtube.com or http://www.youtube.com.

The challenge is that when end users access the secure (HTTPS) version of these websites, the filtering engine does not work as expected (for the moment at least). We learned that other dedicated web filters (e.g. Barracuda Web Filter) can overcome this hurdle. Thus, a simple yet effective workaround was immediately needed to stay within the approved Internet usage policy dictated by various private and public school systems.

So, here are two (2) techniques that you can deploy on your Fortigate appliance (via the protection profile) to block https:// sites in two different ways.

First, a couple of reference points:

1) URL inspection – this looks at the CN in the certificate, but since Google owns YouTube, the certificate is the wildcard *google.com certificate, so the CN does not distinguish YouTube from other Google sites.

2) Enable https deep scanning – this works great but throws a certificate error on EVERY https site you visit, because the browser does not trust the certificate the Fortigate presents. Very annoying, to say the least. In theory you could export the certificate from the Fortigate and install it on all the machines, but I suspect this is a non-starter for most.

So, in order to overcome these shortcomings, you might consider the following configuration tips:

1) Allow all YouTube.com sites, wide open. If you block streaming media, add YouTube.com to a custom category. Then allow the custom category in the protection profile.

2) Configure YouTube EDU with header redirect (also in the protection profile, located in the web filtering section). Ideally, this should solve your YouTube EDU problem for http://youtube.com, but not for the secured https://youtube.com URL.

3) Next, create a firewall rule at the top of your rule set that DENIES https traffic to youtube.com. Since the underlying IP addresses change, you need to use an FQDN rule (instead of an IP address) to block the following:

a) youtube.com

b) youtube-ui.l.google.com
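
Step 3 written out as FortiOS CLI, as an added example that is not configuration from the original post. The interface names `internal` and `wan1`, the new policy ID `100`, and the ID `1` of the policy currently at the top of the rule set are assumptions to replace with your own values.

```fortios
# FQDN address objects for the two names listed in step 3
config firewall address
    edit "youtube.com"
        set type fqdn
        set fqdn "youtube.com"
    next
    edit "youtube-ui.l.google.com"
        set type fqdn
        set fqdn "youtube-ui.l.google.com"
    next
end

# Deny HTTPS (TCP/443) to those names.
# "internal" / "wan1" are assumed interface names; 100 is an assumed unused policy ID.
config firewall policy
    edit 100
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "youtube.com" "youtube-ui.l.google.com"
        set action deny
        set schedule "always"
        set service "HTTPS"
    next
    # Policies are evaluated top-down, so place the deny above the existing
    # first policy (assumed here to have ID 1).
    move 100 before 1
end
```

An FQDN address object matches the IP addresses the Fortigate itself resolves for the name, so the appliance and the clients should use the same DNS servers; otherwise a client can receive an address the policy does not cover.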

Should you have any questions or would like additional information, please contact TBNG Consulting at contact@tbngconsulting.com or at 855-512-4817.