Control Access to Custom URLs

Adding custom URLs to a destination list allows Secure Access to extend a domain in a destination list to encompass full URLs. This allows you to control access to a web site's pages based on the full URL of that portion of the web site pages.

Table of Contents

Prerequisites

  • Install a root certificate to support SSL decryption of URLs.
  • The custom URL destination list is protocol-agnostic. This means that Secure Access does not expect that it's possible to know which protocol a web site will use in advance. Therefore, adding a protocol in front of a URL is not required when defining a destination list. Instead, with SSL decryption enabled, Secure Access can block a URL whether it's HTTP or HTTPS and thus minimize the difficulty of creating a destination list. For more information, see Manage Certificates.

Block a URL

To block a URL, you can add it to a blocked destination list or create a new blocked destination list for URLs.

To add a URL to an existing blocked destination list:

  1. Navigate to Secure > Access Policy.
  2. Expand a destination list
  3. Add a URL.
  4. Click Save.
    Note: It is important to specify the URL correctly so that what’s in your policy rule matches what the user is trying to access and is controlled correctly by access settings (block, allow, or warn—depending on the policy type).

URL Normalization

URLs normalize automatically using the following criteria:

URL Normalization
Protocol Schema (the protocol should be stripped)hxxp://xyz.com/test → xyz.com/test
Username: Password (should be stripped)user:[email protected] → xyz.com
Ports (should be stripped)xyz.com:8080/abc → xyz.com/abc
Trailing slashes (stripped from the end of the URL)xyz.com/abc/ → xyz.com/abc

URL Normalization for Destination Lists

URL filtering conforms to URL normalization standards. Certain guidelines must be followed to ensure that the URL you are entering is what you want to block or allow. These can sometimes mean that the way a URL is displayed in the browser's address bar is not how it should be specified in a destination list. This is not done automatically. You must format the URL using the guidelines listed here for it to be blocked or allowed as intended. For guidelines, see URL Normalization.

Troubleshooting Unblocked URLs

If the Secure Access block page does not display when navigating to a URL you expect to be blocked, ensure that the policy rule with the destination list enabled is higher in order than other rules that the enrolled resources may be part of.

Wait up to five minutes before testing again after any changes are made to ensure that enough time has passed for the changes to be replicated throughout Secure Access.

If problems persist, clear the local browser cache on your machine. Alternatively, clear your machine's DNS cache—a reboot will accomplish this.

Also, check to see if you have a local—on-premise—proxy that is interfering.

Additionally, confirm that you have installed certificates. For more information, see Manage Certificates.

Reporting for Blocked URLs

The Secure Access Activity Search report supports the use of URLs as a search filter.

304

After you've filtered for URLs, add another filter to show the custom block URLs that belong to your destination lists.

Examples

The following examples show a single URL and what you can and cannot enter to have a block of that URL enforced. The list of URLs is built out from a single example, modifying a single parameter to show whether the URL "//a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes" would be blocked based on a URL.

In these examples, the protocol is stripped as it would be by the interface.

If you wanted to block this URL a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes the following logic would apply.

URLBlocked?Reason
a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yesYesThe full URL is entered.
a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes&z=zYes"&" is a delimiter; therefore, it's added as another level to the URL after the word "yes".
a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yesNo"?" is a delimiter so the URL still would begin at the "yes" and any enforcement would happen after that.
a.co/cx/15195/100/setup_1848x19m.exe?NoGiven the "?", it still means only characters after "yes" will be enforced; therefore, a direct download of this file would be allowed.
a.co/cx/15195/100/setup_1848x19m.exeNoWe will still only block any paths after "yes"; therefore, a direct download of this file would be allowed.

If you want to block this URL g.com/a/d, the following logic applies.

Note: These are only examples of destination list entries that would and would not block the URL g.com/a/d.

URLBlocked?Reason
g.com/a/dYesThe full URL is entered.
g.com/a/d?gYesDelimits the path with the query "g" but still just a delimiter thus this will be enforced.
g.com/a/d?YesURL + the "?" delimiter.
g.com/a/NoThe URL ends with "/d" so anything before "/d" would not be enforced.
g.com/a/?aNoThe URL ends with "/d" so anything before "/d" would not be enforced.

If you want to block this URL d.co/cx/15195/100, the following applies.

Note: These are only examples of which destination list entries would block the URL "d.co/cx/15195/100" and which would not.

URLEnforcedReason
d.co/cx/15195/100YesThe full URL is entered.
d.co/cx/15195/100/?YesEverything after the delimited "/" after 100 would be blocked.
d.co/cx/15195/100/YesEverything after the delimited "/" after 100 would be blocked.
d.co/cx/15195/100YesEverything after the delimiting "/" after 100 would be blocked.
d.co/cx/15195/10NoThe delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195/1000NoThe delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195/NoThe delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195NoThe delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.

Note: There are normalization rules that most administrators never encounter. If you find that a URL is not being properly filtered and you've confirmed that all criteria are met, see the URL Normalization RFC.

Troubleshooting

If you encounter issues with the custom URL feature, contact Support and include the output of the following commands:

macOS

dig proxy.opendnstest.com
dig debug.opendns.com txt

Windows

nslookup proxy.opendnstest.com
nslookup -type=txt debug.opendns.com

Download Destinations to a CSV File < Control Access to Custom URLs > Wildcards and Destination Lists