How to block access to HTTPS proxy bypass sites or software

Article #: 1613 and 1752
Product: Guardian
Castle: All


Using the Smoothwall to block access to HTTPS proxy sites, or to prevent HTTPS proxy software such as UltraSurf from bypassing the Guardian web filter.


Web filters are becoming increasingly popular, and are used to restrict a user's internet access to certain types of content. This has led to the creation of numerous proxy websites and proxy software applications designed to bypass web filters such as Guardian.

UltraSurf is one example of an application that bypasses web filters to gain access to sites that would otherwise be blocked. When someone uses a proxy website or application to request content, the proxy contacts a server which retrieves the requested content and returns it to the user, typically over an HTTPS connection. Because HTTPS traffic is encrypted, the content can't be seen by web filters and therefore no policies can be applied to it. As more and more proxies are created every day, each more complex and more effective at bypassing web filters than the last, simply blocking access to these services using domain or URL filtering alone is not particularly effective.


Actions for the Guardian Web Filter

  1. If possible, ensure that all clients are going through a transparent proxy with HTTPS support enabled (Web proxy > Authentication > Policy wizard).
     Note: This may, however, cause issues for other software applications which do not support this type of setup.
  2. The Web proxies category is blocked by default as it is part of the Core Blocked Content web filter policy (see the related article). You should add a block policy if you do not have one for either Web proxies or Core Blocked Content.
  3. Create an HTTPS inspection policy that validates the certificate (Guardian > HTTPS inspection > Policy wizard). This ensures that any site visited must present a valid HTTPS certificate.
  4. As an alternative to step 3, you can create an HTTPS inspection policy to Decrypt and inspect HTTPS requests through the web filter. This does, however, require that the certificate used by Guardian is installed on each of the client machines (see the related article).

Actions for the Firewall

Additionally, you can control access to ports using a firewall. If you are using the Smoothwall firewall, you do this in either the Network > Firewall > Firewall rules page (for those running Inverness or above) or the Network > Outgoing pages (for those running Hearst or below).

Proxies will typically attempt to connect to their servers on port 80 or 443. If this fails, some applications have the ability to fall back to other ports. The following table details the ports predominantly used by proxy bypass software:

| Proxy                 | Ports                            | Additional Notes                                                                                                                                            | Last Checked      |
|-----------------------|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------|
| Betternet             | 1194, 5228, 7268, 9110           |                                                                                                                                                             | 26th January 2018 |
| CyberGhost            | 8078                             |                                                                                                                                                             | January 2017      |
| F-Secure Freedome VPN | 500, 2744                        |                                                                                                                                                             | 31st January 2018 |
| Freegate              | 1024-65535                       |                                                                                                                                                             | March 2017        |
| freevpn.og            | 8010                             | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 23rd January 2018 |
| GPass                 | 1024-65535                       |                                                                                                                                                             | January 2017      |
| Hexatech              | 5228, 9110                       |                                                                                                                                                             | 26th January 2018 |
| Hideman VPN           | 500, 995                         |                                                                                                                                                             | 31st January 2018 |
| HotSpot Shield        | 105, 179, 465, 990, 1024-65535   |                                                                                                                                                             | August 2017       |
| Opera Free VPN        | 1194, 5353                       |                                                                                                                                                             | 31st January 2018 |
| PrivitizeVPN          | 1723                             |                                                                                                                                                             | January 2017      |
| Security Kiss         | 123, 5000, 5353                  |                                                                                                                                                             | January 2017      |
| SpeedVPN              | 7, 4500                          |                                                                                                                                                             | 31st January 2018 |
| Spotflux              | 443                              | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | January 2017      |
| Tor                   | 1024-65535                       | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | January 2017      |
| TunnelBear            | 7011                             |                                                                                                                                                             | 8th November 2017 |
| VPNGate               | 992, 995, 1024-65535             | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | August 2017       |
| Yoga VPN              | 5000, 8000                       |                                                                                                                                                             | 31st January 2018 |

Blocking UltraSurf

UltraSurf is a proxy application installed locally on users' devices. Users then configure their browsers to point to the local proxy. The UltraSurf proxy sends outgoing traffic to HTTPS sites by IP address rather than by hostname. This is the case both when UltraSurf sends traffic directly to port 443 (HTTPS) and when it is set to use an upstream proxy.

So, what can be done?

  • Block the installation and execution of the UltraSurf application using domain-wide security policies
  • Set proxy settings in a security policy so users cannot override them

These are basic recommendations for blocking UltraSurf traffic. Users may still get around security policies by using non-domain-managed devices, or devices on which the user has administration rights.

Server Name Indication (SNI) is an extension to the HTTPS Transport Layer Security (TLS) handshake that tells the receiving proxy which domain the traffic is destined for, even though the rest of the session is encrypted. SNI is used by the Guardian web filter when transparently intercepting HTTPS traffic.

Additional actions for the Guardian web filter:

Note: The two options shown above may also stop legitimate applications from working if they use the same type of traffic as UltraSurf, such as some cloud-based services. Without SNI information, Guardian cannot easily differentiate between UltraSurf and non-UltraSurf traffic using any parameter other than the destination IP address.
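The port table and the "HTTPS without SNI" observation above can be turned into a simple triage check over connection records. This is an added example, not Smoothwall or Guardian code; the log format ("src dst port sni", with "-" meaning no SNI) and the sample records are constructed for illustration.

```python
from typing import List, Tuple

# Subset of the port table above. Exact ports are strong indicators; the wide
# 1024-65535 ranges (Freegate, Tor, VPNGate) match almost anything: weak hints only.
BYPASS_PORTS = {
    "Betternet": [1194, 5228, 7268, 9110],
    "CyberGhost": [8078],
    "Freegate": [(1024, 65535)],
    "Hideman VPN": [500, 995],
    "Tor": [(1024, 65535)],
    "TunnelBear": [7011],
    "VPNGate": [992, 995, (1024, 65535)],
}

def tools_for_port(port: int) -> Tuple[List[str], List[str]]:
    """Return (strong, weak) lists of tools whose known ports include `port`."""
    strong, weak = [], []
    for tool, specs in BYPASS_PORTS.items():
        for spec in specs:
            if isinstance(spec, tuple):
                if spec[0] <= port <= spec[1] and tool not in weak:
                    weak.append(tool)
            elif spec == port and tool not in strong:
                strong.append(tool)
    return strong, weak

def triage(line: str) -> List[str]:
    """Indicators raised by one 'src dst port sni' record ('-' means no SNI)."""
    _src, _dst, port_s, sni = line.split()
    port = int(port_s)
    strong, weak = tools_for_port(port)
    findings = [f"port {port} used by {t}" for t in strong]
    # Per the note above, TLS to a bare IP with no SNI is how UltraSurf looks on the
    # wire, but some cloud services do the same, so treat this as a weak signal.
    if port == 443 and sni == "-":
        findings.append("HTTPS to IP without SNI (UltraSurf-like)")
    if weak and not strong:
        findings.append("high port; possible " + ", ".join(weak))
    return findings

# Constructed sample records, not taken from a real Guardian or firewall log.
SAMPLE_LOG = [
    "10.0.0.5 203.0.113.10 443 www.example.com",
    "10.0.0.7 203.0.113.20 443 -",
    "10.0.0.9 203.0.113.30 7011 -",
    "10.0.0.9 203.0.113.40 55000 -",
]
if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec, "->", triage(rec) or ["clean"])
```

A strong port match is worth an alert on its own; the no-SNI and high-port findings are best used to prioritise review rather than to block automatically, for the reason given in the note.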


Last updated: 6th February 2017
Author:
Contributions by: Jonathan McKeague, Patrick Gleeson