Accessing secure (https) sites in Windows XP under WebScreen 2.0

Due to the way Windows XP interacts with various browsers, users of Internet Explorer, Chrome or Safari on a workstation running Windows XP are likely to experience an issue when trying to access https sites. Only this particular combination of technologies is affected, because of the way Microsoft handles https sites in XP. Please note that Firefox users will NOT be affected in the same way, as Firefox bypasses the built-in Windows XP routines. There are also no issues with any of the browsers in combination with a later version of Windows. The best long-term solution is to upgrade workstations to a later version of the operating system or to use Firefox as the default browser.

Under XP, when browser requests to https sites are sent using the full standard URL, the URL gets translated to the IP address of that site before it reaches the filtering system. Access to the site may then be denied unless the IP address has been explicitly allowed.

For example: a request to visit

https://www.google.com/

is presented to the filtering system as a request for

https://173.194.67.105/

Further complications may arise when a destination site is hosted on multiple servers and can therefore resolve to any of several IP addresses. So the above example could appear as

https://173.194.78.104/

depending upon the address to which the URL translates at the time.

As a result, to ensure that an https site is allowed/blocked correctly for those using the XP system with one of the affected browsers, the URL and any IP addresses belonging to the site should be added to the appropriate filtering policy. This approach is effective in situations where target websites are hosted on single IP addresses that can be identified relatively easily, either by pinging the target URL and making a note of the IP address returned or by a careful examination of the reports available under the WebScreen 2.0 interface on the USO support site.
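A single ping shows only one address, so the sketch below repeats the lookup and collects every distinct IPv4 address returned for a hostname, giving the list of entries to add to the policy by hand. It is an added example, not part of WebScreen or of the original article; the function names are hypothetical, and it assumes the lookup is run from the same network as the affected workstations, since the addresses returned can differ by resolver and over time.

```python
import socket
import sys


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def collect_policy_entries(hostname, resolver=resolve_ipv4, rounds=3):
    """Build the list of entries to add to a filtering policy for one https site.

    The hostname is listed first, followed by every distinct IPv4 address seen
    over `rounds` lookups, since a site hosted on several servers can return a
    different address each time. `resolver` is a hypothetical hook so the
    lookup can be replaced (for example with recorded answers).
    """
    seen = set()
    for _ in range(rounds):
        try:
            seen |= set(resolver(hostname))
        except OSError:
            # Lookup failed this round (no DNS, unknown host): keep what we have.
            continue
    # Sort numerically, octet by octet, so the output is stable between runs.
    ordered = sorted(seen, key=lambda ip: tuple(int(part) for part in ip.split(".")))
    return [hostname] + ordered


if __name__ == "__main__":
    # Usage: python collect_entries.py www.google.com [more hostnames...]
    for host in sys.argv[1:] or ["www.google.com"]:
        for entry in collect_policy_entries(host):
            print(entry)
```

The list is only a snapshot: rerun it when users report a previously allowed https site being blocked again, and compare the result with the WebScreen reports.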

It should be noted that although the category “Host is an IP” can be allowed, this results in any https site becoming accessible.
