Allied Telesis AR Series Technical Manual page 18

Feature overview and configuration guide advanced network protection

Feature Overview
For HTTPS, if the Server Name Indication (SNI) is present in the TLS handshake exchange,
it is extracted and sent to the URL classifier engine for categorization. The SNI includes only the
hostname of the website, not the full path of the requested URL. If no SNI is present,
categorization is based on the destination IP address of the request.
The SNI field is contained in the Client Hello message sent during the TLS handshake when
a client web browser first attempts to access a secure HTTPS website. The SNI information is
sent in cleartext and represents the domain part of the URL of the HTTPS request. The SNI
field is used by secure web servers that host multiple secure websites, and allows a secure web
server with a single public IP address to host multiple websites. It lets the secure web server
supply the digital certificate containing the correct domain name(s) to the requesting web
browser client, so that negotiation of the encrypted connection to the website can proceed.
To categorize the website, the website classifier engine queries Digital Arts' constantly updated
Active Rating System (ARS), which contains about 100 pre-defined categories. The categorization
provider then returns the category of the website. The website classifier engine also queries the
custom static engine, which can be customized to suit individual business needs. The custom
categorization is used in preference to, and can override, the Digital Arts categorization. This means that if a
website matches the criteria of a custom category, the website will not be sent for
categorization by Digital Arts.
Once the website has been categorized, the device can filter the website according to a set of rules
defined per category. If the website is blocked, the user is unable to visit it and will get a
notification page. Conversely, if the website is allowed, the user gets the resulting page from the
website.
Categorized websites are cached in the device. The device can check its local cache for a matching
website against the HTTP or HTTPS request passing through it.
The Web Control process operates by determining the URL to which a session is destined, and
consulting with a cloud-based server to check whether this URL may or may not be accessed.
If all of the traffic traversing the device consists of new HTTP 1.1 GET requests, and proxy-based
Web Control is enabled, then a TCP connection needs to be formed and proxied for each connection
request. The URLs in the connection requests are accumulated into bulk categorization
requests, which are then sent to the cloud-based URL categorization service.
As a result, various external factors, such as latency of the Internet, response time of the
categorization servers in the cloud, and processing of responses, will slow down the overall
connections per second for traffic processed via this proxy service.
C613-22104-00 REV B  Advanced Network Protection | Web Control  Page 18


This manual is also suitable for: AR3050S, AR4050S
