Allowing a single YouTube video through an Edge SWG (ProxySG)
search cancel

Allowing a single YouTube video through an Edge SWG (ProxySG)

book

Article ID: 165347

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Allow a single YouTube video through an Edge SWG (ProxySG)
My company does not allow YouTube or streaming media.  However, there is one video we want our users to view

Environment

Youtube.com defaults to HTTPS. As a result, for the solution to work, customer environment needs to meet the prerequisite:

1. SSL Intercept is enabled to intercept traffic.

2. Explicit Deployment: Detect Protocol is enabled to hand off the traffic to SSL Proxy

Resolution

The Edge SWG (ProxySG) can be configured to allow a single YouTube video to pass through the proxy while blocking all other YouTube content.  This policy can be created and placed into the local policy file.  For information on how to install the CPL policy into the local policy file, please see this article for information on how to install policy into the local policy file.  The following example uses a Blue Coat corporate video located at https://www.youtube.com/watch?v=snkEXxCwpMA

1. Locate the unique string in the YouTube URL https://www.youtube.com/watch?v=snkEXxCwpMA

    The unique string will be used in CPL in the video url is after  watch?v.
    If the url contains watch?v and &feature=  use the string between them. In our example, the string = snkEXxCwpMA

2. CPL

<proxy> 
condition=Youtube_Support allow url.domain=youtube.com condition=YoutubeVideo allow ; allow the specified youtube urls url.domain=googlevideo.com allow url.domain=youtube.com deny
<proxy>
url.domain=www.youtube.com http.method=CONNECT allow define condition Youtube_Support
url.domain=ytime.com url.domain=youtube.com url.path.prefix="/yts/" url.domain=youtube.com url.path.prefix="/youtubei/" url.domain=youtube.com url.path.prefix="/api/" url.domain=youtube.com url.path.prefix="/sw.js" url.domain=youtube.com url.path.prefix="/iframe_api" url.domain=youtube.com url.path.prefix="/embed/" url.domain=youtube.com url.path.prefix="/get_video_info"

url.domain=youtube.com url.path.prefix="/s/player/"
end
define condition YoutubeVideo
url.substring=snkEXxCwpMA
end

NOTE: To allow another youtube video, add a new line in the YouTubeVideo. 
For example, to allow youtube video https://www.youtube.com/watch?v=q-D50wpJdaM

define condition YoutubeVideo
    url.substring=snkEXxCwpMA
    url.substring=q-D50wpJdaM
end

In some cases, a YouTube video is embedded within another URL.  Assuming the URL hosting the embedded video is allowed by policy, but the video is denied based on your YouTube or streaming video deny rule, you can edit the above local policy slightly to allow the embedded video.

<proxy>
    condition=Youtube_Support          allow 
    url.substring=crossdomain.xml allow   ; Allow video to play from domain other than youtube.com
    url.domain=youtube.com condition=YoutubeVideo            allow   ; allow the specified youtube urls
    url.domain=googlevideo.com         allow 
    url.domain=youtube.com         deny


<proxy>
    url.domain=www.youtube.com http.method=CONNECT allow