Websites not being blocked/logged?

Does your transparent proxy capture HTTPS or is it only applying to HTTP? Facebook and Twitter both primarily use HTTPS which doesn’t work with all proxy configurations.

You have to force the proxy on your users' browsers manually or with GPO.
Transparent proxy does not work on HTTPS!

It looks like every week there are at least 5 overzealous network operators here that want to block block block…
And unfortunately none of them first check the replies to all the others about the difficulties / impossibilities.

I guess we need to set up a course "how to live with the reality of the open internet, for network operators"
somewhere so we can link to that whenever the question comes up :slight_smile:

+10000000000

Seriously, if people want to look at porn on your network they are going to.

My freshman year we got computers, and the Internet was almost all HTTP based (unencrypted). Naturally the admins were blocking all kinds of stuff. What was the first thing we comp-sci students did? Find a way around it. We each put up an SSH server at our houses and ran PuTTY from a USB stick. This let us set up a SOCKS proxy to push requests through. That was in the early 2000s. Between that trick and HTTPS there is very little admins can do even today to stop a slightly zealous user from viewing whatever they want. This is way easier nowadays. I can't tell you how many people I've helped expose SSH on their Raspberry Pis to do exactly this when faced with stupidly oppressive firewall policies at work.

End of the day, get more bandwidth and trust your users to be normal people and browse responsibly.

My favorite question to ask when a customer asks about blocking websites like Facebook is whether they ever go to it throughout the day. If they say they do, I ask them what they go on there for. Most of the time at least a handful of the managers say they go on there to check on their kids. Things like whether they got home from school ok or whatever. So I follow up with: would it be ok if an employee did the same thing? Almost all of them say yes. I then ask: so we're ok with leaving Facebook access unaffected? Boom, no more pain-in-the-ass setup of a very pricey firewall that can MITM SSL.

The only viable answer is security of the endpoints that are browsing. If that's truly a concern, set up a guest network and make sure your users know it's alright to browse on that. Then take a deny-all approach on your "secure" side and literally only allow the very specific applications that are really truly needed. You'll see efficiency drop because people will always be switching to the guest network to actually get things done.

A common approach now is to harden the DC with extremely strict firewall rules and in some cases only allow VPN or TLS-based web app access in. If an end user gets compromised, so what; the whole corporate access network is viewed to be as secure as the hotspot at Starbucks. Gone are the days of "trusting" the "LAN" if you ask me. Security is in layers and is a very complex problem to tackle. In my opinion there are far more important things we can do with our time than care if someone hops on Facebook. Manage your people on the work they do, not on whether they were sitting at a desk for 8 hours and have a pulse.

The last thing I'll leave you with: you may need to look at DNS-based blocking from a provider like OpenDNS if you can't install a device that MITMs SSL.

Agreed. However, you also have the option to do DNS-based blocking yourself.

You can block Facebook that way, but then at the same time you block all the "login using your Facebook account" sites…
Blocking just isn't the way to go. Tell your employees that they are at work to work, and if they only play they will be fired.
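The two posts above raise the mechanics of doing DNS-based blocking yourself and the side effect that blocking a whole domain also catches anything hosted under it (such as the "login with" flows). The following is an added example, not code from the thread or from any product mentioned in it: a small resolver policy that matches query names against a blocklist by DNS label boundary (so `notsocial.example` is not caught by a rule for `social.example`) and lets a more specific allow rule win over a broader block rule, which is how you would carve out an exception without unblocking everything. All hostnames and the sinkhole address are constructed placeholders; a real deployment would plug `DnsPolicy.decide` into whatever resolver or RPZ mechanism you run.

```python
"""DNS-based blocking policy with label-boundary matching and longest-match precedence.

Added example (not from the forum thread). Hostnames, rules and the sinkhole
address below are constructed placeholders, not a recommended blocklist.
"""
from typing import Iterable, List, Optional, Tuple

# Address returned for blocked names. 0.0.0.0 is a common sinkhole choice;
# some resolvers return NXDOMAIN instead (placeholder choice for this example).
SINKHOLE = "0.0.0.0"


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lowercase, strip trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def _matches(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it, compared label by label.

    A plain string suffix test would wrongly match 'notsocial.example' against
    'social.example'; comparing whole labels avoids that.
    """
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z


class DnsPolicy:
    """Blocklist/allowlist policy where the most specific matching rule wins."""

    def __init__(self, block: Iterable[str] = (), allow: Iterable[str] = ()):
        # Each rule is (zone, action); depth is derived at decision time.
        self.rules: List[Tuple[str, str]] = [(z, "block") for z in block]
        self.rules += [(z, "allow") for z in allow]

    def decide(self, qname: str) -> Optional[str]:
        """Return SINKHOLE if the name should be blocked, else None (forward upstream).

        Among all rules covering qname, the one with the most labels (most
        specific) decides; ties between equally specific rules favour 'allow'.
        """
        best_depth, best_action = -1, None
        for zone, action in self.rules:
            if not _matches(qname, zone):
                continue
            depth = len(_labels(zone))
            if depth > best_depth or (depth == best_depth and action == "allow"):
                best_depth, best_action = depth, action
        return SINKHOLE if best_action == "block" else None


def summarize(policy: DnsPolicy, qnames: Iterable[str]) -> Tuple[int, int]:
    """Apply the policy to a batch of query names; return (blocked, forwarded) counts."""
    blocked = sum(1 for q in qnames if policy.decide(q) is not None)
    total = len(list(qnames))
    return blocked, total - blocked


if __name__ == "__main__":
    # Constructed rules: block the whole social.example zone, but keep its
    # login host reachable so third-party "login with" flows still work.
    policy = DnsPolicy(block=["social.example"], allow=["login.social.example"])
    # Constructed sample query log (names only).
    queries = [
        "www.social.example",       # blocked: subdomain of blocked zone
        "social.example.",          # blocked: apex, trailing dot normalised
        "notsocial.example",        # forwarded: different label, not a subdomain
        "social.example.evil",      # forwarded: zone is not a label suffix
        "login.social.example",     # forwarded: more specific allow rule wins
        "sso.login.social.example", # forwarded: under the allowed subzone
    ]
    for q in queries:
        print(f"{q:28} -> {policy.decide(q) or 'forward'}")
    print("blocked/forwarded:", summarize(policy, queries))
```

The longest-match rule is what makes a carve-out safe: instead of removing `social.example` from the blocklist to keep one login host working, you add a narrower allow rule and the rest of the zone stays sinkholed. The label-by-label comparison matters too, because a blocklist built from naive string suffixes will quietly block unrelated names that merely end in the same characters.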