
How to configure Web Gateway to control access to Google consumer services
Technical Articles ID:   KB72538
Last Modified:  8/22/2019


McAfee Web Gateway (MWG)


Google has made it possible to control access to consumer Google Mail, while allowing access specifically to corporate Google Mail services. This article describes how to configure Web Gateway to facilitate this access.

You can control the allowed domains by inserting or manipulating the following custom header:
X-GoogApps-Allowed-Domains

Insertion of this header notifies the Google Mail logon services of the domains that the user can access using this proxy.

For example, to allow access to only the unixlabs.net or unix.com domains, the header would contain the following definition:
X-GoogApps-Allowed-Domains: unixlabs.net, unix.com

This definition allows access only to Google Mail domains with @unixlabs.net or @unix.com addresses, and restricts access for @gmail.com addresses, which are not explicitly listed.


NOTE: The Google logon service uses a secure SSL connection for authentication. For the Google Mail domain control to work correctly, you must enable SSL Scanner rules on Web Gateway.

To configure Web Gateway so users cannot access consumer Google Mail services, but can access corporate Google Mail services using the proxy, create a rule. This rule adds the specific header required for the Google Mail service:
  1. Create a rule:

  2. Add criteria to trigger the header insertion only for .google.com sites:

  3. Select Continue for the Action. You do not want to block the request, only to modify it; the modification is made in the Event step.

  4. Create two Event rules to configure the allowed domains. The Google authentication service looks for the X-GoogApps-Allowed-Domains header, which tells the service which domains are permitted through this proxy.
    1. Add an Event rule to remove any existing header that was inserted by the end user to bypass Google controls:

      Select Header.Removeall (string) as the Event, and click Parameters.

      In the Property Parameters dialog, enter the Value X-GoogApps-Allowed-Domains.

    2. Add an Event rule to add the correct header with the allowed domains.

      Select Header.Add (String, String) as the Event and click Parameters. (Or, you can use Header.AddMultiple if you have many domains that you would like to manage in a separate list.)

      In the Property Parameters dialog, configure the Header Name as X-GoogApps-Allowed-Domains and set the Value to your organization's Google domain. In this example, the domain is "unixlabs.net".

      Click OK twice. You should now have an Event configuration similar to the following.

  5. Click Finish. Your rule should look similar to:

  6. Test and validate your configuration.
Now users should not be able to access consumer Google Mail services, but should be able to access the corporate Google Mail services using the proxy.
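
The following Python model is an added example, not Web Gateway code or part of the original article. It mirrors the rule's criteria and its two Events to show why the removal must run before the add. The function names, the sample request, and the exact host-matching logic are assumptions made for illustration.

```python
# Added example: a model of the rule's criteria and two Events, not Web Gateway code.
HEADER = "X-GoogApps-Allowed-Domains"

def is_google_host(host):
    """Assumed matching for '.google.com sites': the domain itself or a subdomain."""
    host = host.lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")

def apply_rule(host, headers, allowed_domains):
    """Return the header list the proxy would forward for this request.

    headers is a list of (name, value) pairs so duplicate headers are preserved.
    """
    if not is_google_host(host):
        return list(headers)  # criteria not met: request is left untouched
    # Event 1 (Header.Removeall): drop every client-supplied copy, compared
    # case-insensitively because HTTP header names are case-insensitive.
    kept = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
    # Event 2 (Header.Add): insert the single authoritative value.
    kept.append((HEADER, ", ".join(allowed_domains)))
    return kept

def header_values(headers):
    """All values of the allowed-domains header, in order of appearance."""
    return [v for n, v in headers if n.lower() == HEADER.lower()]

# Constructed request: the client pre-sets the header twice to widen access.
CLIENT_HEADERS = [
    ("User-Agent", "example-browser"),
    ("x-googapps-allowed-domains", "gmail.com"),
    ("X-GoogApps-Allowed-Domains", "gmail.com, unixlabs.net"),
]
ALLOWED = ["unixlabs.net", "unix.com"]

if __name__ == "__main__":
    for host in ("accounts.google.com", "www.example.org", "google.com.example.org"):
        out = apply_rule(host, CLIENT_HEADERS, ALLOWED)
        print(host, "->", header_values(out))
```

If the removal Event is skipped, the forwarded request carries both the client's values and the proxy's, so the header no longer states a single allowed-domain list.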
