Web Gateway: How to configure Web Gateway to control access to Google consumer services
Technical Articles ID:  KB72538
Last Modified:  01/30/2013


Environment

McAfee Web Gateway 7.x
McAfee Web Gateway 6.x

Summary

Google has made it possible to block access to consumer Google mail while still allowing access to corporate Google mail services. This article describes how to configure Web Gateway to enforce that restriction.

You can control allowed domains by the insertion or manipulation of the following custom header:
X-GoogApps-Allowed-Domains

Insertion of this header notifies the Google Mail login services of the domains that the user is able to access via this proxy.

For example, to allow access to only the unixlabs.net or unix.com domains the header would contain the following definition:
X-GoogApps-Allowed-Domains: unixlabs.net, unix.com

This definition allows access only to Google mail accounts with @unixlabs.net or @unix.com addresses, and restricts access to @gmail.com addresses because gmail.com is not explicitly listed.

Solution

NOTE: As the Google login service utilizes a secure SSL connection for authentication, for the Google Mail domain control to work correctly, SSL Scanner rules must be enabled on the Web Gateway.

To configure Web Gateway so users cannot access consumer Google Mail services, but can access corporate Google Mail services via the proxy, create a rule to add the specific header required for the Google Mail service:
  1. Create a new rule.
  2. Add criteria to trigger the header insertion only for .google.com sites.
  3. Select Continue for the Action. The request should not be blocked, only modified, and the modification is performed in the Event step.
  4. Create two Event rules to configure the allowed domains. The Google authentication service looks for the X-GoogApps-Allowed-Domains header, which tells the service which domains are permitted via this proxy.
    1. Add an Event rule to remove any existing header that has been inserted by the end user to bypass Google controls:

      Select Header.Removeall (string) as the Event, and click Parameters.

      In the Property Parameters dialog, enter the Value X-GoogApps-Allowed-Domains.

    2. Add an Event rule to add the correct header with the allowed domains:

      Select Header.Add (String, String) as the Event and click Parameters. (Header.AddMultiple can also be used if you have many domains that you would like to manage in a separate list.)

      In the Property Parameters dialog, configure the Header Name to be X-GoogApps-Allowed-Domains and set the Value to your organization's Google domain, in this example, "unixlabs.net".

      Click OK twice. You should now have an Event configuration that contains both Event rules.

  5. Select Finish.
  6. Test and validate your configuration.
Now users should not be able to access consumer Google Mail services, but should be able to access the corporate Google Mail services via the proxy.
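
The following added example (not McAfee or Web Gateway code) models what the two Event rules do to a request, so the expected result of step 6 can be reasoned about: any client-supplied copy of the header is removed, whatever its casing, and a single authoritative header is added. The host-matching logic and all function names are assumptions, since the article does not show the exact rule criteria; the domains are the article's examples.

```python
# Added example: models the rule's header handling; this is not Web Gateway code.
HEADER = "X-GoogApps-Allowed-Domains"
ALLOWED_DOMAINS = ["unixlabs.net", "unix.com"]  # example domains from the article


def host_in_scope(host, suffix="google.com"):
    """Assumed criteria: host is google.com or a subdomain (label-boundary match)."""
    host = host.lower().split(":")[0].rstrip(".")  # drop port and trailing dot
    return host == suffix or host.endswith("." + suffix)


def apply_rule(host, headers):
    """Return the (name, value) header list the proxy would forward upstream."""
    if not host_in_scope(host):
        return list(headers)  # rule does not fire; request passes unchanged
    # Event 1: remove every client-supplied copy; header names are case-insensitive.
    kept = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
    # Event 2: add the single authoritative header.
    kept.append((HEADER, ", ".join(ALLOWED_DOMAINS)))
    return kept


def policy_values(headers):
    """All values of the policy header present in a header list."""
    return [v for n, v in headers if n.lower() == HEADER.lower()]


def is_enforced(headers):
    """True when exactly one policy header with the expected value is present."""
    return policy_values(headers) == [", ".join(ALLOWED_DOMAINS)]


# Constructed sample request: the client tries to pre-set the header in two casings.
SPOOFED = [
    ("Host", "accounts.google.com"),
    ("x-googapps-allowed-domains", "gmail.com"),
    ("X-GoogApps-Allowed-Domains", "example.org"),
]

if __name__ == "__main__":
    forwarded = apply_rule("accounts.google.com:443", SPOOFED)
    print(policy_values(forwarded), is_enforced(forwarded))
    print(is_enforced(apply_rule("notgoogle.com", SPOOFED)))  # out of scope
```

If the removal step were skipped or matched header names case-sensitively, the forwarded request would carry more than one policy value and `is_enforced` would return False.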

© 2003-2013 McAfee, Inc.