Application Control configuration

Hi all

I am new to MWG so forgive me if this is a really stupid question!  My customer is looking to allow specific cloud storage and webmail URLs such as gmail and Onedrive for a small subset of AD users.  I've configured this right now with custom categories (eg *mail.google.com* & *gmail.com* for Gmail) but it's been suggested that using Application Controls might be a more effective and less maintenance-heavy approach, particularly for Onedrive which requires dozens of URLs unless you just super-set them to *microsoft.com* etc. 

I have never configured Application Control before and am wondering if there is a best practise guide to doing it, since the admin guide doesn't have much to say about it.  I specifically would like to know what the difference is between the Application.Name and the Application.ToString.  I know the official answer is this:

| Type | Type of property | Description |
|---|---|---|
| Application.Name | Applcontrol | This property contains the application name of the current request |
| Application.ToString | String | Converts an application control value to string |

 

...but this is still meaningless to me.  Please can someone give me a more human explanation? 

Which one works best?  Which one should I use to control usage of things like Onedrive, gmail and icloud?

I googled MWG App Control and found this clip:  https://www.youtube.com/watch?v=uDxZFKYFX5E but he seems to be manually typing the App name into the configuration - why would you do that when you can browse through the whole list of applications and select the one you want, to avoid potential typos?  There must be a good reason as he clearly knows the product very well.  Please can someone explain?

A step by step guide to configuring Application Control, if one exists, would be hugely appreciated along with answers to one or all of my questions.

thanks in advance!

Accepted Solutions
McAfee Employee aloksard
Message 2 of 32

Re: Application Control configuration

Hi,

Hope you are doing well.

 

You should create a rule based on criteria Application.Name.

We have applications named Gmail, Microsoft OneDrive, Microsoft OneDrive For Business, and iCloud.

You can create a rule using criteria Application.Name is in list and add all the above-mentioned applications and then configure the action to the rule accordingly.

 


Regards

Alok Sarda

Re: Application Control configuration

Thank you, you have exactly answered my question, I am very grateful! 🙂

Re: Application Control configuration

Hello, I have another question about this.  I have configured a Gmail rule using the Gmail application Control, and the MWG is not picking up that accounts.google.com is Gmail.  I have had to add a custom URL category to my rule but I was hoping to avoid having to do that.  Do you have any advice?

many thanks

McAfee Employee aloksard
Message 5 of 32

Re: Application Control configuration

Hi,

Hope you are doing well. 

 

The accounts.google.com URL gets categorized under Application name as Google.

 

Attaching screenshot for reference.

 

Regards

Alok Sarda

Re: Application Control configuration

Hi Alok

Thanks for the reply

So the problem with this is, my customer wants to allow Gmail for a specific Gmail AD group only.  Further down in this new Application Control ruleset is a catchall rule which blocks the URL category of webmail for everyone else. (This seemed to me to be the best way of doing it but if you can think of a better way I would love to hear it!)

So when the user in the Gmail AD group tries to navigate to gmail.com, the first URL requested by the browser, according to Rule Tracing Central, is accounts.google.com.  The MWG misses this as being part of the gmail application, but recognises it as being a webmail URL, and the user is blocked when he should be allowed.

I am wondering if this is a problem with the Application Control categorisation, or if I am doing something wrong!!

McAfee Employee aloksard
Message 7 of 32

Re: Application Control configuration

Hi,

Hope you are doing well.

mail.google.com and gmail.com are successfully getting categorized under the Gmail application.

I am checking internally at my end regarding Application categorization for accounts.google.com.

Meanwhile you can allow accounts.google.com using criteria URL.host or any other URL-related property for the specific Gmail AD group.

Please refer to the link below for the same:

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-URL-related-Properties/ta-p/5540...

 

 

Regards

Alok Sarda

Reliable Contributor AaronT
Message 8 of 32

Re: Application Control configuration

Add that as a condition of the rule. Here's the dilemma:

accounts.google.com is used to log in to all Google properties - not just gmail. If you have SSL inspection enabled, you will notice that it has the Google property in the URL (below is an example - the property being logged into is bolded):

https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&checkConnection=youtube%3A612%3...

In this case the URL is categorized as Blogs/Wiki, because it has blogger.com. If you see one with youtube.com, it will be streaming media; similarly, the gmail login will be categorized as Web Mail.

This domain has caused us headaches in rules, which is likely why it isn't in the application rule. We use this domain with our corresponding domain rules to ensure things work.

Also note, client6.google.com (I think that's the domain) is used with Google Docs/Drive, but is not in the application rule either. Just a heads-up.

Re: Application Control configuration

Hi

How would I add that as a condition of the rule?

The specific URL that is being blocked by the URL rule as webmail is this:

https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.go...

So obviously you can see that within the URL, mail.google.com is featured.  Is there a way to add this into a custom URL category?  Currently my custom URL category consists of:

*mail.google.com*

*gmail.com*

*accounts.google.com* 

which is not ideal!

Thanks in advance

Reliable Contributor AaronT
Message 10 of 32

Re: Application Control configuration

Why not make a rule that uses the Gmail application OR the accounts.google.com in it? That's the cleanest solution.
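
The rule order discussed in this thread, as a simplified model added here (not part of any post, and not McAfee Web Gateway code or configuration): a group allow rule on the Gmail application, followed by a catch-all block on the webmail category, with and without the OR condition on accounts.google.com. The group name, rule names, lookup tables and sample URLs are constructed, and keying the login URL's category on its `service` parameter is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed tables modelling what the thread reports; not McAfee's data.
APP_BY_HOST = {"mail.google.com": "Gmail", "gmail.com": "Gmail",
               "accounts.google.com": "Google"}
# Assumption: the login URL's category follows its "service" parameter.
CATEGORY_BY_SERVICE = {"mail": "Web Mail", "youtube": "Streaming Media"}
GMAIL_GROUP = "Gmail-Users"  # hypothetical AD group name

# Constructed sample requests (the URLs quoted in the thread are truncated).
LOGIN_MAIL = ("https://accounts.google.com/ServiceLogin"
              "?service=mail&continue=https://mail.google.com/mail/")
LOGIN_YOUTUBE = "https://accounts.google.com/ServiceLogin?service=youtube"
INBOX = "https://mail.google.com/mail/u/0/"


def classify(url):
    """Return (host, application, category) for a request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    app = APP_BY_HOST.get(host)
    if host == "accounts.google.com":
        service = parse_qs(parts.query).get("service", [""])[0]
        category = CATEGORY_BY_SERVICE.get(service, "Uncategorized")
    else:
        category = "Web Mail" if app == "Gmail" else "Uncategorized"
    return host, app, category


def evaluate(url, groups, or_login_host):
    """Walk the rules top-down; the first match decides (action, rule)."""
    host, app, category = classify(url)
    # Rule 1: Gmail application, optionally OR the shared login host.
    matches = app == "Gmail" or (or_login_host and host == "accounts.google.com")
    if GMAIL_GROUP in groups and matches:
        return "allow", "gmail-group"
    # Rule 2: catch-all that blocks the webmail category for everyone else.
    if category == "Web Mail":
        return "block", "webmail-catchall"
    return "allow", "no-match"


if __name__ == "__main__":
    for flag in (False, True):
        for url in (INBOX, LOGIN_MAIL, LOGIN_YOUTUBE):
            print(flag, evaluate(url, {GMAIL_GROUP}, flag), url)
```

With the OR condition enabled, the group rule also matches the constructed YouTube login, which is the caveat raised above: the host condition covers logins for every Google property, not only Gmail.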