That's what I've done. But as you pointed out, because that URL is used for all google properties, this rule will affect other sites like youtube.com.
Would the URL.ParametersString property be any use here?
Hi,
Hope you are doing well.
Request header:-
:authority: accounts.google.com
:method: GET
:path: /ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
referer: https://mail.google.com/mail/u/0/
sec-fetch-mode: navigate
sec-fetch-site: same-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
x-chrome-connected: mode=0,enable_account_consistency=false,consistency_enabled_by_default=false
x-chrome-id-consistency-request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=73300007-257e-4017-bdd6-46d66e379f7d,sync_account_id=101765331579103537331,signin_mode=all_accounts,signout_mode=show_confirmation
x-client-data: CJS2yQEIo7bJAQjEtskBCKmdygEI4qjKAQjLrsoBCM6wygEI57HKAQj3tMoBGKukygE=
referer: https://mail.google.com/mail/u/0/
So say you are doing SSL Scanning on MWG and need to allow accounts.google.com only while logging in to Gmail.
You already have a rule to block accounts.google.com.
You can create 2 rules as below in order to allow accounts.google.com only while logging in to Gmail.
The first rule uses the criteria below:
(Command.Name equals CONNECT or Command.Name equals CERTVERIFY) AND URL.host equals accounts.google.com and set action as Stop Rule Set / Stop Cycle accordingly.
The second rule uses the criteria below:
URL matches *accounts.google.com/*mail.google.com* and set action as Stop Rule Set / Stop Cycle accordingly.
You can also make use of the Referer field.
The second rule will then be URL matches *https://accounts.google.com/ServiceLogin* AND Header.Request.Get(Referer) matches *mail.google.com*
Regards
Alok Sarda
Wow, thanks!
I will give this a go as soon as I get the opportunity, will probably then be back with questions if I can't get it working!
Hi,
Yes, you can make use of the Referer field as mentioned in my last reply.
You first need to allow CONNECT and CERTVERIFY for accounts.google.com, so that SSL is done successfully, and after this you can see the GET/POST requests flowing inside the SSL channel.
So in general accounts.google.com will still be blocked for GET/POST requests received by MWG that do not have mail.google.com as the referrer.
Regards
Alok Sarda
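The two-rule logic from the replies above, modelled in Python as an added example (this is not MWG rule syntax and not code from the thread). It assumes MWG's "matches" wildcard behaves like a shell glob, that "Stop Rule Set" skips the existing accounts.google.com block rule, and uses constructed sample requests; the function and constant names are hypothetical.

```python
from fnmatch import fnmatchcase

HOST = "accounts.google.com"

# Constructed sample requests (shortened from the header dump in the thread).
GMAIL_URL = ("https://accounts.google.com/ServiceLogin?service=mail"
             "&passive=true&continue=https://mail.google.com/mail/")
GMAIL_REFERER = "https://mail.google.com/mail/u/0/"
OTHER_URL = ("https://accounts.google.com/ServiceLogin?service=youtube"
             "&continue=https://www.youtube.com/")
OTHER_REFERER = "https://www.youtube.com/"


def decide(command, host, url="", referer="", use_referer=True):
    """Return 'allow', 'block' or 'next' (no rule here matched)."""
    # Rule 1: let CONNECT/CERTVERIFY through so SSL scanning can open the
    # tunnel and the inner GET/POST requests become visible to later rules.
    if command in ("CONNECT", "CERTVERIFY") and host == HOST:
        return "allow"

    # Rule 2, in the two forms suggested in the thread.
    if use_referer:
        gmail_login = (
            fnmatchcase(url, "*https://accounts.google.com/ServiceLogin*")
            and fnmatchcase(referer, "*mail.google.com*")
        )
    else:
        gmail_login = fnmatchcase(url, "*accounts.google.com/*mail.google.com*")
    if gmail_login:
        return "allow"

    # Existing rule: every other request to accounts.google.com is blocked.
    if host == HOST:
        return "block"
    return "next"


if __name__ == "__main__":
    print(decide("CONNECT", HOST))                         # tunnel setup
    print(decide("GET", HOST, GMAIL_URL, GMAIL_REFERER))   # Gmail login
    print(decide("GET", HOST, OTHER_URL, OTHER_REFERER))   # other property
```

The Referer header is supplied by the client, so the Referer form narrows which logins pass rather than identifying the user.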
Could I do all of this within the same rule?
So I am thinking of the following:
Application.Name is in list Gmail
OR
Header.Request.Get(String) matches https://mail.google.com/*
AND
Authentication.UserGroups contains <Gmail AD Group Name>
Would that work? (As a reminder I am trying to allow a specific Gmail AD Group to access Gmail and block it as a Webmail Category for everyone else)
Any requirement now to make any reference to accounts.google.com?
Also when I select the Header.Request.Get property, there is a drop-down box at the bottom right that says 'parameters'. I have the option of putting a parameter value there. Do I need to do that? I've already specified the mail.google.com URL in the criteria section of this rule. I am confused as to what value this parameter requires. Please can you advise?
thanks!
Hi everyone
I tried configuring gmail as outlined using the referrer header and it didn't work - my test user in the gmail AD group was then blocked. I will try and upload a picture to illustrate what I configured as I probably did it wrong!
I notice there were property parameter options for the Header Name but I left it blank:
Should I have put something in here?
This is what I originally had configured which worked but required a custom category that included accounts.google.com:
Any thoughts and guidance would be hugely appreciated
Oh yes LOL, I knew it would be something simple, many thanks!