Hi,

Hope you are doing well.

Request header:-

:authority: accounts.google.com
:method: GET
:path: /ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/&ss=1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
referer: https://mail.google.com/mail/u/0/
sec-fetch-mode: navigate
sec-fetch-site: same-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
x-chrome-connected: mode=0,enable_account_consistency=false,consistency_enabled_by_default=false
x-chrome-id-consistency-request: version=1,client_id=77185425430.apps.googleusercontent.com,device_id=73300007-257e-4017-bdd6-46d66e379f7d,sync_account_id=101765331579103537331,signin_mode=all_accounts,signout_mode=show_confirmation
x-client-data: CJS2yQEIo7bJAQjEtskBCKmdygEI4qjKAQjLrsoBCM6wygEI57HKAQj3tMoBGKukygE=

referer: https://mail.google.com/mail/u/0/

So say you are doing SSL Scanning on MWG and need to allow accounts.google.com while login into gmail only.

You already have a rule to block accounts.google.com.

You can create 2 rules as below in order to allow accounts.google.com while login into gmail only

First rule use below criteria:-

(Command.Name equals CONNECT or Command.Name equals CERTVERIFY) AND URL.host equals accounts.google.com   and  set action as Stop Rule Set/ Stop Cycle accordingly.

Second rule will use below criteria:-

URL matches *accounts.google.com/*mail.google.com*  and  set action as Stop Rule Set/ Stop Cycle accordingly.

You can also make use of  Referer field.

Second Rule will be URL matches *https://accounts.google.com/ServiceLogin*  AND Header.Request.Get(Referer) matches *mail.google.com*

Regards

Alok Sarda

Wow, thanks!

I will give this a go as soon as I get the opportunity, will probably then be back with questions if I can't get it working!

Hi,

Yes you can make use of Referer field as mentioned in my last reply.

You first need to allow CONNECT and CERTVERIFY for accounts.google.com, so that SSL is done successfully  and thus after this you can see GET/POST request flowing inside SSL channel.

So in general accounts.google.com will still be getting blocked in the GET/POST  request being received by MWG not having referrer as mail.google.com

Regards

Alok Sarda

Could I do all of this within the same rule?

So I am thinking of the following::

Application.Name is in list Gmail

OR

Header.Request.Get(String) matches https://mail.google.com/*

AND

Authentication.UserGroups contains <Gmail AD Group Name>

Would that work?  (As a reminder I am trying to allow a specific Gmail AD Group to access Gmail and block it as a Webmail Category for everyone else)

Any requirement now to make any reference to accounts.google.com?

Also when I select the Header.Request.Get property, there is a drop-down box at the bottom right that says 'parameters'.  I have the option of putting a parameter value there.  Do I need to do that?  I've already specified the mail.google.com URL in the criteria section of this rule.  I am confused as to what value this parameter requires.  Please can you advise?

thanks!

Hi everyone

I tried configuring gmail as outlined using the referrer header and it didn't work - my test user in the gmail AD group was then blocked.  I will try and upload a picture to illustrate what I configured as I probably did it wrong! 

I notice there were property parameter options for the Header Name but I left it blank:

Should I have put something in here?

This is what I originally had configured which worked but required a custom category that included accounts.google.com:

Any thoughts and guidance would be hugely appreciated

Oh yes LOL i knew it would be something simple, many thanks!