iburke
Level 7

GMail being blocked as "common name mismatch"

Can someone let me know how to allow staff to type in gmail.com in their browser and not get the attached "common name mismatch" error? I imagine it is simple, but I am pretty inexperienced with the MWG policy editing. I am able to get it to work if I simply add gmail.com to the global whitelist, but that is not an ideal solution. Thanks.

0 Kudos
6 Replies
philiprey
Level 10

Re: GMail being blocked as "common name mismatch"

Hi iburke,

It is better if you use a bypass rule with a "Stop Rule Set" action for gmail.com in the Certification Verification ruleset rather than using the global whitelist.

The default global whitelist uses the Stop Cycle action, which stops the checking of the traffic against the other rules.

This means it bypasses your DLP ruleset, AV scanning, among others. But this is also a temporary workaround. You must divulge more unto why you receive the CN error.

Regards,
Philip

0 Kudos
btlyric
Level 12

Re: GMail being blocked as "common name mismatch"

Haven't tested this, but what if you added a rule something like this?

Criteria: URL.Host.BelongsToDomains (gmail.com) equals true

Action: Continue

Events: Set URL.Host = "mail.google.com"

When someone puts www.gmail.com into their web browser, MWG would change that to mail.google.com before you reach certificate verification so the certificate CN should then match.

This would need to go above the certificate verification rules in the SSL Scanner rule set.

0 Kudos
agentdr8
Level 7

Re: GMail being blocked as "common name mismatch"

Having this same issue too. We're on the 7.4.2 beta (to address a different, although similar issue), so it might be something that needs to go back to Engineering.

I tried the rule suggested by btlyric above, but it sent the browser into a loop. Seems that www.gmail.com is a CNAME for mail.google.com, but the MWG doesn't like that the cert presented isn't the one that is initially requested.

Will see what PS has to say about this.

0 Kudos
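
The mismatch discussed in this thread, as an added Python example that is not part of any post and is not MWG's own logic: a simplified RFC 6125-style name check showing that the comparison uses the host the browser asked for, not the CNAME target. The certificate names are constructed sample values, and `hostname_matches` and `check_certificate` are hypothetical helper names.

```python
def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Case-insensitive label-by-label match.

    A wildcard is honoured only as the entire left-most label, covers
    exactly one label, and needs at least two labels after it.
    """
    host = hostname.lower().rstrip(".").split(".")
    name = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(name) or "" in host:
        return False
    if name[0] == "*":
        return len(name) >= 3 and host[1:] == name[1:]
    return host == name


def check_certificate(requested_host, common_name, san_dns=()):
    """Return (ok, names_checked).

    When the certificate carries SAN dNSName entries they are the names
    checked; the CN is only a fallback when there are none.
    """
    names = list(san_dns) if san_dns else [common_name]
    ok = any(hostname_matches(requested_host, n) for n in names)
    return ok, names


if __name__ == "__main__":
    # Constructed sample: a certificate whose only name is mail.google.com.
    cn = "mail.google.com"
    for host in ("www.gmail.com", "gmail.com", "mail.google.com"):
        ok, names = check_certificate(host, cn)
        # The verifier compares against the host that was requested; a DNS
        # CNAME from that host to mail.google.com does not change the input.
        print(f"{host:18} vs {names}: {'match' if ok else 'common name mismatch'}")

    # Constructed sample: a wildcard SAN covers one label only.
    for host in ("mail.google.com", "a.mail.google.com", "google.com"):
        ok, _ = check_certificate(host, cn, san_dns=["*.google.com"])
        print(f"{host:18} vs ['*.google.com']: {ok}")
```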
McAfee Employee

Re: GMail being blocked as "common name mismatch"

If you have an SR # let me know what it is.

Best,

Jon

0 Kudos
agentdr8
Level 7

Re: GMail being blocked as "common name mismatch"

4-5694582383

0 Kudos
McAfee Employee

Re: GMail being blocked as "common name mismatch"

We're thinking this could be MCP or WinXP related. Does anyone else match these criteria?

Best,

Jon

0 Kudos