McAfee Employee jebeling
Message 1 of 3

How Do I Create Tenant Restrictions for Slack and Box with MWG and WGCS?


What if I would like to restrict Slack use to just my company's workspaces and restrict Box usage to just our corporate account?

2 Solutions

Accepted Solutions
McAfee Employee jebeling
Message 2 of 3

Re: How Do I Create Tenant Restrictions for Slack and Box with MWG and WGCS?


There are multiple ways to accomplish this with Slack via browser access. Use of the Slack app will likely bypass any rules as the app uses websockets, so if you want to implement tenant restrictions you probably need to disable use of the app, by blocking websockets. See here for Slack article on connection requirements and here for McAfee article on websockets.

To allow Slack use of websockets through MWG you need to import the websockets ruleset into common and add the following Slack websocket sites to the whitelist: *.slack-msgs.com wss-primary.slack.com wss-backup.slack.com wss-mobile.slack.com


One way to implement tenant restrictions for Slack is strictly using URL filtering capabilities based on domain, host, and path. Note that this method does require HTTPS content scanning to be enabled for all Slack domains. 

Rule Set: Slack Tenant Restrictions Orig
[✔] Enabled [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria:
  1: URL.Host.BelongsToDomains(Slack Domains) equals true

Rules:
  [✔] Enabled: Allow Slack API Hosts
      1: URL.Host is in list Slack API Hosts
      Action: Stop Rule Set

  [✔] Enabled: Slack Tenant Restrictions
      1: URL.Host does not match in list Slack Allowed Hosts / Workspaces
      2: AND URL does not match in list Allowed Slack URLs
      Action: Block<URL Blocked>

 

Lists of type String

Slack API Hosts
  1  api.slack.com

Slack Domains
  1  slack.com
  2  slack-edge.com

Lists of type Wildcard Expression

Allowed Slack URLs
  1   http*://slack.com/get-started*    Generic Getting Started URL
  2   http*://slack.com/signin*    Generic Login URL
  3   http*://slack.com/templates*    Generic Template URL
  4   http*://www.slack.com    Generic Home Page URL
  5   http*://www.slack.com/    Generic Home Page URL
  6   http*://slack.com    Generic Home Page URL
  7   http*://slack.com/    Generic Home Page URL
  8   http*://*slack-edge.com/*
  9   http*://*slack-edge.com
  10  http*://slack.com/api/*
  11  http*://slack.com/clog/*
  12  http*://go.slack.com/get-started*
  13  http*://go.slack.com
  14  http*://go.slack.com/
  15  http*://slack.com/*go-redir*
  16  http*://slack.com/your-workspaces*
  17  http*://join.slack.com/*
  18  http*://join.slack.com/
  19  http*://join.slack.com
  20  http*://slack.com/checkcookie*
  21  http*://slack.com/favicon.ico
  22  http*://wss-*.slack.com
  23  http*://wss-*.slack.com/*
  24  http*://slack.com/beacon/*
  25  http*://slack.com/signout/*
  26  http*://app.slack.com
  27  http*://app.slack.com/
  28  http*://slack.com/downloads/*
  29  http*://slack.com/ssb/*
  30  http*://downloads.slack-edge.com/*
  31  http*://app.slack.com/*/chillistore-mcafee/*    Workspace chillistore-mcafee; replace "chillistore-mcafee" with allowed workspace
  32  http*://app.slack.com/*/mcafeedesign/*    Workspace mcafeedesign; replace "mcafeedesign" with allowed workspace

Slack Allowed Hosts / Workspaces
  1  mcafeedesign.*slack.com    McAfee workspace (mcafeedesign); replace with allowed workspace name
  2  chillistore-mcafee.*slack.com    McAfee workspace (chillistore-mcafee); replace with allowed workspace name

 

Note that loose use of wildcards in host and URL criteria is not an issue because we are already qualified to just the domain specified in the first criteria. That is, URL and host matches will only be evaluated if the host belongs to the specified domain in the first criteria. Without that qualification, you would not want to use *slack.com* because that also matches maliciousslack.com and slack.com.malicious.com.

McAfee Employee jebeling
Message 3 of 3

Re: How Do I Create Tenant Restrictions for Slack and Box with MWG and WGCS?


Actually I like this one better:

Use of the Slack app will likely bypass any rules as the app uses websockets, so if you want to implement tenant restrictions you probably need to disable use of the app, by blocking websockets. See here for Slack article on connection requirements and here for McAfee article on websockets.

To allow Slack use of websockets through MWG you need to import the websockets ruleset into common and add the following Slack websocket sites to the whitelist: *.slack-msgs.com wss-primary.slack.com wss-backup.slack.com wss-mobile.slack.com


Note that this method does require HTTPS content scanning to be enabled for all Slack domains. 

Rule Set: Slack Tenant Restrictions New
[✔] Enabled [✔] Enabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria:
  1: URL.Host.BelongsToDomains(Slack Domains) equals true

Rules:
  [✔] Enabled: Allow Generic Slack Hosts and Generic Slack Host Domains
      1: URL.Host is in list Generic Slack Hosts
      2: OR URL.Host.BelongsToDomains(Generic Slack Host Domains) equals true
      Action: Stop Rule Set

  [✔] Enabled: Allow Slack API Hosts
      1: URL.Host is in list Slack API Hosts
      Action: Stop Rule Set

  [✔] Enabled: Allow Workspace Specific Slack Hosts
      1: URL.Host matches in list Workspace Specific Slack Hosts
      Action: Stop Rule Set

  [✔] Enabled: Allow Workspace Path Qualified Slack Hosts
      1: URL.Host is in list Workspace Path Qualified Slack Hosts
      2: AND (URL.Path matches in list Allowed Slack Workspace Paths
      3: OR URL.Path equals "")
      Action: Stop Rule Set

  [✔] Enabled: Block All Other Slack Access
      Always
      Action: Block<URL Blocked>

 

Lists of type String

Generic Slack Host Domains
  1  slack-edge.com

Generic Slack Hosts
  1   www.slack.com
  2   slack-edge.com
  3   go.slack.com
  4   join.slack.com
  5   slack.com
  6   files.slack.com
  7   my.slack.com
  8   slack-msgs.com
  9   slack-files.com
  10  slack-imgs.com
  11  slack-core.com
  12  slack-redir.net
  13  edgeapi.slack.com
  14  wss-primary.slack.com
  15  wss-backup.slack.com
  16  wss-mobile.slack.com

Slack API Hosts
  1  api.slack.com

Slack Domains
  1  slack.com
  2  slack-edge.com

Workspace Path Qualified Slack Hosts
  1  app.slack.com

Lists of type Wildcard Expression

Allowed Slack Workspace Paths
  1  /*/chillistore-mcafee/*    Workspace chillistore-mcafee; replace "chillistore-mcafee" with allowed workspace
  2  /*/mcafeedesign/*    Workspace mcafeedesign; replace "mcafeedesign" with allowed workspace
  3  /

Workspace Specific Slack Hosts
  1  mcafeedesign.*slack.com    McAfee workspace (mcafeedesign); replace with allowed workspace name
  2  chillistore-mcafee.*slack.com    McAfee workspace (chillistore-mcafee); replace with allowed workspace name
  3  ebelingtest.*slack.com

This one is a little more easy to follow, should be easier to adjust and has shorter lists. 😉 
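
The "Slack Tenant Restrictions New" rule order, and the point from the earlier reply about why loose wildcards are only safe behind the domain criteria, can be checked offline with a small model. This is an added example, not part of the original posts and not McAfee code. It assumes BelongsToDomains means "the domain itself or a subdomain", approximates MWG wildcard expressions with glob matching, abridges the host lists, and uses constructed sample URLs.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Lists abridged from the "Slack Tenant Restrictions New" rule set on this page.
SLACK_DOMAINS = ["slack.com", "slack-edge.com"]
GENERIC_HOSTS = {"www.slack.com", "slack.com", "go.slack.com", "join.slack.com",
                 "files.slack.com", "my.slack.com", "edgeapi.slack.com"}
GENERIC_HOST_DOMAINS = ["slack-edge.com"]
API_HOSTS = {"api.slack.com"}
WORKSPACE_HOSTS = ["mcafeedesign.*slack.com", "chillistore-mcafee.*slack.com"]
PATH_QUALIFIED_HOSTS = {"app.slack.com"}
WORKSPACE_PATHS = ["/*/chillistore-mcafee/*", "/*/mcafeedesign/*", "/"]

def belongs_to_domains(host, domains):
    # Assumed semantics: the host is the domain itself or a subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)

def matches(value, patterns):
    # Glob matching as an approximation of MWG wildcard expressions.
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(url):
    """Return 'skip' (rule set not entered), 'pass' (Stop Rule Set) or 'block'."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), parts.path
    if not belongs_to_domains(host, SLACK_DOMAINS):
        return "skip"    # rule set criteria not met; other rule sets decide
    if host in GENERIC_HOSTS or belongs_to_domains(host, GENERIC_HOST_DOMAINS):
        return "pass"
    if host in API_HOSTS:
        return "pass"
    if matches(host, WORKSPACE_HOSTS):
        return "pass"
    if host in PATH_QUALIFIED_HOSTS and (matches(path, WORKSPACE_PATHS) or path == ""):
        return "pass"
    return "block"       # "Block All Other Slack Access"

if __name__ == "__main__":
    # Constructed sample URLs; "otherco" is a hypothetical non-corporate workspace.
    for url in ["https://mcafeedesign.slack.com/messages",
                "https://otherco.slack.com/",
                "https://app.slack.com/client/mcafeedesign/C123",
                "https://app.slack.com/client/otherco/C123",
                "https://mcafeedesign.maliciousslack.com/"]:
        print(f"{evaluate(url):5}  {url}")
    # The loose host wildcard alone would accept the lookalike host:
    print(matches("mcafeedesign.maliciousslack.com", WORKSPACE_HOSTS))
```

The lookalike host comes back as "skip", not "block": it never enters this rule set, so whether it is reachable depends on the rest of the policy.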
