One Drive Personal Read Only Rule

I am in the process of creating a Read Only rule for Personal Network Storage sites.  I have hit a bit of a brick wall with regards to One Drive Personal.  When doing a rule trace I do not see any connections to anything pertaining to an upload.  We use OneDrive for Business so I need to be careful not to restrict access to that.

My current approach involves searching the header for any identifiers of upload activity as well as blocking sites that explicitly use upload in the URL.  This approach doesn't seem to work with One Drive.

Has anyone been able to successfully create a Read Only rule for One Drive personal?

7 Replies

Re: One Drive Personal Read Only Rule

Traditionally, you would expect to see either independent POST requests, or a POST inside a TLS CONNECT tunnel.  And, this may not be to the host you were seeing for establishing the One Drive session.

Are you doing SSL/TLS inspection/interception?

Re: One Drive Personal Read Only Rule

Yes, we are doing SSL Inspections.  I do see POSTs but not during the actual file upload process.

Re: One Drive Personal Read Only Rule

I just realized, I've seen rule traces of large downloads in which trickling and progress pages are enabled, and you see a response cycle for each scanned chunk.  I imagine that this must also be the case for POSTs, only it would be multiple request cycles.

Is the opener or trickling enabled for those POSTs?

Re: One Drive Personal Read Only Rule

So I am seeing POSTs now.  Looks like an oversight on my part.

Re: One Drive Personal Read Only Rule

I see the POST in the browser but the corresponding rule trace on the proxy is showing a CONNECT.

Re: One Drive Personal Read Only Rule

Looks like you're bypassing your SSL inspection rules (for O365?), which means you can't see any POST that might exist within that CONNECT.

One thing about rule tracing on SSL inspection (and there are some weird quirks): the rule trace entries that do not end in a slash are a CONNECT, which will have two requests before the response, the first being the CONNECT, the second being the CERTVERIFY.  Any GET or POST (or HEAD, etc.) inside that HTTPS CONNECT tunnel will appear as subsequent rule trace entries--and they will at least have a slash at the end (if not more of a path).  The only way that I know of to relate those subsequent lines, and there can be many, is that the host name is exactly the same (it has to match, no choice).  But, if you see multiple CONNECTs before the GETs and POSTs (etc.) you won't know which one is in which tunnel (unless there's some kind of id somewhere that I don't know about).
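
The correlation described in the reply above, as an added example that is not part of the original thread: it assumes a simplified trace of one URL per entry with a scheme (a constructed format, not the product's actual rule trace output), and the function names are hypothetical. Hosts that show only a CONNECT are the ones where inspection was bypassed, so no POST inside the tunnel can be matched by a rule.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample: simplified rule trace entries (URL only), not real product output.
SAMPLE_TRACE = [
    "https://inspected.example.com",         # CONNECT (no slash after the host)
    "https://inspected.example.com/",        # request inside the tunnel
    "https://inspected.example.com/upload",  # request inside the tunnel
    "https://bypassed.example.net",          # CONNECT only: tunnel content never seen
    "https://twice.example.org",
    "https://twice.example.org",             # second CONNECT to the same host
    "https://twice.example.org/api/item",
]

def is_connect(entry):
    """Per the reply above: an entry with no slash after the host is a CONNECT."""
    return urlsplit(entry).path == ""

def correlate(entries):
    """Group entries by exact host name and classify each host."""
    hosts = OrderedDict()
    for entry in entries:
        host = urlsplit(entry).hostname
        info = hosts.setdefault(host, {"connects": 0, "inner": []})
        if is_connect(entry):
            info["connects"] += 1
        else:
            info["inner"].append(entry)

    report = {}
    for host, info in hosts.items():
        if info["connects"] and not info["inner"]:
            status = "connect-only"  # not inspected: method/body rules cannot match
        elif info["connects"] > 1:
            status = "ambiguous"     # inner requests cannot be tied to one tunnel
        elif info["connects"] == 1:
            status = "inspected"
        else:
            status = "no-connect"    # requests seen without any CONNECT entry
        report[host] = (status, info["connects"], len(info["inner"]))
    return report

if __name__ == "__main__":
    for host, (status, connects, inner) in correlate(SAMPLE_TRACE).items():
        print(f"{host}: {status} (CONNECTs={connects}, inner requests={inner})")
```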

Re: One Drive Personal Read Only Rule

You are correct... This block is above the SSL inspection, which explains why I do not see any of the POSTs and only see CONNECTs.  This presents an interesting problem seeing that onedrive.live.com (personal one drive) is in the McAfee subscribed lists for O365.  As you can see we whitelist O365 URLs.