We have a security policy to block the category Personal Storage (Google Drive and Google Docs).
Is there a way to allow a specific Google Docs site/user?
I have tried to whitelist the URL match *docs.google.com/a/tacr.cz/file/*
but it does not work as expected, i.e. to allow a specific GD user but block all others.
Is there any list of needed hosts for Google Docs? Any idea how to solve this?
I was about to post a similar question, so I'll tag along with this post and hope to get an answer.
What I've noticed is that even though the full request is https://docs.google.com/forms/d/[long string of junk here]/viewform, all URL properties only return docs.google.com. The problem in my case is that I don't want to open all of Google Docs. I just want to allow a particular form. This has worked great in the past for whitelisting specific YouTube videos based on matching a string in the URL, but it doesn't seem to work here. I'm thinking it might be because the initial connect request goes to docs.google.com due to SSL. The GET request for the specific form/page doesn't occur until after the connection is established.
Are there any other properties that I'm missing that I might be able to match against? Looks like the same answer would also solve the question posted above.
The most important thing to remember is that you have to do Content Inspection for any of this to work. Without it, as Trevor has indicated, you only have the host available for filtering and the rest of the URL & URL Path is encrypted inside the tunnel. See https://community.mcafee.com/docs/DOC-4810
Once you have Content Inspection enabled, the access.log is going to be a good way to troubleshoot this. Start by creating your basic exceptions for URL and then check the access.log after each unsuccessful attempt to load the page and look for any URLs that have a status code of 403 (blocked) to determine the additional URLs or Hosts that need to be allowed.
-Patrick on 9/17/13 6:56:11 PM CDT
We already have Content Inspection + SSL Scanner in place.
The strange thing is that in access.log the session is blocked by the category block rule even though there is a whitelist rule before the category block. The Allow rule is:
Stop ruleset (Content filter) if URL matches in list. In the list I use several URLs:
as criteria. Such URLs seem to be needed for GD viewer components and images.
This should also cover the load balancer hosts such as https://1.docs.google.com/a/tacr.cz/file/* etc.
But this combination still does not work. Looking at the linked document, I will need to add a CERTVERIFY command condition in the rule.
I will give it a try.
thx.
Message was edited by: lubomir.cerny on 9/18/13 8:31:38 AM CEST
Rule engine traces could be very helpful in determining why your whitelists are potentially not matching. Feel free to upload to our ftp server and let me know the filenames if you want me to take a look.
I had no luck with the ftp transfer. I can see no folders on the ftp using the credentials from the document on any of the listed ftp servers.
It seems that the connection will not stop on the specific rule. Please, can you look at the trace files + access.log? I uploaded them to my portal http://www.lcerny.cz/ke-stazeni/ostatni/google-docs-debug/download.html
There should be some issue in the SSL Scanner. The specific rule can match the host but not the URL path, even though I have the CONNECT and CERTVERIFY conditions as described in your first document 😞
Big thx.
Message was edited by: lubomir.cerny on 9/27/13 8:33:24 AM CEST
Our ftp servers do not support directory listings but you can still upload files by manually switching directories to the incoming folder.
I see in the traces that you have a rule set called "Allow specific Google Docs site" in which you have some criteria:
- 'Command.Name equals CONNECT' which evaluates to TRUE
- 'URL matches in list UNP Google Docs Allowed Sites' which evaluates to FALSE
When in the connect phase, you do not have the full URL. Your browser sends over "CONNECT docs.google.com HTTP/1.1". Therefore, you can only match on the URL "https://docs.google.com" or the URL.Host "docs.google.com" when in the CONNECT cycle. This is why your list entries do not match. You then eventually get blocked by the "Block Prohibited Categories" rule set while still in the CONNECT cycle.
There are two important things that you need in order to break into the SSL tunnel to see the URL:
1) Set the Client Context
2) Enable Content Inspection
You do not need to do Certificate Verification, but that is part of the criteria on the Content Inspect rule in the default SSL Scanner rule set.
I can't see the rest of your rules, as Rule Engine Traces only show me pieces of your policy if the criteria match.
Easiest solution if you can't get it to work by using only the two rules above: import the SSL Scanner rule set > give it criteria so that it only applies to URL.Host equals docs.google.com (if you don't want global SSL scanning). Then whitelist your individual URLs in your policy, after the SSL Scanner rule set, with a Stop Cycle action so that they don't fall down to the category block rule set.
If you still have trouble, I think the next course of action would be to open a support case with a feedback file so that we have your full policy available and can make more specific recommendations based on your rule sets.
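To make the CONNECT-cycle point concrete, here is an added Python model (not the Web Gateway rule engine and not code posted by anyone in this thread) that evaluates the thread's whitelist patterns once against what the engine sees during CONNECT (host only) and once against the decrypted request after Content Inspection. Glob-style wildcard matching, the function names and the host-only exception are assumptions made for the model.

```python
import fnmatch
from urllib.parse import urlsplit

# Whitelist patterns quoted in the thread; "*" is treated as a glob wildcard
# (modelling assumption for the engine's "URL matches in list" criterion).
ALLOWED_URLS = [
    "*docs.google.com/a/tacr.cz/file/*",
    "https://1.docs.google.com/a/tacr.cz/file/*",
]

def connect_cycle_view(host):
    """What the rule engine has during the CONNECT cycle: the browser sent
    'CONNECT host HTTP/1.1', so the URL property is only https://host."""
    return {"Command.Name": "CONNECT", "URL": f"https://{host}", "URL.Host": host}

def request_cycle_view(full_url):
    """What the engine has once Content Inspection has decrypted the tunnel:
    the inner GET exposes the full URL including the path."""
    parts = urlsplit(full_url)
    return {"Command.Name": "GET", "URL": full_url, "URL.Host": parts.hostname}

def url_matches_in_list(view, patterns):
    """'URL matches in list' criterion evaluated on the URL currently visible."""
    return any(fnmatch.fnmatchcase(view["URL"], p) for p in patterns)

def evaluate_policy(view, allowed_urls, allowed_hosts=()):
    """Simplified rule order from the thread: the whitelist rule set runs first,
    anything not stopped there falls through to the category block.
    allowed_hosts models a host-only exception that lets CONNECT reach the
    SSL Scanner, since no path pattern can match in that cycle."""
    if view["Command.Name"] == "CONNECT" and view["URL.Host"] in allowed_hosts:
        return "ALLOW"  # Stop Cycle: tunnel may be established and inspected
    if url_matches_in_list(view, allowed_urls):
        return "ALLOW"  # Stop Cycle: whitelisted URL path
    return "BLOCK"      # "Block Prohibited Categories" (403 in access.log)

if __name__ == "__main__":
    connect = connect_cycle_view("docs.google.com")
    print("CONNECT, path patterns only:", evaluate_policy(connect, ALLOWED_URLS))
    print("CONNECT, host exception:", evaluate_policy(connect, ALLOWED_URLS, {"docs.google.com"}))
    get = request_cycle_view("https://docs.google.com/a/tacr.cz/file/d/constructed-id/view")
    print("GET after inspection:", evaluate_policy(get, ALLOWED_URLS))
```

The first CONNECT evaluation reproduces the trace in this thread: the path patterns cannot match a bare host, so the session falls through to the category block before the SSL Scanner ever sees the request.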
Allowing the CONNECT and CERTVERIFY commands exclusively for that host prior to checking against the URL filter did the trick. Hopefully Lubomir is able to produce the same results after a bit of work with the rule set.