irene14
Level 7
Message 1 of 6

URL categorised differently from trusted source

URL https://www.icloud.com/mail is categorised as Web Mail on TrustedSource, but error on Internal proxy is categorising it as "Personal Network Storage, Interactive Web Applications". Changing the category on Extended list does not fix the issue as the site is still being blocked. We need to only allow icloud.com/mail and not the whole icloud.com site. Thanks.
5 Replies
aloksard
McAfee Employee
Message 2 of 6

Re: URL categorised differently from trusted source

Hi,

Hope you are doing well.

 

URL https://www.icloud.com is categorized under categories - Personal Network Storage and Interactive Web Applications.

URL https://www.icloud.com/mail is categorized under category Web Mail.

 

As this is an explicit proxy setup, the first request MWG will receive is a CONNECT request with URL.host www.icloud.com, which will be categorized under the categories Personal Network Storage and Interactive Web Applications.

 

Only if SSL Scanner is enabled on the device will MWG be able to see the GET request https://www.icloud.com/mail flowing inside the SSL channel.

 

If SSL Scanner is enabled on MWG then you can create a rule as per screenshot attached to achieve your requirement and place the rule below SSL Scanner rule set.

 

1. When working without SSL scanner you will need to keep the following things in mind:

      • After the “CONNECT” occurs, the data will be encrypted.
      • The “CONNECT” only contains the destination host and not the full URL (and very few other headers that can be read).
      • The steps below do NOT apply to setups without SSL Scanner. Without SSL Scanner, only hosts, not full URLs, can be whitelisted.

2. When working with SSL scanner you will need to keep the following things in mind:

      • The “CONNECT” only contains the destination host and not the full URL (and very few other headers that can be read).
      • If the CONNECT is blocked, the full URL will never be visible to the Web Gateway.
      • If the CONNECT is NOT blocked, the traffic will be decrypted on the Web Gateway and at this time, the full URL will be visible.
      • When using the SSL Scanner, there are going to be two different “Request” cycles that will need to occur:
        • One for command.name equals CONNECT
        • One for command.name equals CERTVERIFY

 

 

Please refer to the link below for more information on this:

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Considerations-when-Whitelisting-Blacklisting-...

 

 


 

Regards

Alok Sarda

irene14
Level 7
Message 3 of 6

Re: URL categorised differently from trusted source

Thanks for your reply, Alok.

We have SSL scanner enabled and tested your suggested solution on our end, and while we can access https://www.icloud.com/mail, we kept on being prompted for authentication. Also, we need to maintain the categorisation - https://www.icloud.com/mail as web mail and https://www.icloud.com as Personal Network Storage; this is because we have separate allow groups for them.

Thank you,

aloksard
McAfee Employee
Message 4 of 6

Re: URL categorised differently from trusted source

Hi,

Thanks for the update here. So after making the suggested configuration you are able to achieve your requirement but are now seeing an authentication issue.

 

Please refer to the link below for some info on auth issues with iCloud:

 

https://kc.mcafee.com/corporate/index?page=content&id=KB83686&locale=en_US

 

As you can maintain the categorisation - https://www.icloud.com/mail as web mail and https://www.icloud.com as Personal Network Storage.

 

You need to make sure the CONNECT and CERTVERIFY requests for www.icloud.com are allowed, so that once the SSL part is successfully done, MWG can see the GET requests for both www.icloud.com and www.icloud.com/mail and accordingly take a filtering decision.

 

If the initial CONNECT request for URL.host www.icloud.com gets blocked then SSL inspection part will not be done and thus MWG cannot see the request for www.icloud.com/mail 

 

Regards

Alok Sarda
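
The request cycles discussed in this thread, as a small Python model added here for illustration (not McAfee Web Gateway rule syntax and not code from any poster). The category table, `filter_flow`, `connect_exempt` and the "Web Mail only" user group are constructed assumptions that mirror the categories quoted above.

```python
# Constructed category table mirroring the categories quoted in the thread.
CATEGORIES = {
    "www.icloud.com/mail": {"Web Mail"},
    "www.icloud.com": {"Personal Network Storage", "Interactive Web Applications"},
}

def categorize(url):
    """Longest-prefix match of host[/path] against the constructed table."""
    best = max((k for k in CATEGORIES if url == k or url.startswith(k + "/")),
               key=len, default=None)
    return CATEGORIES.get(best, set())

def filter_flow(host, path, allowed, ssl_scanner, connect_exempt=()):
    """Return the (cycle, visible_url, verdict) steps a filtering proxy would log.

    allowed        -- categories the user's group may reach
    ssl_scanner    -- True if the proxy decrypts the tunnel
    connect_exempt -- hosts (hypothetical exception list) whose CONNECT and
                      CERTVERIFY cycles are let through regardless of category
    """
    trace = []
    # CONNECT carries only the host, so only host-level categories apply.
    ok = host in connect_exempt or bool(categorize(host) & allowed)
    trace.append(("CONNECT", host, "allow" if ok else "block"))
    if not ok:
        return trace  # tunnel refused: the full URL is never visible
    if not ssl_scanner:
        return trace  # tunnel stays encrypted: the host decision is final
    # CERTVERIFY is still host-only (certificate checks are not modelled).
    trace.append(("CERTVERIFY", host, "allow"))
    # After decryption the full URL is visible and is categorised on its own.
    url = host + path.rstrip("/")
    ok = bool(categorize(url) & allowed)
    trace.append(("GET", url, "allow" if ok else "block"))
    return trace

def verdict(trace):
    """Final decision and the cycle in which it was taken."""
    return trace[-1][2], trace[-1][0]

if __name__ == "__main__":
    webmail_only = {"Web Mail"}  # constructed user group
    for path in ("/mail", "/"):
        for exempt in ((), ("www.icloud.com",)):
            t = filter_flow("www.icloud.com", path, webmail_only, True, exempt)
            print(path, "exempt" if exempt else "no-exempt", verdict(t))
```

In this model the host-level exception only lets the tunnel be established; the per-category decision still happens on the decrypted GET, which is why the path rule has to be evaluated after SSL scanning.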

 

 

irene14
Level 7
Message 5 of 6

Re: URL categorised differently from trusted source

Hi Alok,

 

Tried and tested the solution you provided, and while we can access icloud/mail (which shouldn't be the case - only those with web mail access should have access to the URL), we are now getting the default "Block" message when accessing icloud.com.

Just to be clear - we want to open www.icloud.com/mail to users with access to web mail (already existing rule) and www.icloud.com to remain as a personal storage network.

Do we need to move the rule below the URL filtering?

Thanks

 

aloksard
McAfee Employee
Message 6 of 6

Re: URL categorised differently from trusted source

Hi,

Hope you are doing well.

 

You can give criteria to this rule for a particular authentication group for something for which you want to get this rule applied.

 

I suggest you can open a service request with support and ping the SR number so we can have a quick remote session if required and get this sorted.

 

Regards

Alok Sarda
