7 Replies Latest reply on Apr 25, 2017 2:04 PM by cburgman

    One Drive Personal Read Only Rule

    cburgman

      I am in the process of creating a Read Only rule for Personal Network Storage sites.  I have hit a bit of a brick wall with regards to One Drive Personal.  When doing a rule trace I do not see any connections to anything pertaining to an upload.  We use OneDrive for Business so I need to be careful not to restrict access to that.

       

      My current approach involves searching the header for any identifiers of upload activity as well as blocking sites that explicitly use upload in the URL.  This approach doesn't seem to work with One Drive.

       

      Has anyone been able to successfully create a Read Only rule for One Drive personal?

        • 1. Re: One Drive Personal Read Only Rule
          johnaldridge

          Traditionally, you would expect to see either independent POST requests, or a POST inside a TLS CONNECT tunnel.  And, this may not be to the host you were seeing for establishing the One Drive session.

           

          Are you doing SSL/TLS inspection/interception?

          • 2. Re: One Drive Personal Read Only Rule
            cburgman

            Yes we are doing SSL Inspections.  I do see POSTS but not during the actual file upload process.

            • 3. Re: One Drive Personal Read Only Rule
              johnaldridge

              I just realized, I've seen rule traces of large downloads in which trickling and progress pages are enabled, and you see a response cycle for each scanned chunk.  I imagine that this must also be the case for POST's, only it would be multiple request cycles. 

               

              Is the opener or trickling enabled for those POST's?

              1 of 1 people found this helpful
              • 4. Re: One Drive Personal Read Only Rule
                cburgman

                So I am seeing POSTs now.  Looks like an oversight on my part.

                • 5. Re: One Drive Personal Read Only Rule
                  cburgman

                  I see the POST in the browser but the corresponding rule trace on the proxy is showing a CONNECT.

                  • 6. Re: One Drive Personal Read Only Rule
                    johnaldridge

                    Looks like you're bypassing your SSL inspection rules (for O365?), which means you can't see any POST that might exist within that CONNECT.

                     

                    One thing about rule tracing on SSL inspection (and there are some weird quirks): the rule trace entries that do not end in a slash are a CONNECT, which will have two requests before the response, the first being the CONNECT, the second being the CERTVERIFY.  Any GET or POST (or HEAD, etc.) inside that HTTPS CONNECT tunnel will appear as subsequent rule trace entries, and they will at least have a slash at the end (if not more of a path).  The only way that I know of to relate those subsequent lines, and there can be many, is that the host name is exactly the same (it has to match, no choice).  But, if you see multiple CONNECTs before the GETs and POSTs (etc.) you won't know which one is in which tunnel (unless there's some kind of id somewhere that I don't know about).

                    1 of 1 people found this helpful
                    • 7. Re: One Drive Personal Read Only Rule
                      cburgman

                      You are correct... This block is above the SSL inspection, which explains why I do not see any of the POSTs and only see CONNECTs.  This presents an interesting problem seeing that onedrive.live.com (personal one drive) is in the McAfee subscribed lists for O365.  As you can see we whitelist O365 URLs.
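
Added example, not part of the original thread: a small script that applies the correlation heuristic from reply 6 (no trailing slash or path means CONNECT, inner requests matched by exact host name) to find hosts whose tunnels are never decrypted, as confirmed in reply 7. The input format (an ordered list of URLs copied from rule trace entries) and the example.net / example.org hosts are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: URLs as they might appear in rule trace entries, in order.
# The export format is an assumption; it is not taken from the thread.
SAMPLE_TRACE = [
    "https://onedrive.live.com",            # CONNECT, nothing visible inside it
    "https://storage.example.net",          # CONNECT
    "https://storage.example.net/",         # request inside the tunnel
    "https://storage.example.net/upload",   # request inside the tunnel
    "https://cdn.example.org",              # CONNECT
    "https://cdn.example.org",              # second CONNECT to the same host
    "https://cdn.example.org/app.js",       # inner request, tunnel unknown
]

def summarize_trace(urls):
    """Group entries by exact host name; count tunnels and inner requests."""
    stats = defaultdict(lambda: {"connects": 0, "inner": 0})
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname
        if host is None:
            continue  # not a URL entry, skip it
        # Heuristic from reply 6: an entry with no slash/path is the CONNECT.
        if parts.path == "":
            stats[host]["connects"] += 1
        else:
            stats[host]["inner"] += 1
    return dict(stats)

def uninspected_hosts(urls):
    """Hosts with a CONNECT but no decrypted request: inspection was bypassed,
    so a read-only rule that matches on POST never sees the upload."""
    return sorted(h for h, s in summarize_trace(urls).items()
                  if s["connects"] and not s["inner"])

def ambiguous_hosts(urls):
    """Hosts where inner requests cannot be tied to one specific tunnel."""
    return sorted(h for h, s in summarize_trace(urls).items()
                  if s["connects"] > 1 and s["inner"])

if __name__ == "__main__":
    print("CONNECT only (not inspected):", uninspected_hosts(SAMPLE_TRACE))
    print("ambiguous tunnel mapping:", ambiguous_hosts(SAMPLE_TRACE))
```

A host that shows up in the first list is one where any upload rule placed after SSL inspection has nothing to match on.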