1792 Views 6 Replies Latest reply: Feb 8, 2013 9:56 AM by frankm RSS
jboren Newcomer 4 posts since
Dec 4, 2012

Dec 4, 2012 5:24 PM

SaaS Setup with Google Apps for Business (Outbound Servers)

Hi Everyone,

 

I have just completed my setup of McAfee SaaS E-Mail Protection with Outbound Filtering (Encryption) and had some unusual setup issues. The biggest problem is that there is no easy way to list the Google e-mail servers in the outbound server setup. When in the McAfee setup for outbound e-mail servers, you must list all IP addresses (or a range using CIDR notation with a maximum size of /24) that send mail. Therefore, it became necessary to contact Google to inquire about their IP addresses. Google does not release their IP addresses, but suggests that you query their SPF records (see: http://support.google.com/a/bin/answer.py?hl=en&answer=60764). When speaking to two separate representatives at Google, this was also their suggestion (they informed me that Google regularly changes their IP address range).

 

Of course, there is no way to include an SPF record in the McAfee setup so that McAfee inherits the IP address range from the Google record. So, I simply queried the record, with the following results (_netblocks.google.com):

 

v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16

 


Notice the CIDR notation for these ranges, which run from /16 on the high end (the most IP addresses) to /20 on the low end (the fewest IP addresses). This means that there are 256 subnets that need to be reported when entering the /16 CIDR ranges in McAfee, as McAfee accepts a maximum of /24 (256 IP addresses). For instance, 173.194.0.0/16 equals 173.194.0.0 - 173.194.255.255. A /24 would include only the 256 IP addresses in a particular range. Therefore, to enter this block into McAfee, I had to enter the following:

 

173.194.0.0/24

173.194.1.0/24

173.194.2.0/24 ... all the way to 173.194.255.0/24

 

There is no easy way to do this. When looking at the number of potential IP address ranges for each of the blocks that Google has in the SPF records, you can imagine that this took some time. I also had to make sure to enforce TLS for each of the servers, as our setup is using outbound encryption. The problem is that Google could use (according to the Google technicians) any of these potential IP address ranges for outbound mail and they tend to query the mail server with one IP and then send with another... all at random (I have a hard time believing that it's entirely random and Google uses a particular subnet, but that's just my suspicion).

 

Once I added all 800 entries (if you look at the list above, there are 800 individual entries that needed to be made), I realized that if Google decides to update their SPF record to include (or amend, append, or replace) a new block, I would have to go back to the list in McAfee and update. So, I would like to pose the following suggestion:

 

1. Is it possible to add a way for McAfee to query an SPF record and then inherit the blocks from that record?

2. If not, can we at least get a broader range of CIDR notations allowed in McAfee? Perhaps at the /16 level on the high end?

 

Thanks!
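
The manual expansion described in the post above can be scripted. The following is an added example, not part of the original post and not a McAfee tool: it parses the SPF record quoted above, splits every `ip4` block into entries no larger than /24, and reports which entries to add or remove when the record changes. The function names and the extra 198.18.0.0/23 block are constructed for illustration.

```python
import ipaddress

# TXT record for _netblocks.google.com exactly as quoted in the post above.
SPF_RECORD = (
    "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
    "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
    "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
    "ip4:173.194.0.0/16"
)
MAX_PREFIX = 24  # largest block the outbound-server form accepts, per the post

def spf_ip4_networks(record):
    """Return the ip4 mechanisms of an SPF record as IPv4Network objects."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    nets = []
    for term in terms[1:]:
        # Only "pass" terms name permitted senders; -, ~ and ? terms are skipped.
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() == "ip4" and value:
            nets.append(ipaddress.IPv4Network(value, strict=False))
    return nets

def to_entries(networks, max_prefix=MAX_PREFIX):
    """Split networks into blocks no larger than /max_prefix, deduplicated."""
    entries = set()
    for net in ipaddress.collapse_addresses(networks):
        if net.prefixlen < max_prefix:
            entries.update(net.subnets(new_prefix=max_prefix))
        else:
            entries.add(net)  # already /24 or smaller, keep as published
    return sorted(entries)

def diff_entries(configured, record):
    """Return (to_add, to_remove) between configured entries and the record."""
    wanted = set(to_entries(spf_ip4_networks(record)))
    have = {ipaddress.IPv4Network(e) for e in configured}
    return sorted(wanted - have), sorted(have - wanted)

if __name__ == "__main__":
    entries = to_entries(spf_ip4_networks(SPF_RECORD))
    print(len(entries), "entries from", entries[0], "to", entries[-1])
    # Constructed change: the record later gains one extra /23 block.
    grown = SPF_RECORD + " ip4:198.18.0.0/23"
    to_add, to_remove = diff_entries([str(e) for e in entries], grown)
    print("add:", [str(n) for n in to_add], "remove:", to_remove)
```

Running `diff_entries` on a schedule against a freshly fetched record turns a changed SPF record into a short list of entries to add or remove instead of a full re-entry.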

  • Kevin Petre Newcomer 1 posts since
    Dec 5, 2012

    @jboren,

     

    I feel for you and I think there should be an easier way to implement such services.  GAFB has a huge set of ranges along with other services whether they be hand developed or otherwise.  Clustering is becoming the Cloud based standard and with that comes big ranges to whitelist.  If adding the 800 entries wasn't enough, your point of SPF verification, in my opinion, would be a huge asset.  Or they could simply allow the more broad CIDR ranges for GAFB or whatever it is. 

     

    I will be watching this closely as our company is a partner and does resell GAFB. In some sense from a Partner perspective, this is kind of a bummer being that, though as you've shown not impossible, limits who anyone can resell this to.

     

    Hopefully we will see an intelligible response from McAfee on how to, from a Partner or even administrator standpoint, make implementing this easier.

  • kwidhalm McAfee Mentor 21 posts since
    Nov 2, 2012

    Hello jboren, thank you for sharing concerns and suggestions.  I would like to encourage you to contact support to further discuss this and to open an enhancement request.  All enhancement requests are reviewed and analyzed by our product development team for possible inclusion in future releases.  While we cannot guarantee that all requests will be implemented, we take each request under consideration.  We are constantly looking for ways to improve our products, and customer suggestions play a big role in that process.

     

    Thank you again,

     

    Karen


    Karen Widhalm

    System Support Specialist

    SaaS Email and Web Security
    McAfee.Part of Intel Security.





  • pm_nate McAfee Employee 17 posts since
    Dec 6, 2012

    Jboren,

     

    First, let me say that you are a trooper for entering in all those CIDR blocks /24 at a time. Wow.

     

    Second and more importantly, we're currently working on official Google Apps and Office 365 support for the service for release in first half of 2013 (medium confidence). What this will mean is better documentation on how to use the services together, but also a shortcut for entering in those CIDR blocks in the outbound server config. I'm not able to say exactly what that will look like in the UI, but it will be very easy to get that data loaded into the system.

     

     

    Nate

    Senior Product Manager, Email Security

     

    And the legal bit...

    The information contained in this post is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

  • pm_nate McAfee Employee 17 posts since
    Dec 6, 2012

    Justin,

     

    Just an update: Happy to reveal that on Monday Feb 11 we will be releasing one-click support for outbound relay through SaaS Email Protection from Office 365 and Google Apps for Business. We will be tracking changes to their IP space for our customers so no need to worry about ongoing maintenance!

     

     

     


     

    Nate

     

    Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

  • frankm Apprentice 62 posts since
    Jan 10, 2013

    Looking forward to more information on the integration of Google Apps with McAfee SaaS, especially archiving and encryption.
