13 Replies Latest reply on Oct 14, 2013 2:27 AM by lubomir.cerny

    Partly allow Google Docs ?

    lubomir.cerny

      Hi folks.

      We have a security policy to block the category Personal Storage (Google Drive and Google Docs).

      Is there a way to allow a specific Google Docs site/user?

       

      I have tried to whitelist the URL match *docs.google.com/a/tacr.cz/file/*

      but it does not work as expected, i.e. to allow a specific GD user but block all others.

       

      https://docs.google.com/a/tacr.cz/file

       

      Is there any list of needed hosts for Google Docs? Any idea how to solve this?

       

      thx.

        • 1. Re: Partly allow Google Docs ?
          trevorw2000

          I was about to post a similar question, so I'll tag along with this post and hope to get an answer.

           

          What I've noticed is that even though the full request is https://docs.google.com/forms/d/[long string of junk here]/viewform, all URL properties only return docs.google.com.  The problem in my case is that I don't want to open all of Google Docs.  I just want to allow a particular form.  This has worked great in the past for whitelisting specific YouTube videos based on matching a string in the URL, but it doesn't seem to work here.  I'm thinking it might be because the initial CONNECT request goes to docs.google.com due to SSL.  The GET request for the specific form/page doesn't occur until after the connection is established.

           

          Are there any other properties that I'm missing that I might be able to match against?  Looks like the same answer would also solve the question posted above as well.

           

          Thanks!

          • 2. Re: Partly allow Google Docs ?
            pbrickey

            Greetings,

             

            The most important thing to remember is that you have to do Content Inspection for any of this to work. Without it, as Trevor has indicated, you only have the host available for filtering and the rest of the URL & URL Path is encrypted inside the tunnel. See https://community.mcafee.com/docs/DOC-4810

             

            Once you have Content Inspection enabled, the access.log is going to be a good way to troubleshoot this. Start by creating your basic exceptions for URL and then check the access.log after each unsuccessful attempt to load the page and look for any URLs that have a status code of 403 (blocked) to determine the additional URLs or Hosts that need to be allowed.

             

            -Patrick

             

            on 9/17/13 6:56:11 PM CDT
            1 of 1 people found this helpful
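The access.log check described in the reply above, as an added example that is not part of the original thread: it groups 403 entries by host so the missing exceptions are visible at a glance. The log layout (bracketed timestamp, quoted user, source IP, status code, quoted request line) and every sample line are assumptions constructed for illustration; adjust the regular expression to the layout your log handler writes.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not taken from the thread's logs. Assumed layout:
# [time] "user" src_ip status "METHOD target HTTP/x" "category"
SAMPLE_LOG = """\
[18/Sep/2013:08:12:01 +0200] "alice" 10.0.0.5 200 "CONNECT docs.google.com:443 HTTP/1.1" "Personal Storage"
[18/Sep/2013:08:12:02 +0200] "alice" 10.0.0.5 200 "GET https://docs.google.com/a/tacr.cz/file/d/EXAMPLE/edit HTTP/1.1" "Personal Storage"
[18/Sep/2013:08:12:02 +0200] "alice" 10.0.0.5 403 "CONNECT 1.docs.google.com:443 HTTP/1.1" "Personal Storage"
[18/Sep/2013:08:12:03 +0200] "alice" 10.0.0.5 403 "GET https://static.example.net/viewer/app.js HTTP/1.1" "-"
[18/Sep/2013:08:12:03 +0200] "alice" 10.0.0.5 403 "GET https://static.example.net/viewer/app.css HTTP/1.1" "-"
[18/Sep/2013:08:12:04 +0200] "alice" 10.0.0.5 200 "GET https://ssl.gstatic.com/docs/icon.png HTTP/1.1" "-"
"""

LINE_RE = re.compile(r'^\[[^\]]+\] "[^"]*" \S+ (\d{3}) "(\S+) (\S+) [^"]*"')


def blocked_requests(log_text):
    """Group requests answered with 403 by host, keeping method and target."""
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "403":
            continue
        method, target = m.group(2), m.group(3)
        # CONNECT carries only host:port; other methods carry a full URL
        # once the gateway has decrypted the tunnel.
        url = "//" + target if method == "CONNECT" else target
        host = urlsplit(url).hostname or target
        blocked[host].append((method, target))
    return dict(blocked)


if __name__ == "__main__":
    for host, reqs in blocked_requests(SAMPLE_LOG).items():
        kinds = sorted({method for method, _ in reqs})
        print(f"{host}: {len(reqs)} blocked ({', '.join(kinds)})")
```

A host that shows up only with CONNECT was refused before any path was visible to the filter, so a path-based whitelist entry cannot help for it.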
            • 3. Re: Partly allow Google Docs ?
              lubomir.cerny

              Hi pbrickey

               

              We already have content inspection + SSL Scanner in place.

              The strange thing is that in access.log the session is blocked by the category block rule even though there is a whitelist rule before the category block. The Allow rule is:

              Stop ruleset (Content filter) if URL matches in list. In the list I use several URLs:

               

              *docs.google.com/a/tacr.cz/file/*

              *docs.google.com/viewer?*

              *.gstatic.com/*

              *apis.google.com/*

               

              as criteria. Such URLs seem to be needed for GD viewer components and images.

               

              This should handle load-balancer hosts such as https://1.docs.google.com/a/tacr.cz/file/* etc.

               

              But this combination still does not work. Looking at the linked document, I will need to add a CERTVERIFY command condition to the rule.

              I will give it a try.

               

              thx.

               

               

              Message was edited by: lubomir.cerny on 9/18/13 8:31:38 AM CEST
              • 4. Re: Partly allow Google Docs ?
                pbrickey

                Greetings,

                 

                Rule engine traces could be very helpful in determining why your whitelists are potentially not matching. Feel free to upload to our ftp server and let me know the filenames if you want me to take a look.

                 

                -Patrick

                • 5. Re: Partly allow Google Docs ?
                  lubomir.cerny

                   

                  Hi.

                  How / where can I upload the trace file? What is the requested FTP server address?

                  • 6. Re: Partly allow Google Docs ?
                    cryptochrome

                    Shouldn't we be able to use the new Application Filter feature for this? Oh wait... it contains applications but no application functions yet. SCNR

                    • 7. Re: Partly allow Google Docs ?
                      pbrickey

                      Hi Lubomir,

                       

                      Here's the link with info about our ftp servers and instructions:

                       

                      https://community.mcafee.com/docs/DOC-2402

                       

                      -Patrick

                      • 8. Re: Partly allow Google Docs ?
                        trevorw2000

                        Thanks Patrick.

                         

                        Allowing the CONNECT and CERTVERIFY commands exclusively for that host prior to checking against the URL filter did the trick.  Hopefully Lubomir is able to produce the same results after a bit of work with the rule set.

                         

                        Trevor
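Why the path-based whitelist cannot match at tunnel setup, and what the pre-rule from the reply above changes, as an added example that is not part of the original thread. It is a toy first-match rule chain in Python, not the gateway's own rule syntax or engine; `TUNNEL_HOSTS`, `BLOCKED_HOSTS`, the request sequence and the `other.example` domain are hypothetical, while the whitelist entries are the ones quoted in the thread.

```python
from fnmatch import fnmatchcase

# Whitelist entries quoted in the thread.
URL_WHITELIST = [
    "*docs.google.com/a/tacr.cz/file/*",
    "*docs.google.com/viewer?*",
    "*.gstatic.com/*",
    "*apis.google.com/*",
]
TUNNEL_HOSTS = {"docs.google.com"}    # hypothetical host list for the pre-rule
BLOCKED_HOSTS = {"docs.google.com"}   # stands in for the category block


def decide(command, url, host, allow_tunnel_setup):
    """Toy first-match rule chain; returns 'allow' or 'block'."""
    # Pre-rule: let tunnel setup through for the listed host only.
    if (allow_tunnel_setup and command in ("CONNECT", "CERTVERIFY")
            and host in TUNNEL_HOSTS):
        return "allow"
    if any(fnmatchcase(url, pattern) for pattern in URL_WHITELIST):
        return "allow"
    if host in BLOCKED_HOSTS:
        return "block"
    return "allow"


# Constructed sequence: (command, URL visible to the filter, host).
# During CONNECT and CERTVERIFY only the host is visible, no path.
SEQUENCE = [
    ("CONNECT", "docs.google.com", "docs.google.com"),
    ("CERTVERIFY", "docs.google.com", "docs.google.com"),
    ("GET", "https://docs.google.com/a/tacr.cz/file/d/EXAMPLE/edit", "docs.google.com"),
    ("GET", "https://docs.google.com/a/other.example/file/d/EXAMPLE/edit", "docs.google.com"),
]


def run(allow_tunnel_setup):
    """Evaluate the sequence; a blocked tunnel setup ends it early."""
    results = []
    for command, url, host in SEQUENCE:
        verdict = decide(command, url, host, allow_tunnel_setup)
        results.append((command, verdict))
        if verdict == "block" and command != "GET":
            break  # no tunnel, so the GET requests never reach the filter
    return results


if __name__ == "__main__":
    print("without pre-rule:", run(False))
    print("with pre-rule:   ", run(True))
```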

                        • 9. Re: Partly allow Google Docs ?
                          lubomir.cerny

                          Hi Patrick,

                          I had no luck with the FTP transfer. I can see no folders on the FTP server using the credentials from the document on any of the listed FTP servers.

                          It seems that the connection will not stop on the specific rule. Please, can you look at the trace files + access.log? I uploaded them to my portal http://www.lcerny.cz/ke-stazeni/ostatni/google-docs-debug/download.html

                           

                          There should be some issue in the SSL Scanner. The specific rule can match the host but not the URL path, even though I have the CONNECT and CERTVERIFY condition as described in your first document :-(

                           

                          Big thx.

                           

                           

                          Message was edited by: lubomir.cerny on 9/27/13 8:33:24 AM CEST