Allow only Facebook at Work via the ProxySG and Deny Access to Standard Facebook

book

Article ID: 169167

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Facebook at Work is a new service from Facebook designed to allow colleagues in organizations to collaborate and network in a similar way to how Facebook users interact in ordinary Facebook:

https://work.fb.com/

This article describes how to allow your users access to your corporate Facebook at Work social network, while preventing them from accessing their standard Facebook account
 

Cause

You will need to block most Facebook requests, but allow requests to your corporate page:

company.facebook.com

As well as several other background domains necessary to display content from Facebook

Resolution

SSL interception: This is a prerequisite and essential for controlling Facebook traffic as it is almost exclusively served in HTTPS. 


Policy to be implemented:
Here is some sample policy which according to testing allows Facebook at work for your Facebook at Work page (e.g. company.facebook.com), but blocks other facebook.com requests:

1) Using CPL policy:

<proxy> 
ALLOW condition=fbatwork 
DENY url.domain=facebook.com 

define condition fbatwork 
url.domain=fbcdn.net 
url.domain=company.facebook.com (where company is your company name) 
url.host.regex=chat.facebook.com 
end 

For details about how to install CPL, have a look at this KB article:

How do I add CPL to a local policy file on the ProxySG?

2) Using VPM:

a) Create a new Web Access layer
b) Create a first rule: Source: Any (or a user or group, as you wish) Destination: New > Combined Destination Object > New URL and then add each of these URLs, one at a time:

fbcdn.net 
company.facebook.com
chat.facebook.com 

With this policy, you should be able to open company.facebook.com but you will be denied opening facebook.com