Control Google Apps access with ProxySG

Article ID: 165614

Products

ProxySG Software - SGOS

Issue/Introduction

Control which Google Apps domains users can access. Allow users to go to Corporate Google Apps only, and not their personal or non-work related Google Apps.

Resolution

This article describes how to achieve that control with a ProxySG solution. Google also documents this option from its own perspective.

This solution requires the SSL license on the ProxySG.

Google has added a header that can be used to control the domains accessing Google Apps from the ProxySG and ASG appliances.
This header can be used to allow Enterprise Google Apps users to access their corporate domains but block access to consumer Gmail/Google Apps.
By including the header X-GoogApps-Allowed-Domains in Google-bound requests and whitelisting specific domains, Google Enterprise Apps allows users to authenticate to Google services using their corporate-domain Google login.

If a user tries to log in to their personal Gmail account, they will be unable to authenticate and will not be able to access those services.
The policy to limit access for Google Apps and steps below assume that the default policy is "Allow" and therefore no additional rules are required to permit the traffic.
For details on how to configure SSL interception see Configure the ProxySG for SSL Interception and Authentication using an SSL certificate issued from a Microsoft PKI server.

1. SSL Proxy

Depending on how traffic is getting to the ProxySG, the exact method for handling SSL traffic will differ.

  • Explicit Proxy: If users' browsers are explicitly configured to connect to the ProxySG, then the Explicit HTTP service must be modified to enable the Detect Protocol option. This will cause the HTTP service to determine the appropriate protocol proxy for the traffic and hand it off for processing. In this case, that traffic will be SSL.

  • Transparent Proxy: If HTTPS traffic is being transparently proxied (possibly via WCCP or physically in-path), then the HTTPS service must be set to Intercept and the Proxy must be set to SSL.

2. VPM Policy

In the Visual Policy Manager, we need to create a policy to intercept SSL traffic and then add the Google-specific header.

  1. From the VPM Policy menu, select Add SSL Intercept Layer.
  2. Add a rule.
  3. In the Action column of the new rule, right-click and select Set.
  4. Click New and select Enable HTTPS Interception.
  5. Modify the name if desired and click OK.
  6. Click OK.
  7. From the Policy menu, select Add Web Access Layer.
  8. Modify the layer name to include GoogleApps.
  9. Add a rule.
  10. Right-click the Destination column for the new rule and click Set.
  11. Click New and select Request URL Object.
  12. In the Simple Match URL, enter google.com.
  13. Click Add and Close.
  14. Click OK.
  15. In the Action column of the new rule, right-click and select Set.
  16. Click New and select Control Request Header.
  17. Modify the name to include GoogleApps.
  18. Set the Header Name to X-GoogApps-Allowed-Domains. Enter your enterprise domains in the Set value field. If multiple domains are required, enter the domains separated by commas (for example: companya.com, company.com, companyc.com).
  19. Click OK and OK.
  20. Click Install policy.
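
The two layers built in the VPM steps above, written out by hand as CPL. This is an added example, not part of the original article or VPM output; the action name GoogleApps follows the naming suggested in step 17, and the domain list is the article's sample value, to be replaced with your own domains.

```cpl
; Added example: hand-written CPL equivalent of the VPM steps above.
; Compare it with the CPL your VPM generates before installing it.

<SSL-Intercept>
    ; Steps 1-6: intercept HTTPS so that request headers can be modified.
    ssl.forward_proxy(https)

<Proxy>
    ; Steps 7-19: for requests to google.com, apply the header action.
    url.domain=google.com action.GoogleApps(yes)

define action GoogleApps
    ; set() assigns the header value rather than appending to it.
    ; Sample domains from step 18; replace with your enterprise domains.
    set(request.x_header.X-GoogApps-Allowed-Domains, "companya.com, company.com, companyc.com")
end
```

Without the SSL-Intercept rule the Google-bound HTTPS requests are tunneled, so the rule in the Proxy layer never gets to add the header.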
