Allowing Google Apps email, but blocking Gmail

[cbsc]

We have set up a Google Apps account for our school, and are planning on making use of the email app.

Historically, all external email is blocked on our firewall and by the Local Authority. However we will need to loosen these restrictions to allow https://mail.google.com

However we would like the ability to still block non-school related Gmail accounts. Is this possible?

You can specify a custom URL for users to access the Google Apps email - e.g. https://mail.domain.com However when users browse to this URL, they are redirected to the URL https://mail.google.com/mail/?shva=1#inbox which doesn't include any references to the domain. I have tried logging in with a standard gmail account, and it also redirects you to the same URL.

Any advice would be appreciated!

[tom_newton]

I believe it is doable - but you need the whole URL and as such will need some form of HTTPS interception type malarkey.

[cbsc]

Hi Tom,

I've just sent you an email. We use Smoothwall already, but were informed that it was not possible by your support.

[OB1]

Hi there.

The below should allow the googlemail domain of your choosing and block everything else.

Add the following regular expression to the category that blocks gmail, under 'URL Patterns'

gausr=(\w+\.?)+.*(?!your.domain.here)

Remove 'mail.google.com' from the list of blocked domains. Though this will allow the login page to be loaded, it should only be possible to use your school gmail.

You will need https inspection enabled for this to work.

If you have any further queries please don't hesitate to get in touch.

[Sheridan]

Hmm I've just tried to do this with our gmail and smoothwall but it still lets students login with any gmail. Theres no other way around this though is there as you have to have mail.google.com whitelisted - which in effect allows all gmail accounts?

[tom_newton]

@Sheridan, which Guardian version you on? Also I think OB may have mangled his regex and not updated it on here

[Sheridan]

According to the main screen we're on "Network Guardian 2008p0 final series-7.0 i386"

Webmail is blocked for all users using the Webmail category so I don't think theres a way around this? Plus we blocked HTTPS for students unless specifically whitelisted.

Whitelisting the url http://mail.google.com/a/ourdoman.org.uk doesn't work unless mail.google.com is whitelisted as well, which of course allows full access to all of Gmail.


Edit: Looks like this can't be done. In the same way as the OP, ours redirects immediately to mail.google.com and the domain name never appears in the URL or the logs so theres no way of identifying our gmail site from a user's personal one.

[OB1]

@Sheridan, which Guardian version you on? Also I think OB may have mangled his regex and not updated it on here

The regex works, though may not be optimal. I suspect mail.google.com is whitelisted above the regex trying to catch it, therefore the whitelist rule is taking precedence. To combine this with blocking other webmail, the rules need to be in this order:

Blocking regex (see below for tweaked version)
Allow rule for mail.google.com
Block rule for all other webmail.

@ Sheridan, I've tested this on the same version you're running. It doesn't matter whats above, below or between them as long as they're in that order.

(gausr).*%(40|2540)(?!your\.domain\.here)

(Don't forget to escape your dots in the domain name)

Hope this helps.

[Sheridan]

I must be missing a trick here? In our smoothwall policy the Allow rules are automatically put before the Blocking rules so I can't specify the order that you've shown above?

[OB1]

I must be missing a trick here? In our smoothwall policy the Allow rules are automatically put before the Blocking rules so I can't specify the order that you've shown above?

Are you on Guardian 2 or Guardian 3?

[tom_newton]

2 it seems - hard to tell from the version, as that's the base software version. If rules are being "ordered" automatically though, thats G2.

[Sheridan]

I'm guessing its G2? Its been in use a couple of years with only updates added as they appear.

Not sure how to tell if its G2/3 version though.

Edit: How do I upgrade to G3 is thats the way around this?

[OB1]

PM either myself or Tom your customer details and we'll have a chat.

[Sheridan]

Ah, is this not a normal update then?

[tom_newton]

It's a bit of an overhaul of Guardian, lots of cool new stuff, but migrating will take a bit of thinking. Have a look at Kanal von SmoothWallTV - YouTube there are some intro videos on there.