Blocking Google+ or personal Gmail accounts, but not Apps for Education accounts

[localzuk]

We use Google Apps for Education at our school, and it has started to trickle out that people can use their personal gmail accounts and use Google+, which is obviously not a favorable thing to be happening in school.

 

So, has anyone got any ideas how to prevent personal accounts from logging into gmail, or if not that, how to block google+ without disabling any other Google features?

[elsiegee40]

Google plus should be easily bockable as its URLs start with plus.google.com... you'll need to stop http and https.

 

I'm not sure you'd be able to block personal email accounts though

[OB1]

Hi.

 

Have a look at this post for how this currently works on smoothwall (we are working on a more streamlined solution).

 

What are you currently using for filtering?

[featured_spectre]

blocking *mail.google* and *plus.google* (Must have the * symbol so it blocks everything before, and everything after regardless) should do the trick for this. I found in my last place everyone was accessing it when they didn't need too, so blocking those 2 sorted that out.

[irsprint84]

I cheated and put plus.google.com in dns to point to 127.0.0.1

[FN-GM]

blocking *mail.google* and *plus.google* (Must have the * symbol so it blocks everything before, and everything after regardless) should do the trick for this. I found in my last place everyone was accessing it when they didn't need too, so blocking those 2 sorted that out.

 

Exactly we dont want to block everything, on the post is says he doesnt want google apps blocking.

 

@localzuk i think @tom_newton knows how to do it. I have tagged him so he should be along soon

[featured_spectre]

thats all well and good @irsprint84 but what about .de .ie .co.uk .fr. co.nz. au etc? doing the * method is far quicker

[featured_spectre]

Exactly we dont want to block everything, on the post is says he doesnt want google apps blocking.

 

@localzuk i think @tom_newton knows how to do it. I have tagged him so he should be along soon

 

It only blocks the portion of google that has mail.google or plus.google in the address bar...apps.google will work fine

[FN-GM]

It only blocks the portion of google that has mail.google or plus.google in the address bar...apps.google will work fine

 

But when you use the e-mail part in google apps it goes to mail.google.com. apps.google.com is only the site to promote the product.

[localzuk]

It only blocks the portion of google that has mail.google or plus.google in the address bar...apps.google will work fine

 

Google Mail is part of Apps, and we use it internally for all staff and students. So, blocking mail. would a big problem.

 

@tom_newton - we have a council provided netsweeper system doing our filtering at the moment.

[tom_newton]

You *may* be out of luck with netsweeper - afaik they support neither known method of limiting google accounts are you running your own proxy prior to netsweeper?

[localzuk]

You *may* be out of luck with netsweeper - afaik they support neither known method of limiting google accounts are you running your own proxy prior to netsweeper?

 

We have a proxy to plug in, but it is set up and managed by the council also.

[tom_newton]

Bad times. What is this local proxy?

[GrumbleDook]

You *may* be out of luck with netsweeper - afaik they support neither known method of limiting google accounts are you running your own proxy prior to netsweeper?

 

We asked the question recently and are going to sit down to work out some options of using NetSweeper and still allowing access to Google Apps for Edu whilst not opening up some of the other stuff. It truly is proving to be a minefield.

[localzuk]

Bad times. What is this local proxy?

 

Its a squid box, but we don't have any access to it.

[CyberNerd]

I just stumbled across this:

 

Block access to consumer accounts and services while allowing access to Google Apps for your organization - Google Apps Help

 

Short answer: To block access to some Google accounts and services while allowing access to your Google Apps accounts, you need a web proxy server that can perform SSL interception and insert HTTP headers.

As an administrator, you may want to prevent users from signing in to Google services using any accounts other than the accounts you provided them with. For example, you may not want them to use their personal Gmail accounts or a Google Apps account from another domain.

 

A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case, because legitimate traffic from a user’s Google Apps account goes to the same URL as the traffic you want to block.

 

To only allow users to access Google services using specific Google accounts from your domain, you need the web proxy server to add a header to all traffic directed to google.com; the header identifies the domains whose users can access Google services. Since most Google Apps traffic is encrypted, your proxy server also needs to support SSL interception. (See below for a list of proxy servers known to support both SSL interception and HTTP header insertion.)

 

To prevent users from signing in to Google services using Google accounts other than those you explicitly specify:

 

Route all traffic outbound to google.com through your web proxy server(s).

Enable SSL interception on the proxy server.

 

Since you will be intercepting SSL requests, you will probably want to manage client certificates on every device using the proxy, so that the user’s browser does not issue warnings for the requests.

For each google.com request:

 

a. Intercept the request.

 

b. Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.

 

For example, to allow users to sign in using accounts ending @Altostrat.com and tenorstrat.com, create a header with the name X-GoogApps-Allowed-Domains and this value:

altostrat.com, tenorstrat.com

[tom_newton]

Indeed - that's the "other" way to do it. Still need an HTTPS intercepting filter though, and they are still not that common.

 

We plan to support this way RSN.

[LeMarchand]

I cheated and put plus.google.com in dns to point to 127.0.0.1

 

Please can someone explain in idiot steps how to do this (or point to a suitable tutorial)?

 

Have a similar problem. In our case, the filter (Websense) is controlled by the LEA who aren't willing/able to alter things their end. We need https://google.com generally available for Google Apps, but want any searches blocked as they bypass the enforced strict search. The instructions here say to do this:

 

To utilize the no SSL option for your network, configure the DNS entry for Google to be a CNAME for nosslsearch.google.com.

 

but I don't have a clue on how to do it!

 

My normal "cheat" way of blocking stuff (set it to "direct" rather than via the proxy) just doesn't seem to work

[justintjacob]

There are lot of free proxies available ,but as per google docs we need to add a custom header to every google request ( X-GoogApps-Allowed-Domains) to block consumer account

Block access to consumer accounts - Google Apps Help

 

The best simple method is using one small proxy called burp suit download it from its free version is enough for doing this

 

Download Burp Suite 1.5- Burp Suite is an integrated platform for performing security testing of web... - SPIDERSOFT - Download Free Softwares and drivers

 

the detailed installation and configuration is found

 

COMPUTECH » Block access to consumer gmail accounts but allow google apps

 

in a small organisation its better to use and effective