Filtering google apps traffic through a proxy, Proxy pac file configuration – Google Networking Best Practices for Large Deployments User Manual
Page 25
Network Configuration
Content Inspection
Avoid content inspection on your proxy server. When Google Apps is configured to run over
HTTPS, which is common and recommended, proxy servers cannot inspect content or restrict
access without a special proxy configuration.
Filtering Google Apps traffic through a Proxy
The vast majority of traffic originating from your users to Google Apps servers consists of
HTTPS transactions. This type of traffic is preferred because it is secure and reliable. Although
intercepting traffic to Google Apps for filtering is possible, it can decrease security and
reduce the overall experience for your users.
Keep the following considerations in mind when planning to filter HTTPS traffic to Google
Apps.
• In browsers and protocols that support the Server Name Indication (SNI) extension to TLS,
you will see the requested hostname in the initial HELLO from the client in your proxy
logs. Consult your browser documentation to learn about its SNI support.
• In older browsers and SSL versions that do not support the Server Name Indication (SNI)
extension to TLS, you will not see the requested hostname in the initial HELLO from
the client in your proxy logs. In this case, your users usually see a certificate mismatch
error because of the virtual hosting nature of Google Apps and similar web services. Be
sure to use a browser that supports the Server Name Indication extension for TLS.
After the initial HELLO exchange between client and server, once the TLS connection is
established, all traffic is encrypted, including the URI path after the hostname.
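The two bullets above describe what a proxy can and cannot see in the first TLS record. The following is an added example (not part of the Google manual) that constructs a TLS ClientHello with a server_name extension, as an SNI-capable browser would send it, and reads the hostname back out of that unencrypted first record the way a proxy or log collector would. A ClientHello built without the extension yields no hostname, which is the older-browser case. The builder, the 32-byte random filled with 0x11, the cipher suite list and the hostname are all constructed test input.

```javascript
// Added example: build a minimal TLS ClientHello and extract the SNI hostname
// from it. The record layout follows RFC 5246 / RFC 6066; the builder exists
// only to produce constructed test input for the parser.

function u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }
function u24(n) { return Buffer.from([(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]); }

// Build a ClientHello record. Pass null to omit the extensions block,
// which is what a client without SNI support sends.
function buildClientHello(hostname) {
  let extensions = Buffer.alloc(0);
  if (hostname !== null) {
    const name = Buffer.from(hostname, "ascii");
    const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // host_name entry
    const sniList = Buffer.concat([u16(entry.length), entry]);
    const sniExt = Buffer.concat([u16(0x0000), u16(sniList.length), sniList]); // extension type 0
    extensions = Buffer.concat([u16(sniExt.length), sniExt]);
  }
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // client_version: TLS 1.2
    Buffer.alloc(32, 0x11),             // random (constructed filler)
    Buffer.from([0x00]),                // session_id length 0
    u16(2), Buffer.from([0xc0, 0x2f]),  // one cipher suite (constructed)
    Buffer.from([0x01, 0x00]),          // one compression method: null
    extensions,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Return the SNI hostname carried in a ClientHello record, or null when the
// record is not a ClientHello or carries no server_name extension.
function extractSni(record) {
  if (record.length < 5 || record[0] !== 0x16) return null;      // not a handshake record
  const hs = record.subarray(5, 5 + record.readUInt16BE(3));
  if (hs.length < 4 || hs[0] !== 0x01) return null;              // not a ClientHello
  let p = 4 + 2 + 32;                                            // header, version, random
  if (p >= hs.length) return null;
  p += 1 + hs[p];                                                // session_id
  if (p + 2 > hs.length) return null;
  p += 2 + hs.readUInt16BE(p);                                   // cipher_suites
  if (p + 1 > hs.length) return null;
  p += 1 + hs[p];                                                // compression_methods
  if (p + 2 > hs.length) return null;                            // no extensions: no SNI
  const extEnd = p + 2 + hs.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd && extEnd <= hs.length) {
    const type = hs.readUInt16BE(p);
    const len = hs.readUInt16BE(p + 2);
    const data = hs.subarray(p + 4, p + 4 + len);
    if (type === 0x0000 && data.length >= 5) {
      // server_name_list: 2-byte list length, then entries of type(1) + len(2) + name
      let q = 2;
      while (q + 3 <= data.length) {
        const nameLen = data.readUInt16BE(q + 1);
        if (data[q] === 0 && q + 3 + nameLen <= data.length) {
          return data.toString("ascii", q + 3, q + 3 + nameLen);
        }
        q += 3 + nameLen;
      }
    }
    p += 4 + len;
  }
  return null;
}

console.log(extractSni(buildClientHello("mail.google.com")));  // hostname visible to the proxy
console.log(extractSni(buildClientHello(null)));               // null: old client, no SNI
```

Everything after this record is inside the TLS tunnel, so the hostname is the only part of the request a passive proxy can log; the path after it is never visible, which is the point the paragraph above makes.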
If you need to filter your users’ traffic, there are two recommended ways to accomplish this:
• Filtering your users’ traffic with a proxy PAC file at the browser level, before encryption,
is easier and less costly to implement. See “Proxy PAC file configuration” on page 25.
• Performing SSL interception and inspection after encryption is more secure but is more
difficult and costly to implement. See “SSL Inspection” on page 26.
Proxy PAC file configuration
A Proxy PAC file is a cost-effective way to filter traffic because URI and IPv4 evaluation is
performed on the client machine prior to encryption.
A proxy PAC file is a set of JavaScript commands that the browser uses to evaluate against
the URI requests received from the user.
The following sample script includes code to test if a URI matches the format
https://*.google.com/*.
// If the URI matches https://*.google.com/* then route traffic
// directly to the Internet; everything else goes via the proxy.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) ||
      shExpMatch(url, "https://*.google.com/*"))
    return "DIRECT";
  return "PROXY proxy.example.com:8080"; // placeholder proxy address, not from the manual
}
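The snippet above relies on isPlainHostName() and shExpMatch(), which the browser's PAC engine supplies. The following is an added example, not code from the Google manual, that completes the sample into a whole PAC file and adds stand-ins for those two helpers so it can be exercised with Node outside a browser. The proxy address proxy.example.com:8080 and the test URLs are constructed placeholders.

```javascript
// Added example: a complete PAC file with stand-ins for the two PAC built-ins
// it uses. In a browser the engine provides these; the stand-ins mimic their
// documented behaviour (isPlainHostName: no dots in the host; shExpMatch:
// shell-style glob with * and ?).

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex metacharacters
                       .replace(/\*/g, ".*")                   // glob * -> any run
                       .replace(/\?/g, ".");                   // glob ? -> any single char
  return new RegExp("^" + escaped + "$").test(str);
}

// PAC entry point. The browser calls this with the full URL (scheme, host and
// path) before the TLS handshake, which is why a path-level decision is
// possible here even though a proxy later sees only the SNI hostname.
function FindProxyForURL(url, host) {
  // Intranet names and Google Apps over HTTPS go straight out.
  if (isPlainHostName(host) ||
      shExpMatch(url, "https://*.google.com/*")) {
    return "DIRECT";
  }
  // Everything else goes through the corporate proxy (placeholder address).
  return "PROXY proxy.example.com:8080";
}

console.log(FindProxyForURL("https://mail.google.com/mail/u/0/", "mail.google.com")); // DIRECT
console.log(FindProxyForURL("http://www.example.com/", "www.example.com"));          // PROXY ...
```

Note that the glob is matched against the whole URL, so the trailing "/" in "https://*.google.com/*" matters: a hostname such as www.google.com.example.net does not match, because ".google.com" must be followed directly by the slash. Likewise the leading "*." means the bare host google.com is not matched by this pattern and would be sent to the proxy; add a second shExpMatch() line if that host should also go DIRECT.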