Ssl inspection, Blocking access to google consumer services – Google Networking Best Practices for Large Deployments User Manual

Networking Best Practices for Large Deployments

        return "DIRECT";
    // All other URI requests should be routed through the proxy.
    else
        return "PROXY corporateproxy.domain.com:8080";

More examples for developing a proxy PAC file can be found on the external website FindProxyForURL.

Proxy PAC file testing

Implementing a functional proxy PAC file requires careful testing. Use a PAC file testing tool like pactester to test different JavaScript functions. A PAC file tester will allow you to pass a hostname and URI and see which path the browser will take given your PAC file. Download pactester from the Google Code pactest project site.
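The following is an added example, not a PAC file from this manual: a complete FindProxyForURL that ends with the same "everything else goes to corporateproxy.domain.com:8080" rule shown above, together with small re-implementations of the standard PAC helper functions it calls (browsers and pactester provide these natively). With the helpers in place the file can be run offline in Node, passing a URL and hostname and reading back the path the browser would take, which is exactly what a PAC tester does. The direct-routing conditions (plain hostnames, the example.com internal domain, non-HTTP schemes) are assumptions for illustration, and pacTest is a hypothetical stand-in for the pactester command line.

```javascript
// Added example; not the manual's PAC file. Helper functions below are
// re-implementations of the standard PAC built-ins so the policy can be
// exercised outside a browser.

// isPlainHostName: true for unqualified names such as "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// dnsDomainIs: true when host ends with the given domain suffix
// (standard semantics: dnsDomainIs("www.example.com", ".example.com")).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// shExpMatch: shell-style glob match (* and ?) against the whole string.
function shExpMatch(str, pattern) {
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                 // * matches any run of characters
    .replace(/\?/g, ".")                  // ? matches one character
    + "$";
  return new RegExp(re).test(str);
}

// Assumed policy: internal hosts and the example.com domain go direct,
// non-HTTP(S) schemes go direct, everything else goes through the proxy
// named on this page, falling back to DIRECT if the proxy is unreachable.
function FindProxyForURL(url, host) {
  // Unqualified hostnames (http://intranet/) never leave the network.
  if (isPlainHostName(host))
    return "DIRECT";
  // Anything under the internal domain, including subdomains.
  if (dnsDomainIs(host, ".example.com"))
    return "DIRECT";
  // Only HTTP and HTTPS are sent to the proxy (assumption).
  if (!shExpMatch(url, "http://*") && !shExpMatch(url, "https://*"))
    return "DIRECT";
  // All other URI requests should be routed through the proxy.
  return "PROXY corporateproxy.domain.com:8080; DIRECT";
}

// Hypothetical offline equivalent of "pactester -p file.pac -u URL [-h HOST]":
// derive the host from the URL unless one is given explicitly.
function pacTest(url, host) {
  if (host === undefined) host = new URL(url).hostname;
  return FindProxyForURL(url, host);
}

// Constructed sample inputs a tester run would pass in.
const SAMPLE_URLS = [
  "http://intranet/",
  "https://wiki.example.com/page",
  "ftp://files.other.net/pub/",
  "https://mail.google.com/a/example.com/",
];
for (const u of SAMPLE_URLS) console.log(u + " -> " + pacTest(u));
```

Because the helpers are ordinary functions, the same file can be loaded by pactester unchanged once the helper definitions are removed; the policy function itself uses only built-ins every PAC engine provides.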

SSL Inspection

Avoid SSL inspection if possible. SSL inspection is effectively an SSL “man in the middle attack” on your own users to examine the contents of HTTPS traffic. With SSL termination, your users connect to the proxy as the end point. The proxy terminates the SSL connection and inspects the traffic, then establishes a new connection to the destination server and forwards the traffic. This can cause a significant increase in load on traditional proxies that perform these operations in software rather than on a network appliance.

There are many commercial appliance vendors as well as many software proxy servers that
can perform SSL inspection. Typically this requires additional proxy configuration.

Each proxy server SSL Inspection setup is different, but the typical steps are as follows:

1. Self-sign an SSL certificate with an internal hostname, such as mail.example.com.

2. Install the mail.example.com certificate on the proxy server.

3. Write custom proxy rules. For instance, rewrite connections from https://mail.example.com/ to https://mail.google.com/a/example.com/.

4. Reject connections with a Host header that contains mail.google.com.

Note: Some proxies will allow you to keep the hostname the same and use a built-in certificate. This requires that the user’s browser trust the certificate, or users will receive a certificate error. For information on how to resolve these problems related to SSL inspection, consult your proxy server vendor and documentation.
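As an added example (not the manual's own or any vendor's proxy configuration), steps 3 and 4 above can be expressed as a single decision function that the proxy applies to each request after it has terminated TLS with the mail.example.com certificate from steps 1 and 2. The request shape, the 403 status and the inspectRequest/runSamples names are assumptions made for this illustration; the hostnames and the rewrite target are the ones given in the steps.

```javascript
// Added example, not the manual's code. Models the rewrite (step 3) and
// reject (step 4) rules of an SSL-inspecting proxy as one function.

const INTERNAL_HOST = "mail.example.com";                          // steps 1-2
const GOOGLE_APPS_URL = "https://mail.google.com/a/example.com/";  // step 3 target
const REJECTED_HOST = "mail.google.com";                           // step 4

// Decide what the proxy does with one decrypted request.
// req is { headers: { host: "..." }, path: "/..." } (assumed shape).
// Returns { action: "rewrite" | "reject" | "forward", ... }.
function inspectRequest(req) {
  // Host comparisons are case-insensitive and ignore an explicit port.
  const host = String(req.headers.host || "").toLowerCase().split(":")[0];
  // Drop leading slashes so the path appends cleanly to a URL ending in "/".
  const path = String(req.path || "/").replace(/^\/+/, "");

  // Step 3: the internal hostname is rewritten to the Google Apps URL for the
  // domain, keeping the original path.
  if (host === INTERNAL_HOST) {
    return { action: "rewrite", url: GOOGLE_APPS_URL + path };
  }

  // Step 4: any request whose Host header contains mail.google.com is refused,
  // so the only way to reach Gmail is through the rewrite above.
  if (host.includes(REJECTED_HOST)) {
    return { action: "reject", status: 403,
             reason: "Host header contains " + REJECTED_HOST };
  }

  // Everything else passes through unchanged.
  return { action: "forward", url: "https://" + host + "/" + path };
}

// Constructed sample requests, as the proxy would see them after TLS termination.
const SAMPLE_REQUESTS = [
  { headers: { host: "mail.example.com" }, path: "/mail/u/0/" },
  { headers: { host: "MAIL.GOOGLE.COM:443" }, path: "/mail/" },
  { headers: { host: "www.example.org" }, path: "/" },
];

// Run every sample through the rules and return the decisions in order.
function runSamples() {
  return SAMPLE_REQUESTS.map(inspectRequest);
}

for (const decision of runSamples()) console.log(JSON.stringify(decision));
```

Checking the Host header after lowercasing and stripping the port matters: a rule that compared the raw header would let "MAIL.GOOGLE.COM" or "mail.google.com:443" slip past the reject in step 4.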

Blocking Access to Google Consumer Services

As an administrator, you might want to prevent users on your network from signing in to a
Google service using a consumer account instead of the Google Apps account you provided
them with. For example, you may not want them to use their personal Gmail accounts. In
addition, you might also want to prevent users from signing in to a Google Apps account from
another domain.