Monitor uri filtering – Google Networking Best Practices for Large Deployments User Manual
Page 27

Network Configuration
A common means of blocking access to web services is using a web proxy server to filter
traffic directed at particular URIs or hostnames. This approach is ineffective in this case
because all the URIs accessed between consumer and Google Apps accounts are the same.
To only allow users to access Google services using specific Google accounts from your
domain, you need the web proxy server to add an HTTP header to all traffic directed to
*google.com; the header identifies the domains whose users can access Google services.
Since most Google Apps traffic is encrypted, your proxy server also needs to support SSL
interception. (See
for a list of proxy servers known to support both SSL
interception and HTTP header insertion.)
To prevent users from signing in to Google services using Google accounts other than those
you explicitly specify:
1. Route all traffic outbound to google.com through your web proxy server(s).
2. Enable SSL interception on the proxy server.
   Since you will be intercepting SSL requests, you will probably want to manage client
   certificates on every device using the proxy, so that the user’s browser does not issue
   warnings for the requests.
3. For each google.com request:
   a. Intercept the request.
   b. Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated
      list with allowed domain name(s). Include the domain you registered with
      Google Apps and any secondary domains you might have added.
      For example, to allow users to sign in using accounts ending in @altostrat.com and
      @tenorstrat.com, create the following header with the domain names you want to allow:
      X-GoogApps-Allowed-Domains = altostrat.com,tenorstrat.com
4. Optionally, create a proxy policy to prevent users from inserting their own headers.
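
The header handling in steps 3 and 4, sketched as an added example in Python; it is not code from this manual or from any proxy product. The function names are hypothetical, the domain list is the manual's sample, and *google.com is assumed to mean google.com plus its subdomains.

```python
# Added example: the header policy a filtering proxy applies to a request
# after SSL interception. Names below are hypothetical, not a vendor API.

HEADER = "X-GoogApps-Allowed-Domains"
ALLOWED_DOMAINS = ["altostrat.com", "tenorstrat.com"]  # the manual's sample domains


def is_google_host(host_header):
    """True for google.com and its subdomains (assumed meaning of *google.com).

    Ignores letter case, an optional :port and a trailing dot, and rejects
    look-alikes such as notgoogle.com or google.com.example.net.
    """
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, never a google.com name
        return False
    host = host.rsplit(":", 1)[0].rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def apply_policy(host_header, headers):
    """Return the (name, value) header list the proxy forwards upstream."""
    if not is_google_host(host_header):
        return list(headers)
    # Step 4: drop every client-supplied copy, whatever its letter case.
    kept = [(n, v) for n, v in headers if n.strip().lower() != HEADER.lower()]
    # Step 3b: add exactly one header carrying the comma-separated list.
    kept.append((HEADER, ",".join(ALLOWED_DOMAINS)))
    return kept


if __name__ == "__main__":
    # Constructed sample request in which the client set its own header value.
    sample = [
        ("Host", "accounts.google.com"),
        ("x-googapps-allowed-domains", "example.org"),
        ("User-Agent", "sample-browser"),
    ]
    for name, value in apply_policy("accounts.google.com:443", sample):
        print(f"{name}: {value}")
```
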
Monitor URI Filtering
Avoid URI filtering with SSL inspection if possible. If you are using URI filtering, set up a policy
to monitor URIs in proxy logs. Look for any URIs that were incorrectly blocked or allowed.
These changes in the accessed URIs can cause Google Apps to load partially, slowly, or not at
all. To avoid problems with URI filtering, if you filter on your proxy servers, set up a policy
for constant monitoring of your proxy load, and be prepared to adjust the rules if necessary.
To help discover what these new URIs might be, test new Google Apps features or services in
a test environment before allowing their use in production. To help with this you can install a