2

Google app mail loads via http://mail.google.com/a/[domain] and Gmail loads via http://mail.google.com/mail.

How can I block computers on my LAN from accessing Gmail URLs but at the same time permit accessing Google Apps mail URLs?

I can modify settings on the router (including changing it to dd-wrt if required), configure a server on the network (e.g. to add a squid proxy), and make local changes on individual computers (we have both Macs and PCs). However, any local changes that you suggest should be fairly difficult for a user to bypass or else the solution won't hold.

Thanks.

SQwe

3 Answers

4

Unless you set up a proxy to perform a man-in-the-middle attack on HTTPS connections, then there doesn't seem to be a good way to do this. The reason is that, for every device not part of the transaction, the only information known is that the user is accessing mail.google.com on port 443.

Hyppy
2

Google app mail loads via http://mail.google.com/a/[domain] and Gmail loads via http://mail.google.com/mail.

That was the case in the past, but is not the case any more with the new unified infrastructure they're moving to. If your Google Apps domain is still using the /a/ location, it will be moving in the next couple of weeks to the new infrastructure.

Going forward, Gmail and all Google Apps domains will use the same /mail/ structure.

To answer your question, though, there is going to be no way to do this. It'll need to be tackled from an HR/policy point of view.

EEAA
  • Yes, I see that the URLs are now becoming the same. Still, it should still be possible with a man-in-the-middle proxy that analyzes the pages and blocks if it finds a @gmail.com address at the top right. – SQwe May 18 '11 at 17:18
  • 2
    @SQwe - that's not going to work with SSL, though, which I hope you have force-enabled on your domain. – EEAA May 18 '11 at 17:20
  • Why wouldn't it? The documentation of the SSL man-in-the-middle attacks notes that it will cause merely a browser warning of an apparently invalid certificate. Are there any other caveats I should be aware of before diving into this? Something specific that Google does to prevent this on their services? – SQwe May 18 '11 at 23:40
  • 4
    Configuring a proxy to intercept SSL traffic, frankly, is bad policy. It's training users to think that clicking "okay" on an invalid cert is a perfectly acceptable thing to do. – EEAA May 19 '11 at 03:25
1

Google now provide instructions on how to achieve this in their help pages at "Block access to consumer accounts".

Essentially it boils down to having a web proxy that can intercept SSL, then setting it to add an HTTP header X-GoogApps-Allowed-Domains on all requests to google.com.

Andy Madge
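
The header injection described in the answer above, as an added example that is not part of the original post or of Google's documentation. It is written in the shape of a mitmproxy addon; the domain `example.com`, the comma-separated value format, and the helper names are assumptions, and the proxy is assumed to already intercept TLS with a CA the clients trust.

```python
"""mitmproxy-style addon: pin Google sign-ins to approved domains.

Load with: mitmdump -s this_file.py
"""

HEADER = "X-GoogApps-Allowed-Domains"  # header name from the answer above
ALLOWED_DOMAINS = ["example.com"]      # placeholder: your Google Apps domain(s)
GOOGLE_SUFFIX = "google.com"


def is_google_host(host: str) -> bool:
    """True for google.com and its subdomains, not for look-alike names."""
    host = host.lower().rstrip(".")
    return host == GOOGLE_SUFFIX or host.endswith("." + GOOGLE_SUFFIX)


def apply_policy(host, headers, allowed=ALLOWED_DOMAINS) -> bool:
    """Rewrite `headers` in place; return True if the header was enforced."""
    # Drop any copy the client sent, whatever its case, so a user cannot
    # supply a value of their own that survives the proxy.
    for name in [n for n in headers if n.lower() == HEADER.lower()]:
        del headers[name]
    if not is_google_host(host):
        return False
    headers[HEADER] = ",".join(allowed)  # assumed format: comma-separated list
    return True


class RestrictGoogleAccounts:
    def request(self, flow):
        # mitmproxy calls this hook for each decrypted client request.
        apply_policy(flow.request.pretty_host, flow.request.headers)


addons = [RestrictGoogleAccounts()]
```

Matching on the exact suffix keeps the header from being sent to hosts such as `google.com.evil.example`, and removing the client's own copy first closes the obvious bypass of pre-setting the header in the browser.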