Block access to consumer / Personal Gmail accounts

 

Block access to consumer / Personal Gmail accounts

Short answer:

To block access to some Google accounts and services while allowing access to your managed Google accounts (such as G Suite or Cloud Identity), you need a web proxy server that can perform SSL interception and insert HTTP headers.
As an administrator, you may want to prevent users from signing in to Google services using any accounts other than the accounts you provided them with. For example, you may not want them to use their personal Gmail accounts or a managed Google account from another domain.
A common means of blocking access to web services is using a web proxy server to filter traffic directed at particular URLs. This approach won’t work in this case, because legitimate traffic from a user’s managed Google account goes to the same URL as the traffic you want to block.
To only allow users to access Google services using specific Google accounts from your domain, you need the web proxy server to add a header to all traffic directed to google.com; the header identifies the domains whose users can access Google services. Since most traffic through your Google service is encrypted, your proxy server also needs to support SSL interception. (See below for a list of proxy servers known to support both SSL interception and HTTP header insertion.)
To prevent users from signing in to Google services using Google accounts other than those you explicitly specify:
<![if !supportLists]>1.      <![endif]>Route all traffic outbound to google.com through your web proxy server(s).
<![if !supportLists]>2.      <![endif]>Enable SSL interception on the proxy server.

Since you will be intercepting SSL requests, you will need to configure every client device to trust your SSL proxy by deploying the Internal Root Certificate Authority used by the proxy and marking it as trusted.
<![if !supportLists]>3.      <![endif]>For each google.com request:

a. Intercept the request.

b. Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with G Suite and any secondary domains you might have added.

For example, to allow users to sign in using accounts ending @altostrat.com and tenorstrat.com, create a header with the name X-GoogApps-Allowed-Domains and this value:
altostrat.com, tenorstrat.com
You may also want to create a proxy policy to prevent users from inserting their own headers.

Users attempting to access Google services from an unauthorized account will see a web page describing the unavailable service, the unauthorized account they're using, the domains where the service is unavailable, and a suggestion that they contact a network administrator for more information and sign out of their unauthorized account and sign in with an authorized account.
Note: This approach blocks sign-in access to Google consumer services other than Google Search, but does not necessarily prohibit anonymous access.
Google does not maintain a list of blocked services. If a particular service requires login, access will be blocked. Services which do not require authentication, such as Google Search and YouTube will not be blocked.

Specific configuration instructions provided by proxy server providers

        Barracuda Networks
  Symantec
        McAfee
        Websense

Comments

Post a Comment

Popular posts from this blog

How to install XIbo?

Image
How to install Xibo on Windows 10 64 bit What is Xibo? XIbo is open source signage software, Xibo Digital Signage is a low-cost, high performance solution to launch your business, workplace or organisation into the future. Xibo doesn’t just replicate print media, but actively increases engagement allowing you to deliver your message more effectively than ever before What is  Digital signage?  Digital signage is a sub-segment of electronic signage. Digital displays use technologies such as LCD, LED, projection and e-paper to display digital images, video, web pages, weather data, restaurant menus, or text.  Wikipedia How to install Xibo on Windows 10. It is very easy to install the Xibo on windows 10 x64 bit os with docker. Below is the step to install the Xibo. ð   Step 1.   Download the docker for windows 10 x64,  Link to download Docker ð   Step 2. Install the Docker. Double-click  Docker for Windows Installer  to run the installer
Read more

How to install - Snipe-IT, Free IT Asset manager software

Image
 Snipe-IT, IT Free Asset manager Software. S nipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories. Pre-requisite 1) Wamp Webserver - Download Link 2)  composer  - Download Link Step 1.  Install Composer 2) Install Wamp  create database snipeit; show databases; Create user snipe_user; grant all on snipeit.* to 'snipe_user' @ 'localhost' identified by 'password123' ; Extract and configure Snipe-IT and run composer https://snipeitapp.com/download Download and exact Snipe-IT to c:\wamp\www\snipe-it. Edit  .env.example See the  Configuration  options for more information on how to configure your Snipe-IT installation. Save your edited  env.example  as  .env Open command prompt then change directory to  c:\wamp\www\snipe-it\ . Then ru
Read more

Get information about SSL protocols

Image
  Get the information about the SSL version using and strength by utilizting the SSL Disagnos SSL Diagnos is used to test SSL strength; Get information about SSL protocols (pct, ssl2, ssl3, tls, dtls) and cipher suites. It can also be used for testing and rating ciphers on SSL clients. It has also specific support for pop3s, sip, smtp and explicit ftps. Tests for heartbleed (including dtls). Furthermore a separate tool, SSLPressure, not using openssl can be used to check the whole spectrum of possible SSL protocols on a server. Can also be used for testing ssl for mssql-servers (was added since nessus did not support this) and contains mitm poc for stripping ssl from mssql-connections. Features SSL scanner including rating of SSL cipher suite strength for server and clients Test SSL strength in for example https, smtp, sip, pop3s, ftps Can be used for OWASP-CM-001 Uses OpenSSL to test ssl2, ssl3, tls, dtls, explicit ftps Tests renegotiation and availability
Read more