cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rockchick_uk
Level 8
Report Inappropriate Content
Message 1 of 32
‎12-05-2019 11:51 AM

Application Control configuration

Jump to solution

Hi all

I am new to MWG so forgive me if this is a really stupid question!  My customer is looking to allow specific cloud storage and webmail URLs such as gmail and Onedrive for a small subset of AD users.  I've configured this right now with custom categories (eg *mail.google.com* & *gmail.com* for Gmail) but it's been suggested that using Application Controls might be a more effective and less maintenance-heavy approach, particularly for Onedrive which requires dozens of URLs unless you just super-set them to *microsoft.com* etc. 

I have never configured Application Control before and am wondering if there is a best practise guide to doing it, since the admin guide doesn't have much to say about it.  I specifically would like to know what the difference is between the Application.Name and the Application.ToString.  I know the official answer is this:

Type

Type of property

Description

Application.Name

Applcontrol

This property contains the application name of the current request

Application.ToString

String

Converts an application control value to string

 

...but this is still meaningless to me.  Please can someone give me a more human explanation? 

Which one works best?  Which one should I use to control usage of things like Onedrive, gmail and icloud?

I googled MWG App Control and found this clip:  https://www.youtube.com/watch?v=uDxZFKYFX5E but he seems to be manually typing the App name into the configuration - why would you do that when you can browse through the whole list of applications and select the one you want, to avoid potential typos?  There must be a good reason as he clearly knows the product very well.  Please can someone explain?

A step by step guide to configuring Application Control, if one exists, would be hugely appreciated along with answers to one or all of my questions.

thanks in advance!

0 Kudos
Reply
2 Solutions

Accepted Solutions
aloksard
Employee
Employee
Report Inappropriate Content
Message 2 of 32
‎12-06-2019 06:02 AM

Re: Application Control configuration

Jump to solution

Hi,

Hope you are doing well.

 

You should create a rule based on criteria Application.Name.

 

We have an application named Gmail, Microsoft OneDrive, Microsoft OneDrive For Business, iCloud.

 

You can create a rule using criteria Application.Name is in list and add all the above mentioned applications and then configure the action to the rule accordingly.

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 

Regards

Alok Sarda

View solution in original post

Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 30 of 32
‎01-16-2020 05:33 AM

Re: Application Control configuration

Jump to solution
url matches https://accounts.google.com/*mail.google.com*

View solution in original post

Reply
31 Replies
aloksard
Employee
Employee
Report Inappropriate Content
Message 2 of 32
‎12-06-2019 06:02 AM

Re: Application Control configuration

Jump to solution

Hi,

Hope you are doing well.

 

You should create a rule based on criteria Application.Name.

 

We have an application named Gmail, Microsoft OneDrive, Microsoft OneDrive For Business, iCloud.

 

You can create a rule using criteria Application.Name is in list and add all the above mentioned applications and then configure the action to the rule accordingly.

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 

Regards

Alok Sarda

Reply
rockchick_uk
Level 8
Report Inappropriate Content
Message 3 of 32
‎12-06-2019 10:01 AM

Re: Application Control configuration

Jump to solution

Thank you, you have exactly answered my question, I am very grateful! 🙂

0 Kudos
Reply
rockchick_uk
Level 8
Report Inappropriate Content
Message 4 of 32
‎12-11-2019 08:11 AM

Re: Application Control configuration

Jump to solution

Hello, I have another question about this.  I have configured a Gmail rule using the Gmail application Control, and the MWG is not picking up that accounts.google.com is Gmail.  I have had to add a custom URL category to my rule but I was hoping to avoid having to do that.  Do you have any advice?

many thanks

0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 5 of 32
‎12-11-2019 06:30 PM

Re: Application Control configuration

Jump to solution

Hi,

Hope you are doing well. 

 

accounts.google.com  URL gets categorized under Application name as Google.

 

Attaching screenshot for reference.

 

Regards

Alok Sarda

0 Kudos
Reply
rockchick_uk
Level 8
Report Inappropriate Content
Message 6 of 32
‎12-12-2019 12:03 AM

Re: Application Control configuration

Jump to solution

Hi Alok

Thanks for the reply

So the problem with this is, my customer wants to allow Gmail for a specific Gmail AD group only.  Further down in this new Application Control ruleset is a catchall rule which blocks the URL category of webmail for everyone else. (This seemed to me to be the best way of doing it but if you can think of a better way I would love to hear it!)

So when the user in the Gmail AD group tries to navigate to gmail.com, the first URL requested by the browser, according to Rule Tracing Central, is accounts.google.com.  The MWG misses this as being part of the gmail application, but recognises it as being a webmail URL, and the user is blocked when he should be allowed.

I am wondering if this is a problem with the Application Control categorisation, or if I am doing something wrong!!

0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 7 of 32
‎12-12-2019 02:39 AM

Re: Application Control configuration

Jump to solution

Hi,

Hope you are doing well.

mail.google.com and gmail.com are successfully getting categorized under Gmail application.

 

I am checking internally at my end regarding Application categorization for accounts.google.com.

 

Meanwhile you can allow accounts.google.com using criteria URL.host or any  other URL related property  for the specific Gmail AD group.

 

Please refer below link for the same:-

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-URL-related-Properties/ta-p/5540...

 

 

Regards

Alok Sarda

0 Kudos
Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 32
‎12-12-2019 07:52 AM

Re: Application Control configuration

Jump to solution

 Add that as a condition of the rule.  Here's the dilemma:

accounts.google.com is used to login to all Google properties - not just gmail.  If you have SSL inspection enabled, you will notice that its has the Google property in the URL (below is an example - the property being logged into is bolded):

https://accounts.google.com/CheckCookie?hl=en&checkedDomains=youtube&checkConnection=youtube%3A612%3...

 

In this case the URL is categorized as Blogs/Wiki, because it has blogger.com.  If you see one with youtube.com, it will be streaming media, similarly, the gmail login will be categorized as Web Mail.

 

This domain has caused us headaches in rules, which is likely why it isn't in the application rule.  We use this domain with our corresponding domain rules to ensure things work

 

Also note, client6.google.com (I think that's the domain) is used with Google Docs/Drive, but not in the application rule also.  Just a heads-up.

0 Kudos
Reply
rockchick_uk
Level 8
Report Inappropriate Content
Message 9 of 32
‎12-12-2019 08:10 AM

Re: Application Control configuration

Jump to solution

Hi

How would I add that as a condition of the rule?

The specific URL that is being blocked by the URL rule as webmail is this:

https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.go...

So obviously you can see that within the URL, mail.google.com is featured.  Is there a way to add this into a custom URL category?  Currently my custom URL category consists of:

*mail.google.com*

*gmail.com*

*accounts.google.com* 

which is not ideal!

Thanks in advance

0 Kudos
Reply
AaronT
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 32
‎12-12-2019 08:15 AM

Re: Application Control configuration

Jump to solution
Why not make rule that uses the Gmail application OR the accounts.google.com in it? That's the cleanest solution.
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC