HTTPS Scanning and "Google Drive":

Hi everybody,

According to the knowledge base article https://community.sophos.com/kb/it-it/120790, with HTTP scanning enabled, adding site exemptions should allow users to access and synchronize their Google Drive.
Unfortunately, it seems not.
I've added the exemptions listed here https://support.google.com/drive/answer/2589954, but the Google Drive server still remains unreachable (the icon in the tray remains greyed).

Is there anybody who had (and solved) the same issue?

thx in advance



This thread was automatically locked due to age.
  • I've had success with this Exception List, though I'm still shaky on the regex and would appreciate any further refinement suggestions:

    ^https?://([A-Za-z0-9.-]*\.)?c\.docs\.google\.com
    ^https?://([A-Za-z0-9.-]*\.)?clients[0-9]\.google\.com
    ^https?://([A-Za-z0-9.-]*\.)?docs\.google\.com
    ^https?://([A-Za-z0-9.-]*\.)?drive\.google\.com
    ^https?://([A-Za-z0-9.-]*\.)?ggpht\.com
    ^https?://([A-Za-z0-9.-]*\.)?googleapis\.com
    ^https?://([A-Za-z0-9.-]*\.)?googleusercontent\.com
    ^https?://([A-Za-z0-9.-]*\.)?gstatic\.com
    ^https?://[0-9]\.client-channel\.google\.com
    ^https?://accounts\.google\.com
    ^https?://apis\.google\.com
    ^https?://clients[0-9]\.google\.com
    ^https?://docs\.google\.com
    ^https?://drive\.google\.com
    ^https?://gg\.google\.com
    ^https?://googledrive\.com
    ^https?://lh[0-9]\.google\.com
    ^https?://s\.ytimg\.com
    ^https?://script\.google\.com
    ^https?://sheets\.google\.com
    ^https?://slides\.google\.com
    ^https?://ssl\.google-analytics\.com
    ^https?://takeout\.google\.com
    ^https?://talk\.google\.com
    ^https?://video\.google\.com
    ^https?://www\.google\.com

    I've added ggpht.com in addition to the others Google recommended, as I saw requests for resources from that domain during browser use of drive.google.com.

    With the above added to an exception list with SSL scanning not checked, I'm able to browse to Google Drive and upload and download files. Without this exception list enabled it does not work.
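
An added example, not part of the post above: a check of what four of the posted patterns actually exempt, next to a variant that ends the match at the hostname boundary. It assumes the appliance applies each pattern as a regex search over the full URL, as Python's `re` does; `harden`, `matched_urls`, `redundant_on_sample` and the test URLs are constructed for illustration.

```python
import re

# Patterns copied from the exception list in the post above (subset).
POSTED = [
    r"^https?://([A-Za-z0-9.-]*\.)?googleapis\.com",
    r"^https?://([A-Za-z0-9.-]*\.)?drive\.google\.com",
    r"^https?://accounts\.google\.com",
    r"^https?://drive\.google\.com",
]

# Constructed test URLs; the .example hosts are placeholders, not real sites.
URLS = [
    "https://drive.google.com/drive/my-drive",
    "https://www.googleapis.com:443/upload/drive/v3/files",
    "https://accounts.google.com",
    "https://sub.drive.google.com/file",
    "https://accounts.google.com.lookalike.example/login",
    "https://drive.google.com.lookalike.example/",
    "https://notgoogleapis.com/",
]

# Optional port, then the start of path/query/fragment or end of string.
HOST_END = r"(?::[0-9]+)?(?:[/?#]|$)"


def harden(pattern):
    """Append a host boundary so the match cannot run on into a longer hostname."""
    return pattern + HOST_END


def matched_urls(patterns, urls):
    """Return the URLs that at least one pattern would exempt from scanning."""
    compiled = [re.compile(p) for p in patterns]
    return [u for u in urls if any(c.search(u) for c in compiled)]


def redundant_on_sample(patterns, urls):
    """Patterns whose removal leaves the exempted set unchanged for these URLs."""
    full = matched_urls(patterns, urls)
    return [p for i, p in enumerate(patterns)
            if matched_urls(patterns[:i] + patterns[i + 1:], urls) == full]


if __name__ == "__main__":
    print("posted   :", matched_urls(POSTED, URLS))
    print("hardened :", matched_urls([harden(p) for p in POSTED], URLS))
    print("redundant:", redundant_on_sample(POSTED, URLS))
```

The posted patterns are anchored at the start only, so a hostname that merely begins with an exempted name is exempted too; the boundary suffix closes that gap while still allowing an explicit port. On this sample the bare `drive\.google\.com` entry is already covered by the optional-subdomain form above it.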

  • Fortunately the SWA does not require all these regular expressions.

    There are a couple of considerations.

    Application control and/or policy for the SWA refers to the web-based client (so log in with a web browser and confirm the results you are seeing are the same and/or it's working as expected).

    The real issue here is that the app may be communicating on a port other than 443 or 80. In that case you would need to ensure you make a new local site list entry to include the port, for example mydomain.google.com:8443. This would allow the appliance to accept responses from that site on that port.

    Another option (you could leave in place) or just test with:

    Add new site to the local site list.

    Select "add multiple sites".

    google.com
    googleapis.com
    gstatic.com
    googleusercontent.com
    accounts.google.com
    drive.google.com
    docs.google.com
    gmail.com

    Change the risk class to trusted.

    Click add.

    This will create new entries in the lsl for each site.

    * Note: trusting sites disables scanning. I do not recommend trusting any site unless it's absolutely necessary. In this case the reason to trust the site is to allow the client to make byte-range requests. By default these requests are dropped to prevent people from downloading a virus 1 byte at a time.

    ** Note: it can take up to 10 mins for these changes to replicate.
