Personnel Gmail restrictions for specific group only.
In Zscaler as of now there is no option to block the personnel gmail only for specific group. But there is an option to allow only specific domains to access the google APPs.
Since this the configuration is global, this change will applicable for all users. In an Enterprise the top management will always look for full internet access. So we have to split this into two.
1. Allow the personnel Gmail to all Enterprises top management.
2. Block the personnel Gmail to all other users. Allow the personnel Gmail to all Enterprises top management.
Bypass the personnel gmail or Google APPs URLS in PAC file and use that PAC file for top management.
For example.
For example.
// Gmail Go direct
If (shExpMatch(host, “*.gmail.com”) ||
shExpMatch(host, “accounts.google.com”) ||
shExpMatch(host, “myaccount.google.com”) ||
shExpMatch(host, “hangouts.google.com”) ||
shExpMatch(host, “calender.google.com”) ||
shExpMatch(host, “contacts.google.com”) ||
shExpMatch(host, “mail.google.com”) )
return “DIRECT”;
Challenge:
Challenge:
Here the challenge is, after bypass the URLs we have to forward those into direct internet, which is more complex if you are using router or CPE without application intelligence. If the gateway is application aware CPE or UTM enabled firewall or NGFW, the Application specific allow will be easy. Otherwise Identify the list of IP addresses of gmail become tedious.
Block the personnel Gmail to all other users.
In order to block the personnel Gmail accounts use another pac file without gmail bypass , and forward them directly to Zscaler. Since the global configuration on the zscaler to allow only specific Google Apps, the users can access personnel gmail only if we use the allowed domains to login the gmail.
Note: SSL inspection has to enable in location.
Note: SSL inspection has to enable in location.