How do I limit users to the Google™ domain I specify?

Article #: Product Castle
1672 Guardian All

Summary

How to restrict G Suite to only work with the domain you specify, for example, smoothwall.net.

Problem

You want to limit your users to only accessing your company or student Google email or G Suite account.

Smoothwall offers a G Suite (formally Google Apps) content modification option which you can put in place to block users from logging into Google Mail for all domains except for the ones you specify (for example, smoothwall.net).

Solution

  1. Add Webmail to the IT & Technical category group — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/filters.htm
  2. Add mail.google.com to the Custom allowed content category — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/customcategory.htm
  3. Create a new content modification with the following header to override: X-GoogApps-Allowed-Domains:domain.tld
    where domain.tld is the domain to be allowed through.
    More than one domain can be added by separating them by commas — X-GoogApps-Allowed-Domains: mydomain.com, mydomaintoo.com
    See https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/customcmod.htm
  4. Create a content modification policy, with the following aspects:
    • Who — Everyone
    • What — Everything
    • Where — Everywhere
    • Action — Apply GoogleApps
  5. See https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/contentmodpolicywiz.htm

  6. Export Guardian's Certificate Authority (CA) certificate — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/httpssettings.htm.
    You must distribute this to all domain machines and devices, using a domain group policy, as a Root Trusted Certificate Authority.
  7. Order the HTTPS inspection policies as so:
    • Priority = 1
    • Who = Everyone
    • What = Online Banking, SSL/CRL, Custom categories used to bypass certificate check and inspection
    • Where = Everywhere
    • When = Always
    • Action = Do not inspect
    • Priority = 2
    • Who = Everyone
    • What = Everything
    • Where = Everywhere
    • When = Always
    • Action = Decrypt and inspect
  8. Note: The above requires HTTPS interception to be setup and working on the Guardian web filter — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/https.htm.

Attribution:

Last updated: Author: Contributions by:
23rd November 2016   DMT, SN