On our wireless network, I need to whitelist Gmail. Normally web mail is blocked for lower-level employees, however it is correctly allowed for IT and Executive Management.
Now on the wireless it's done by IP range. I have the IPs added to an access policy that does not require authentication, because lots of wireless devices can't use NTLM auth (iPhones / Android phones / iPads / etc.). This is tied into our IT access policy, which DOES NOT BLOCK GMAIL. However, on an iPhone or iPad for example, when you click the mail icon, you always see:
"Cannot get mail
The mail server "imap.gmail.com" is not responding. Verify that you have entered the correct account info in Mail settings."
If it's an iPhone and you turn off wireless, it instantly works (since it then goes through AT&T instead of our WLAN).
So I do a trace to imap.gmail.com using the IP address of a device in question and I get this:
User Name: None
Group Membership: None
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2
Custom URL Category: IT Allowed
IronPort Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identity policy: servers_needing_downloads
Access policy: Information_Technology
Trace session complete
What is ERR_GATEWAY? If there is an issue, why can Gmail be accessed on a desktop PC by a person who also falls under that identity policy?
I have no idea why this is blocking. In the IT Allowed URL category I have these:
.gmail.com, imap.gmail.com, .google.com
You see it's hitting on that policy because in the trace it says IT Allowed. It's also hitting on the identity policy servers_needing_downloads, which is basically an all-open policy to allow servers to contact update services, or WebEx/GoToMeeting for support and other things.
The trace tool is mostly useless for stuff like this.
Figure out what the IP address of the device in question is.
Telnet/SSH to your WSA and, at the prompt, type "grep".
Enter the number of the log you wish to grep.
Enter the regular expression to grep.
Do you want this search to be case insensitive? [Y]>
Do you want to search for non-matching lines? [N]>
Do you want to tail the logs? [N]> y
Do you want to paginate the output? [N]>
Now try to get mail on the device, and see what the WSA produces.
It's not even hitting the IronPort.
You know what, upon further investigation, when you access Gmail from an iPad or iOS device, it uses different ports for IMAP or SMTP, and guess what... we have egress filtering on the firewall and only HTTP/HTTPS is allowed on that subnet.
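A quick way to confirm that diagnosis from a host on the affected subnet, as an added example that is not part of the thread: probe the TCP ports the Mail client actually needs and compare them with port 443. A silent egress drop shows up as a connect timeout, which is what the client reports as "not responding", whereas a proxy or server that actively rejects shows up as a refused connection. The port numbers (993, 587, 465) are the standard Gmail IMAPS/SMTP submission ports and are assumed here; the thread only says "different ports".

```python
import socket

# Endpoints the iOS Mail app uses for a Gmail account. Ports are the standard
# ones (assumed; the thread does not list them). 443 is the control case that
# the egress rule in the thread does allow.
GMAIL_ENDPOINTS = [
    ("imap.gmail.com", 993),   # IMAP over TLS
    ("smtp.gmail.com", 587),   # SMTP submission (STARTTLS)
    ("smtp.gmail.com", 465),   # SMTP over TLS
    ("mail.google.com", 443),  # HTTPS webmail, allowed by the egress filter
]


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    'timeout'  -> no SYN/ACK or RST came back: typical of a firewall that
                  silently drops the egress packets (the thread's case).
    'refused'  -> the far end (or an in-path device) sent RST.
    'open'     -> the handshake completed.
    'error'    -> DNS failure or other socket error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def egress_report(endpoints, timeout=3.0):
    """Return {(host, port): result} so the caller can see which ports
    the subnet is allowed to reach and which are being dropped."""
    return {(h, p): probe_tcp(h, p, timeout) for h, p in endpoints}


if __name__ == "__main__":
    # Run from a device on the wireless subnet; on the thread's network you
    # would expect 443 'open' and 993/587/465 'timeout'.
    for (host, port), state in egress_report(GMAIL_ENDPOINTS).items():
        print(f"{host}:{port:<4} {state}")
```

If 993 and 587 come back as "open" from the same subnet, the firewall is not the culprit and the WSA access logs (the grep procedure above) are the next place to look.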