cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3820
Views
0
Helpful
2
Replies
Highlighted
Enthusiast

ironport web just WILL NOT whitelist gmail

On our wireless network, I need to whitelist gmail.  Normally web mail is blocked for lower level employees, however it is correctly allowed for IT and Executive Management.

Now on the wireless it's done by IP range.  I have the IP's added to an access policy that does not require authentication, because lots of wireless devices can't use NTLM auth (iphones/ android phones / ipad / etc..).  This is tied into our IT access policy which DOES NOT BLOCK GMAIL.  However on an iphone or ipad for example, when you click the mail icon, you always see:

Cannot get mail

The mail server "imap.gmail.com" is not responding.  Verify that you have entered the correct account info in Mail settings".  If it's an iphone, and you turn off wireless, it instantly works (from going through AT&T instead of our WLAN).

So I do a trace to imap.gmail.com as the IP address of a device in question and I get this:

User Information

User Name: None

Group Membership: None

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.861.0 Safari/535.2

Custom URL Category: IT Allowed

Policy Match

IronPort Data Security policy: None

Decryption policy: None

Routing policy: Global Routing Policy

Identity policy: servers_needing_downloads

Access policy: Information_Technology

Final Result

Request blocked

Details: ERR_GATEWAY

Trace session complete

What is ERR_GATEWAY?  If there is an issue, why can gmail be accessed on a desktop PC on a person that also applies to that identity policy?

I have no idea why this is blocking.  In the IT Allowed URL category I have these:

.gmail.com, imap.gmail.com, .google.com

You see it's hitting on that policy because in the trace it says IT Allowed.  It's also hitting on the Identity policy servers_needing_downloads, which is basically an all open policy to allow servers to contact update services, or webex/go2meeting for support and other things.

Any ideas?

Everyone's tags (1)
2 REPLIES 2
Engager

ironport web just WILL NOT whitelist gmail

The trace tool is mostly useless for stuff like this. 

Figure out what the IP address of the device in question is.

Telnet/SSH to your WSA, at the prompt, type "grep"

Enter the number of the log you wish to grep.
[]> 1

Enter the regular expression to grep.
[]> 172.16.151.40 

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> y

Do you want to paginate the output? [N]>

Now try to get mail on the device, and see what the WSA produces.

Enthusiast

ironport web just WILL NOT whitelist gmail

It's not even hitting the IronPort.

You know what, upon further investigation when you access gmail from an ipad or ios device, it uses different ports for IMAP or SMTP, and guess what..  we have egress filtering on the firewall and only HTTP / HTTPs is allowed on that subnet.

My bad!