It is clearly said that V100 and V500 do not support web mail filtering. However, this is not the fact. Now, Dr. WoW is going to decipher this mystery.
Web mail filtering is widely applied in multiple scenarios. For example, an enterprise restricts the use of standard mail protocols, such as POP3 and SMTP, to ensure information security. However, some "smart" employees use applications, such as NetDisk, QQ, and email, that are carried in HTTP/HTTPS to evade regular application checks. Besides, each enterprise may have different restriction criteria. For example,
- Employees can access the web mailbox and send email, but cannot upload or send email attachments.
- Employees can access the web mailbox to receive email but cannot send email.
- Employees are not allowed to access the web mailbox.
In principle, mail filtering does not apply to web mailboxes. However, as a matter of fact, you can use application identification, URL filtering, and application behavior control to achieve the same effect.
Employees Can Access the Web Mailbox and Sent Email, But Cannot Upload or Send Email Attachments
Since mail filtering does not apply to web mailboxes, you can find other breaking points. This requirement seems difficult to satisfy. HTTP upload needs to be restricted. So here is the solution: use application identification and application behavior control.
1. Configure the SSL decryption function. Since all mainstream web mailboxes use HTTPS, you need to decrypt it into HTTP.
2. Configure an application behavior control profile to disable the HTTP upload.
3. Configure a security policy, set the application to web mail, and reference the application behavior control profile.
4. Commit the configuration for it to take effect.
Employees Can Access the Web Mailbox to Receive Email But Cannot Send Email
The enterprise requires that employees can receive email but cannot send email. After analyzing the sending action, we can see that the URL format has specific rules. For example, the NetEase mailbox contains both l=compose and action=deliver fields. To meet this requirement, we can use user-defined URL category and URL filtering.
1. Configure a user-defined URL category to match the email sending operation.
2. Configure a URL filtering profile to block the user-defined URL category.
3. Configure a security policy, set the application to web mail, and reference the URL filtering profile. The configuration is similar to that in the preceding section.
4. Commit the configuration for it to take effect.
Employees Are Not Allowed to Access the Web Mailbox
The configuration is quite simple because all web mailbox operations are restricted. You can set the application to web mail (such as Netease_Webmail) and configure a security policy in which the action is set to block.
Summary
If you are attentive enough, you may have noticed that we introduced SSL decryption configuration when we try to meet the first requirement. This is because all existing mainstream web mailboxes use HTTPS. We can also use it for the second requirement. Just configure a proxy policy to decrypt HTTPS.
