Allowing only access to Google Maps
One of our schools asked for exam users to only have access to Google Maps and no other website. You may think you could simply allow maps.google.co.uk, but block everything else. This will not work as:
- maps.google.co.uk redirects to https://www.google.co.uk/maps which is the same domain as other Google services including searches
- It is HTTPS meaning the URL path (in this case beginning with /maps) is not visible to the proxy
- Google services use many domains for components on the pages
N.B. you must have the HTTPS Interception NetManager module for this to work. You must also have installed your NetManager CA cert on all relevant devices.
Step 1 - select exam users
Create a Filter based on a proxy port used only for exams. This port should be HTTPS-enabled:
Step 2 - determine Google domains
Create a Filter called Google domains. Here is an example, but ideally it should contain all country-specific Google domains (click here for a list you can copy and paste):
Step 3 - intercept HTTPS for Google domains
Create an Access Rule in the SSL Interception settings that links the exam port and domains together:
Step 4 - ensure we can select between HTTP and HTTPS
Create a Filter called HTTPS that looks for CONNECT:
Step 5 - determine exactly what is required for Google maps
If you browse to https://www.google.co.uk/maps and open Developer tools in your browser, you can see what has been downloaded for the page. In Chrome it is on the Sources tab:
Create a Filter called Google maps with just the bits we need (click here for a list you can copy and paste). Note that we are explicitly specifying www.google.co.uk and www.google.com paths:
Step 6 - tie the lot together
Create three Access Rules referencing the various filters. Ensure they are in the right order:
- Allowed if Google domains and HTTPS - Allow access to Google for the HTTPS inspection/interception (see below)
- Allowed if Exam port and Google maps - Allows access to Google maps
- Blocked if Exam port - Blocks all other access (e.g. any other Google services)
If the Allowed if Google domains and HTTPS rule is not created, you will find that Google maps is still blocked. This will probably come as a surprise as it initially seems that the two other rules should do what is required. The reason is that when doing HTTPS inspection/interception there are two steps.
Firstly, the HTTPS is inspected to get the site domain name. At this point, you cannot see inside the HTTP request to get the URL path, for example /maps. Secondly, the HTTPS traffic is intercepted and decrypted to get the raw HTTP request that is tunneled within. You need to think about how the rules you set will affect each step (the two steps are shown separately in the logs which can be helpful). As the Allowed if Exam port and Google maps rule grants access based on the URL path, it can only take effect once the traffic has been decrypted and so will have no effect on the initial HTTPS inspection step. This means that if you do not have the Allowed if Google domains and HTTPS rule, the Blocked if Exam port rule is all that is left and the HTTPS request will be blocked before it can be intercepted. This can be seen in the log fragment below (403 being the HTTP Access Denied code):
TCP_DENIED/200 0 CONNECT www.google.co.uk:443
TAG_NONE/403 4080 GET https://www.google.co.uk/maps
Therefore we need to allow the first CONNECT request. When this is allowed, the logs show:
TAG_NONE/200 0 CONNECT www.google.co.uk:443
TCP_MISS/200 79515 GET https://www.google.co.uk/maps
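The two-step evaluation described above can be modelled in a few lines. This is an added example, not NetManager code or configuration: it assumes the first matching Access Rule wins, and the port number and filter contents are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: the page's real port number and filter lists are not shown.
EXAM_PORT = 3129
GOOGLE_DOMAINS = {"www.google.co.uk", "www.google.com"}
MAPS_PREFIXES = ("www.google.co.uk/maps", "www.google.com/maps")

@dataclass
class Request:
    port: int
    method: str                  # "CONNECT" at inspection, "GET" once decrypted
    host: str
    path: Optional[str] = None   # unknown until the tunnel is intercepted

# Filters from steps 1, 2, 4 and 5
def exam_port(r): return r.port == EXAM_PORT
def google_domains(r): return r.host in GOOGLE_DOMAINS
def https(r): return r.method == "CONNECT"
def google_maps(r):
    return r.path is not None and (r.host + r.path).startswith(MAPS_PREFIXES)

# Access Rules from step 6, in order
RULES = [
    ("allow", "Allowed if Google domains and HTTPS", [google_domains, https]),
    ("allow", "Allowed if Exam port and Google maps", [exam_port, google_maps]),
    ("block", "Blocked if Exam port", [exam_port]),
]

def decide(rules, req):
    """Assumed semantics: the first rule whose filters all match wins."""
    for action, name, filters in rules:
        if all(f(req) for f in filters):
            return action, name
    return "allow", "(no rule matched)"  # assumed default for non-exam traffic

def fetch(rules, port, host, path):
    """Evaluate the inspection step, then the decrypted request if it gets that far."""
    trace = [("CONNECT",) + decide(rules, Request(port, "CONNECT", host))]
    if trace[0][1] == "allow":
        trace.append(("GET",) + decide(rules, Request(port, "GET", host, path)))
    return trace

if __name__ == "__main__":
    for label, rules in (("all three rules", RULES), ("first rule missing", RULES[1:])):
        print(label, fetch(rules, EXAM_PORT, "www.google.co.uk", "/maps"))
    print("search", fetch(RULES, EXAM_PORT, "www.google.co.uk", "/search"))
```

With the first rule removed, the CONNECT falls through to Blocked if Exam port because the path-based rule cannot match before decryption; with all three rules, /search is still blocked at the decrypted step.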