Short answer:
To block access to certain Google accounts and services while allowing access to their Google Apps accounts , a web proxy server that can perform SSL interception and insert HTTP headers is needed.
As an administrator, you might want to prevent users from accessing Google services using different accounts you have given them . For example , you may not want to use their personal accounts to Gmail or Google Apps account from another domain .
A very common to block access to Web services is to use a proxy server to filter web traffic to specific URLs. This method will not work in this case because legitimate traffic from Google Apps account a user is directed to the same URL that you want to block traffic .
To allow users to only access Google services through specific Google accounts on your domain , the web proxy server must add a header to all traffic directed to google.es . This header identifies domains whose users can access Google services . Since most traffic is encrypted Google Apps , the proxy server must also be able to perform SSL interception . See below for a list of proxy servers that support SSL interception and insertion of HTTP headers.
To prevent users from logging on to Google services through Google accounts other than those you have explicitly specified :
Directs all outbound traffic to google.es through web proxy servers.
Enables SSL interception in the proxy server.
Since interceptarás SSL requests , you must configure each client device to trust your SSL proxy by implementing the internal root certification authority used by the proxy and marking it as trusted.
Each request for google.es :
a. Intercepts the request .
b . Adds HTTP " X - GoogApps - Allowed- Domains" header whose value is a comma-separated list of allowed domain names list. Includes domain registered in Google Apps and child domains you've added .
For example, to allow users to log on using accounts that end in "@ altostrat.com " and " tenorstrat.com " creates a header named " X - GoogApps - Allowed- Domains" and this value :
altostrat.com , tenorstrat.com
You may also like to create a proxy policy to prevent users insert their own headers .