Quite confusing.

:) - what aspect is confusing?

The forum is not for external viewing, but I would like to use the google analytics software, which requires google to 'see' the forums. So ideally I would like to give external access to only the google machines, which I think would need an IP address or a domain name (you can selectively grant access to certain machines by adding rule to your .htaccess file (if you're serving from Apache))

is this on an Intranet?

unless your intranet is accessible by FQDN you can not... see googles answer:

How do I run Google Analytics on my intranet?
Note: This article is for the latest version of the tracking code. If you are using the older version, please read the following article.

In order for Google Analytics to populate reports for your intranet usage, your corporate network needs to reach the ga.js JavaScript at [google-analytics.com...]

If you can reach the above URL using your network's internet connection, you have satisfied the first requirement. Additionally, your intranet must be accessed using a fully qualified domain name (FQDN) such as [intranet.example.com....] The ga.js JavaScript will not work if your intranet is accessed using a non-FQDN (such as [intranet)....]

For Google Analytics, it's not Google seeing into your site. It's requests from your site going out to Google Analytics, any time a user triggers the Google Analytics javascript.

Does knowing that help make it easier to do?

You still can block everything from getting into your site. You just have to allow requests to go out from the site, to the outside world.

Hi people,

Thanks for the info about outgoing/incoming traffic and FQDNs. I think I may need to explain a bit further.

The actual software is located on an external server, which has a FQDN. However, since we only would like people from the intranet seeing the forum, we have set up the .htaccess file to only allow requests which have been forwarded from within our intranet (our intranet forwards requests to the external server if the request is for the forum).

This is not the best security measure, but the information on the forums is not too sensitive. So ideally what I would like to do on the external server is only allow requests if the request came from within our internal network (which I've already done), OR the request is from google analytics. The question is, how do you identify the google analytics machine?

Thanks again

Taras

Hi Taras,

Based on what you further explained, I'm inclined to agree with cgrantski. Google doesn't have to be able to access your site in order to report hits with GA; it's just that the visitor's browser needs to be able to reach google-analytics.com in order to send the visit information. As long as you can access [google-analytics.com...] from within your intranet, and the external server has a FQDN as you say it does, you should be fine.

Hi epistable,

The server has a FQDN, but google can't access it from that FQDN, so I'm inclined to think that the analytics won't work (as this is a requirement stated by google)..

Google shouldn't need to access the site at all - they take self-reported data from your users. If a user on your intranet is able to also send requests to the GA server, then stats will be recorded.

I assume their system is just set up to drop requests that don't appear to be from a FQDN.

I thought google did need access... at least once to verify the installation of the code right?

if google cant get to that server using its FQDN, then it will not be able to verify and start gathering data.

Update: I just read that Google uses first party cookies to track user requests. This means that Google must have access to the FQDN.

So does anyone know the IP(s) of the google analytic machines? :)

First party cookies don't require that GA servers have access (other comparable systems work fine). If GA had to communicate with your server on every page load, the whole system would likely be unworkably (and unnecessarily) slow. Does GA even need verification any more?

Google tracks pageviews even when I am editing and viewing a copy of a website using localhost on my laptop (or it did, until I added some PHP to the site to suppress the call to ga.js if the domain is not the live site). Note that the localhost tracking was for a site that had already been working for a while.

However, I have always believed that you'll initially need Google to see the code installed *somewhere* in order for it to start working - or maybe it is just the fact that calls are being made to ga.js that starts it working. Try it and see.

Hi g1smd,

I've done as you suggested and gone ahead and tried it.

Google isn't registering the software as installed, so if it doesn't end up working, that could be a reason.

I'll keep this thread updated with the progress (if any) :)

Please do. This is turning out to be a complicated issue.

When I ping google-analytics.com, I get the IP address 72.14.247.99. Perhaps others here can check for the same thing from their locations, to try to get an idea of the IP ranges.

ARIN says that 72.14.247.99 is part of the range

NetRange: 72.14.192.0 - 72.14.255.255
CIDR: 72.14.192.0/18

As I said, there could be other ranges associated with Google Analytics.

If you allow this range access to your site, you might solve your problem. You certainly wouldn't be allowing anybody or anything EXCEPT Google in there, if you did. (Be sure to set your robots.txt file to tell Google to not follow and especially not index!)

Also, have you asked Google itself about this, or checked the google analytics user forum that's on the Google domain?

[edited by: cgrantski at 2:48 pm (utc) on Dec. 10, 2008]

GA has a lot of IP addresses. The C-blocks in use by Google are listed in a thread here back in about July.

I'm sure it does. I cannot find that July entry.

I ran a quick test of this:

- Created a new analytics account
- Put the code on a local page only
- Viewed the page

This resulted in no visit logged, and an exclamation icon ("tracking unknown") within GA

I then put the code on an entirely different FQDN (not related to the one set up in analytics) and viewed the page. I know have a tick icon ("Receiving Data") within WMT, and one visit recorded.

So it seems you might be able to "hack" the status by putting the code on any old host temporarily.

[edited by: Receptional_Andy at 2:52 pm (utc) on Dec. 10, 2008]

If the GA data collection server doesn't have access for returning a cookie value to the intranet server, I wonder what will happen to the stats.

If the GA data collection server doesn't have access for returning a cookie value to the intranet server

But it doesn't return a cookie value - the visitor sends their cookie value to GA - hence a first party cookie. Google's servers can't access the cookie value since they are not on the same domain.

I then put the code on an entirely different FQDN (not related to the one set up in analytics) and viewed the page. I know have a tick icon ("Receiving Data") within WMT, and one visit recorded.

But the question is - if you now move it back to the "hidden" site does it keep reporting?

I haven't tested it, but I'd be very surprised if it didn't. Fundamentally, the way page-tagging web analytics systems work is by user supplied data (including the host serving the code). Your page request also results in a request to a script on the analytics server with a bunch of parameters like referrer, page requested, ID etc. It's one-way traffic.

The only way requests from multiple hosts would not be recorded was if GA deliberately dropped information based on the host supplied. I'm, not sure why they would include such functionality, and if they did, why they would do so based on the first host within a request.

From what I've seen, you have to create an advanced filter to even get GA to display the host in reports - instead the reports show as if everything was called from the host entered in the GA setup.

I used an alternate host in my test, because I wanted to simulate a request from a FQDN other than the one in the GA account - whether GA can access the host isn't the issue. I didn't see any Google activity in server logs as a result of the initial requests.

I always set up GA filters to "include only the named domain", and "include everything except the named domain", and "exclude people with a "staff" cookie", and then create a report that shows only views to the real site by people who are not staff. However, in another report I also get to see all page views at all other domains, and that shows people viewing searchengine caches and shows sites that have stolen content wholesale.