SSL Inspector/Captive Portal Ignore Rules for Chromebooks
When using Chromebooks on a network with SSL Inspector configured to "Inspect All Traffic" or "Inspect Google Traffic", you will need Ignore Rules to allow the Chromebooks to authenticate.
As of August 4th, 2020, you will need rules for the following hosts:
*1e100.net | *google-analytics.com |
accounts.gstatic.com | *googletagmanager.com |
accounts.youtube.com | *googleusercontent.com |
alt*.gstatic.com | m.google.com (see below) |
chromeos-ca.gstatic.com | omahaproxy.appspot.com |
clients*.google.com | pack.google.com |
cloudsearch.google.com | policies.google.com |
commondatastorage.googleapis.com | safebrowsing*.google.com |
cros-omahaproxy.appspot.com | ssl.gstatic.com |
dl.google.com | storage.googleapis.com |
dl-ssl.google.com | tools.google.com |
*gvt*.com | www.googleapis.com |
gweb-gettingstartedguide.appspot.com | www.gstatic.com |
URLs in italics are new as of August 2020. They have been reported by other NGFW users but not obtained directly from Google.
m.google.com is just the mobile-friendly version of www.google.com. This entry may be optional; using it is likely to render your NGFW unable to inspect Google search traffic (for purposes of enforcing SafeSearch, &c.).
PLEASE NOTE: Google is known to change these addresses without warning.
To add the rules, go to SSL Inspector Settings -> Rules -> Add Rule.
The rule condition should be "SSL: SNI Hostname" is: "<host>", and the Action should be "Ignore".
For example:
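As an added illustration (not part of the original article and not the NGFW's own code), the following sketch checks which observed SNI hostnames a set of these Ignore Rules would exempt from inspection and which would still be inspected. It assumes the rule value is matched as a case-insensitive shell-style glob against the whole hostname with the first matching rule winning; the function names and the sample hostnames are constructed for the example.

```python
from fnmatch import fnmatchcase

# Ignore-rule host patterns copied from the article's list (subset).
IGNORE_PATTERNS = [
    "*1e100.net", "accounts.gstatic.com", "alt*.gstatic.com",
    "clients*.google.com", "*gvt*.com", "m.google.com",
    "safebrowsing*.google.com", "www.googleapis.com",
]

def matching_rule(sni, patterns=IGNORE_PATTERNS):
    """Return the first pattern that matches the SNI hostname, else None."""
    host = sni.strip().rstrip(".").lower()
    for pat in patterns:
        # Assumption: glob semantics where '*' matches any run of characters.
        if fnmatchcase(host, pat.lower()):
            return pat
    return None

def partition(sni_names, patterns=IGNORE_PATTERNS):
    """Split observed SNI names into ({pattern: [hosts]}, [inspected hosts])."""
    ignored, inspected = {}, []
    for sni in sni_names:
        rule = matching_rule(sni, patterns)
        if rule is None:
            inspected.append(sni)
        else:
            ignored.setdefault(rule, []).append(sni)
    return ignored, inspected

def loosely_anchored(patterns=IGNORE_PATTERNS):
    """Patterns starting with '*' but not '*.': they also match any name that
    merely ends in the same text, so they exempt more than subdomains."""
    return [p for p in patterns if p.startswith("*") and not p.startswith("*.")]

# Constructed SNI names, as they might appear in a session log.
SAMPLE_SNI = [
    "accounts.gstatic.com", "alt3.gstatic.com", "clients4.google.com",
    "www.google.com", "mail.google.com", "Safebrowsing.Google.com",
    "r1.sn-example.gvt1.com", "host-1e100.net", "www.example.org",
]

if __name__ == "__main__":
    ignored, inspected = partition(SAMPLE_SNI)
    for rule, hosts in ignored.items():
        print(f"ignore  {rule:28} {hosts}")
    print("inspect", inspected)
    print("review ", loosely_anchored())
```

Running it against SNI names exported from your own session logs shows which rules are actually in use and which wildcard rules deserve a closer look before they are left in place.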
5 comments
Did you find it unnecessary to include the dozen or so other URLs Google has as part of their white list in the instructions for SSL in your own white list?
I broke down and added all these sites to my allow list.
I will test further if time allows but we are currently in a testing phase of some new hardware and we are unsure if this solution will best fit us.
No, Adam. We did our own testing and found that we could get it functioning with only this short list. Adding more may be required going forward but not at the time of testing.
This list is almost 2 years old. Is it still accurate?
Darrell,
Yes, this article is still accurate. It is a living document that support updates as Google changes URLs.