Set up a G Suite host name whitelist

When you are setting up G Suite, you need to whitelist some host names so that the G Suite APIs work correctly.

Important:

  • This information is subject to change without notice. 
  • For product-specific information about APIs, refer to the help center content for that product.

Step 1: Open connectivity ports

Open the following ports:

  • TCP port 443 (HTTPS): access the main URLs for authentication and API calls
  • TCP port 80 (HTTP): allow CRL and OCSP checks (Step 4 below)

Notes:

  • Depending on your setup and the application, you might need to enable additional rules.
  • If you're using a Microsoft® Windows® client, you might need to enable these rules on a per-application basis. Refer to your Microsoft documentation for details.

Step 2: Whitelist the URLs

Top-level URLs

Whitelist the following URLs for G Suite APIs:

  • Authentication (for more information, see Using OAuth 2.0 for Web Server Applications):
      https://accounts.google.com/o/oauth2
      https://www.googleapis.com/oauth2
      https://oauth2.googleapis.com/token
  • Main API entry point: https://*.googleapis.com (where * is any string not containing a period)
  • Email, in addition to the main API entry point: https://mail.google.com/mail
  • Contacts and Global Address List (GAL): https://www.google.com/m8
  • G Suite Admin Settings API: https://apps-apis.google.com/a
  • Accounts and sign-ins:
      https://www.google.com/accounts/ClientLogin
      https://www.google.com/accounts/

Note: You might also want to whitelist https://www.googleapis.com/generate_204, which can be used to check for an HTTP 204 status code.

Optional URLs for additional control

For additional control, you can whitelist the following URLs:

  • Additional authentication URLs (you might not need all of these, depending on your setup):
      https://accounts.google.com/o/oauth2/auth
      https://accounts.google.com/o/oauth2/token
      https://accounts.google.com/o/oauth2/v2/auth
      https://oauth2.googleapis.com/token
      https://www.googleapis.com/oauth2/v3/token
      https://www.googleapis.com/oauth2/v4/token
      https://www.googleapis.com/oauth2/v2/tokeninfo
      https://www.googleapis.com/oauth2/v3/tokeninfo
      https://accounts.google.com/o/oauth2/revoke
      https://accounts.youtube.com
      https://www.google.com
      https://fonts.gstatic.com
      https://ssl.gstatic.com
      https://www.gstatic.com
  • Google Calendar API: https://www.googleapis.com/calendar
  • Google Contacts API: https://www.google.com/m8/feeds
  • Global Address List (GAL), G Suite Admin SDK > Domain Shared Contacts API: https://www.google.com/m8/feeds/gal
  • Gmail > Gmail API:
      https://mail.google.com/mail
      https://www.googleapis.com/gmail
      https://www.googleapis.com/upload/gmail
  • Google Drive APIs:
      https://www.googleapis.com/drive
      https://www.googleapis.com/upload/drive
  • Tasks API: https://www.googleapis.com/tasks
  • G Suite Admin SDK > Groups Migration API: https://www.googleapis.com/upload/groups
  • G Suite Admin SDK > Data Transfer API: https://www.googleapis.com/admin/datatransfer
  • G Suite Admin SDK > Directory API: https://www.googleapis.com/admin/directory
  • G Suite Admin SDK > Reports API: https://www.googleapis.com/admin/reports
  • Google Drive Activity API: https://www.googleapis.com/appsactivity
  • Google Classroom API: https://classroom.googleapis.com
  • G Suite Admin SDK > Groups Settings API: https://www.googleapis.com/groups
  • G Suite Admin SDK > Enterprise License Manager API: https://www.googleapis.com/apps/licensing
  • People API: https://people.googleapis.com
  • Google+ API: https://www.googleapis.com/plus
  • Google Sheets API: https://sheets.googleapis.com
  • Google Slides API: https://slides.googleapis.com

Step 3: Review Google IP address ranges

Review how to find Google IP address ranges. Any of the Google URLs specified in step 2 can resolve to any of the Google IP addresses.

You can also test the connection from the G Suite Toolbox.

Step 4: Allow checks

CRL check

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. These certificates should not be trusted.

CRLs are usually served from an HTTP (not HTTPS) URL on the CA's website. The CRL distribution points are listed in the certificate's X509v3 extensions.

Here are the current CRL distribution points that are in use for Google services:

  • http://crl.geotrust.com/crls/secureca.crl
  • http://crl.pki.goog/GTSGIAG3.crl
  • http://crl.pki.goog/gsr2/gsr2.crl
  • http://g.symcb.com/crls/gtglobal.crl
  • http://pki.google.com/GIAG2.crl
  • http://pki.goog/gsr2/GTSGIAG3.crt

For details, see Google Internet Authority G2.

OCSP check

The Online Certificate Status Protocol (OCSP) is an internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Here are the current OCSP distribution points that are in use for Google services:

  • http://clients1.google.com/ocsp
  • http://g.symcd.com
  • http://ocsp.pki.goog/GTSGIAG3
  • http://ocsp.pki.goog/gsr2
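The rules in Steps 1, 2 and 4 are easiest to get right when they are expressed as one policy check that a proxy or egress filter can apply. The following Python example is added here and is not part of the article: it implements that check for a constructed subset of the article's lists (HTTPS API prefixes on port 443, HTTP-only CRL/OCSP endpoints on port 80) and the article's wildcard rule that * matches any string not containing a period.

```python
"""Allow-list check for the G Suite host names described above (added example)."""
import re
from urllib.parse import urlsplit

# Constructed subset of the article's tables; extend from the lists above.
# HTTPS prefixes are reachable on TCP 443, HTTP prefixes only on TCP 80 (Step 1).
HTTPS_PREFIXES = [
    "https://accounts.google.com/o/oauth2",
    "https://www.googleapis.com/oauth2",
    "https://oauth2.googleapis.com/token",
    "https://*.googleapis.com",          # * = any string without a period
    "https://mail.google.com/mail",
    "https://www.google.com/m8",
    "https://apps-apis.google.com/a",
    "https://www.google.com/accounts/",
]
HTTP_PREFIXES = [
    "http://crl.pki.goog/GTSGIAG3.crl",
    "http://crl.pki.goog/gsr2/gsr2.crl",
    "http://ocsp.pki.goog/GTSGIAG3",
    "http://ocsp.pki.goog/gsr2",
    "http://clients1.google.com/ocsp",
]

def _host_pattern(host):
    # Anchored regex: "*" matches exactly one label, so a.b.googleapis.com
    # and www.googleapis.com.evil.example are both rejected.
    return re.compile("^" + re.escape(host).replace(r"\*", r"[^.]+") + "$")

def _matches(url, prefix):
    """True if url has the prefix's scheme, host pattern, default port and path prefix."""
    u, p = urlsplit(url), urlsplit(prefix)
    if u.scheme != p.scheme:
        return False
    if not _host_pattern(p.hostname).match(u.hostname or ""):
        return False
    # Only the default port for each scheme is opened in Step 1.
    if u.port not in (None, 443 if u.scheme == "https" else 80):
        return False
    # Path-prefix match on whole segments, so /mailx does not match /mail.
    base = p.path.rstrip("/")
    return u.path == p.path or u.path.startswith(base + "/")

def is_allowed(url):
    """Return True if the request URL is covered by the allow-list above."""
    scheme = urlsplit(url).scheme
    prefixes = {"https": HTTPS_PREFIXES, "http": HTTP_PREFIXES}.get(scheme, [])
    return any(_matches(url, p) for p in prefixes)
```

An OCSP GET request such as http://ocsp.pki.goog/GTSGIAG3/<encoded request> passes on port 80, while the same host over any other port or an API URL over plain HTTP is rejected.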
