If you're having network-connectivity issues with G Suite Sync for Microsoft® Outlook® (GSSMO), here are some steps that can help you fix the problem.
Fix connectivity issuesStep 1: Open connectivity ports
- Open port 443 for Outlook.exe and ProfileEditor.exe. Next, reinstall GSSMO from its download page to ensure the installation files download correctly. Our synchronization tools communicate mostly on port 443 so this will resolve many network issues.
- Open port 80 for downloading the Certificate Revocation List (CRL).
- Open a Microsoft Windows® firewall port to allow Outlook to communicate with Google's servers. Consult your Microsoft documentation for instructions on how to do this.
You should allow traffic from the following URLs:
|Certificate Revocation Lists|
|https://www.google.com/m8/feeds/gal||Global Address Book|
Note: If you're using a Windows parental control system, you might need to add URLs to your allow list. For details, consult your Microsoft documentation.
Review how to find Google IP address ranges. Any one of these IP addresses can be used by GSSMO.
Authenticated proxies are not supported by GSSMO. To see if you have a proxy:
- Close all Microsoft Internet Explorer® windows.
- Open a new Internet Explorer window.
- Go to https://mail.google.com.
- If you're prompted for proxy authentication, contact your network administrator for help.
Google Cloud Support is unable to provide support for connection issues when a proxy is in place.
Additional network problems are logged in GSSMO's trace files. Use the Log Analyzer to quickly analyze your trace logs.
Troubleshoot common network issuesCheck the logs
If you have network errors (for example, a network timeout, connection refused, etc.) or SSL/TLS issues (for example, a secure connection failure), the logs will show the IP address the tool tried to connect to. In the case of a secure connection failure, the logs will show the reason (for example, certificate name mismatch, certificate expired, CRL check failed, etc.) and the certificate details (for example, a Google certificate or a HTTPS-inspecting proxy). This should significantly reduce the need to get network captures for troubleshooting. This applies to both the main logs (Trace-*.log) and the authorization logs (in the "Identity" folder).
Authorization log example
[2022-09-21T03:59:46:ERROR:windows_http.cc(331)] TLS connection failure. See details below. [Status: 0x00010000. Status Info: 0x00000001]
[2022-09-21T03:59:46:ERROR:windows_http.cc(340)] Certificate details:
Valid from: 2017-09-13 17:23:55 UTC
Valid until: 2017-12-06 17:10:00 UTC
Google Internet Authority G2
[2022-09-21T03:59:46:ERROR:windows_http.cc(282)] WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED: Certification revocation checking has been enabled, but the revocation check failed to verify whether a certificate has been revoked. The server used to check for revocation might be unreachable.
[2022-09-21T03:59:46:ERROR:windows_http.cc(197)] Error from API WinHttpSendRequest with WinHTTP proxy. Will try direct (without proxy). Code: 0x00002f8f
[2022-09-21T03:59:46:ERROR:windows_http.cc(107)] Network connection destination details: 220.127.116.11:443 (sfo07s13-in-f170.1e100.net)
In this case, the year in the machine's current date was changed to 2022, making the certificate appear out of date. You can see the current date at the start of each log line, and the "Valid from" and "Valid until" dates of the certificate don't match the current date. The error flag WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED indicates the certificate revocation check failed.
You can also see the destination IP address and the resolved hostname after "Network connection destination details" on the last log line. It's a 1e100.net address, meaning it's Google.
Trace log example
Note: This log example is from GSMMO. Similar trace log entries will also appear in GSMME, GSPS, or GSSMO when these products experience network/TLS issues.
2017-09-21T04:10:04.356-03:00 1a20 E:Network ClientMigration!WinHttp::HandleCallback @ 2025 ()> Secure connection failure. Status: 0x00010000. Info 0x00000009
2017-09-21T04:10:04.356-03:00 1a20 E:Network ClientMigration!WinHttp::HandleCallback @ 2030 ()> Failure details:
WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED: Certification revocation checking has been enabled, but the revocation check failed to verify whether a certificate has been revoked. The server used to check for revocation might be unreachable.
WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA: The function is unfamiliar with the Certificate Authority that generated the server's certificate.
Valid from: 2016-09-20T04:08:45.000Z
Valid until: 2022-09-20T04:08:45.000Z
Created by http://www.fiddler2.com
Created by http://www.fiddler2.com
2017-09-21T04:10:04.356-03:00 1a20 E:Network ClientMigration!WinHttp::HandleCallback @ 2071 ()> Error result 5, hr = 0x80072f8f. Setting event 0000000000001638.
2017-09-21T04:10:04.356-03:00 1a20 E:Network ClientMigration!WinHttp::HandleCallback @ 2076 ()> Network connection destination details: 127.0.0.1:8888 (COMPUTERNAME)
In this case, Fiddler was installed and set to do HTTPS decryption (meaning it uses its own certificate), but its certificate was deleted from the Windows trusted certificate list, so it's untrusted. Note that because Fiddler is a proxy, we see that it was connecting to 127.0.0.1 and not to Google. You can see the error flags include WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA, which means that the Certificate Authority (CA) isn't trusted by the system. Also notice this isn't a Google certificate as it wasn't issued by Google.
Note: Older versions of GSSMO might not include the advanced logging features discussed here. We recommend you upgrade to the latest version. For details, go to Step 1.
Important: Our support team is happy to provide these guidelines for setting up your network to work with GSSMO. However, we can't assist with your network configuration. For help with that, contact your local network administrator.