Set up TLS (or SSL) inspection on Chrome devices
About TLS (or SSL) inspection on Chrome devices
Transport Layer Security (TLS) inspection (also known as SSL inspection) is a security feature provided by third-party web filters. It allows you to set up your web filter to detect online threats.
Tip: Set up TLS inspection early during your deployment to ensure users can access websites without issues.
Before you start
To set up TLS inspection, keep in mind:
- You need an TLS or SSL certificate from your web filter provider. Check with your provider to get the certificate. DER-encoded certificates are not supported. Chrome devices only accept PEM format. For popular providers, see Configure Chrome devices with Zscaler and how to configure Chromebooks with Barracuda.
- Web traffic should be sent to your web filter via a proxy connection. Transparent, or in-line, proxies are not supported. If you have to use one, you can whitelist *.google.com to allow all google.com requests to go through without TLS interception. However, this is an unsupported configuration. For more information, see About transparent proxies.
- Server Name Indication (SNI) is not currently supported. However, there is an open request for this feature.
- Users can’t use multiple sign-in access if TLS inspection is enabled.
Transparent proxiesAbout transparent proxies
Transparent, or in-line, proxies determine a requested URL by looking at the TLS certificate (or SSL certificate). In most cases, the domain name associated with the TLS certificate (Common Name) matches the URL being requested. The proxy checks the Common Name against a URL whitelist to decide whether or not the traffic should be allowed. However, many large organizations purchase wildcard TLS certificates that don’t use an explicit URL for the Common Name. For example, Google uses *.google.com as the Common Name for many of the URLs that are required for Chrome devices to work.
The certificate information looks like this:
For the transparent proxy to work, it needs *.google.com to be added to the URL whitelist to allow all traffic to *.google.com. This configuration is not supported because of Chrome security features that are in place, and we recommend that you avoid the use of transparent proxies.