Set up SSL inspection on Chrome devices
About SSL inspection on Chrome devices
Secure Sockets Layer (SSL) inspection is a security feature provided by third-party web filters. It allows you to set up your web filter to detect online threats. SSL inspection is only supported on Chrome browser version 30 and later.
Tip: Set up SSL inspection early during your deployment to ensure users can access websites without issues.
Before you start
To set up SSL inspection, keep in mind:
- You need an SSL certificate from your web filter provider. Check with your provider to get the certificate. DER-encoded certificates are not supported. Chrome devices only accept PEM format. For popular providers, see Configure Chrome devices with Zscaler and how to configure Chromebooks with Barracuda.
- Web traffic should be sent to your web filter via a proxy connection. Transparent, or in-line, proxies are not supported. If you have to use one, you can whitelist *.google.com to allow all google.com requests to go through without SSL interception. However, this is an unsupported configuration. For more information, see About transparent proxies.
- Server Name Indication (SNI) is not currently supported. However, there is an open request for this feature.
- Users can’t use multiple sign-in access if SSL inspection is enabled.
About transparent proxies
Transparent, or in-line, proxies determine a requested URL by looking at the SSL certificate. In most cases, the domain name associated with the SSL certificate (Common Name) matches the URL being requested. The proxy checks the Common Name against a URL whitelist to decide whether or not the traffic should be allowed. However, many large organizations purchase wildcard SSL certificates that don’t use an explicit URL for the Common Name. For example, Google uses *.google.com as the Common Name for many of the URLs that are required for Chrome devices to work.
The certificate information looks like this:
For the transparent proxy to work, it needs *.google.com to be added to the URL whitelist to allow all traffic to *.google.com. This configuration is not supported because of Chrome security features that are in place, and we recommend that you avoid the use of transparent proxies.