Set up TLS (or SSL) inspection on Chrome devices

About TLS (or SSL) inspection on ChromeOS devices

Transport Layer Security (TLS) inspection (also known as SSL inspection) is a security feature provided by third-party web filters. It allows you to set up your web filter to detect online threats.

Tip: Set up TLS inspection early during your deployment to ensure users can access websites without issues.

Before you start

To set up TLS inspection, keep in mind:

  • You need an TLS or SSL certificate from your web filter provider. Check with your provider to get the certificate. DER-encoded certificates are not supported. ChromeOS devices only accept PEM format. For popular providers, see Configure ChromeOS devices with Zscaler and how to configure Chromebooks with Barracuda.
  • Web traffic should be sent to your web filter via a proxy connection. Transparent, or in-line, proxies are not supported. If you have to use one, you can allowlist *.google.com to allow all google.com requests to go through without TLS interception. However, this is an unsupported configuration. For more information, see About transparent proxies.
  • Server Name Indication (SNI) is not currently supported. However, there is an open request for this feature.
  • Users can’t use multiple sign-in access if TLS inspection is enabled.

Transparent proxies

About transparent proxies

Transparent, or in-line, proxies determine a requested URL by looking at the TLS certificate (or SSL certificate). In most cases, the domain name associated with the TLS certificate (Common Name) matches the URL being requested. The proxy checks the Common Name against a URL allowlist to decide whether or not the traffic should be allowed. However, many large organizations purchase wildcard TLS certificates that don’t use an explicit URL for the Common Name. For example, Google uses *.google.com as the Common Name for many of the URLs that are required for ChromeOS devices to work.

The certificate information looks like this:

Certificate viewer

For the transparent proxy to work, it needs *.google.com to be added to the URL allowlist to allow all traffic to *.google.com. This configuration is not supported because of Chrome security features that are in place, and we recommend that you avoid the use of transparent proxies.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu