Search
Clear search
Close search
Google apps
Main menu

Set up SSL inspection on Chrome devices

1) Set up a hostname whitelist

For Chrome devices to work on a domain with SSL inspection, some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. Some device-level traffic doesn’t use the SSL certificate to protect users against certain kinds of security risks.

To ensure that Chrome devices work with SSL inspection, you need to whitelist the following hostnames on your proxy server. For details on how to whitelist hostnames, check with your web filter provider.

Updates

  • July 13, 2017: Added accounts.google.[country].
  • March 1, 2017: Added hostname to whitelist for Chrome devices using Android apps
  • January 19, 2017: Removed cache.pack.google.com.
  • September 28, 2016: Added mtalk.google.com.
  • December 2, 2015: Added hostnames to whitelist for single-app kiosk devices.
  • August 5, 2015: Added accounts.gstatic.com.

Hostname whitelist for all Chrome devices

accounts.google.com
accounts.google.[country]1
accounts.gstatic.com
accounts.youtube.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
commondatastorage.googleapis.com
cros-omahaproxy.appspot.com
dl.google.com
dl-ssl.google.com
gweb-gettingstartedguide.appspot.com
m.google.com
omahaproxy.appspot.com
pack.google.com
safebrowsing-cache.google.com
safebrowsing.google.com
ssl.gstatic.com
storage.googleapis.com
tools.google.com
www.googleapis.com
www.gstatic.com

1 For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk.

Additional hosts to whitelist

If you're using a Chrome device as a single-app kiosk or the Google Play Store on a Chrome device, you need to whitelist the additional hostnames below for SSL inspection to work correctly.

Hostname whitelist for single-app kiosk devices

If you use single-app kiosk devices, whitelist the following hostnames in addition to the hostnames listed above:

chrome.google.com
clients2.googleusercontent.com
lh3.ggpht.com
lh4.ggpht.com
lh5.ggpht.com
lh6.ggpht.com
mtalk.google.com

Hostname whitelist for Chrome devices using Android apps (Google Play Store)

If you use Android apps on Chrome devices (Google Play Store), whitelist the following hostname in addition to the hostnames listed above under Hostname whitelist for all Chrome devices.

connectivitycheck.android.com

Was this article helpful?
How can we improve it?