Set up TLS (or SSL) inspection on Chrome devices

Set up a hostname allowlist

For ChromeOS and Chrome Enterprise Core devices to work on a domain with TLS inspection (also known as SSL inspection), some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. Some device-level traffic doesn’t use the TLS or SSL certificate to protect users against certain kinds of security risks.

Updates to the hostname allowlist

  • Oct 29, 2024: Added additional hostname, aratea-pa.googleapis.com, to allowlist for all devices.

Expand the list to view previous updates.

Previous updates

  • August 20, 2024: Added additional hostnames, www.gstatic.com and ssl.gstatic.com, to allowlist for ChromeOS sign-in.
  • May 10, 2024: Added additional hostname, edgedl.me.gvt1.com, to allowlist for all devices. Also provided further details for these hostnames:

    accounts.google.com
    accounts.google.[country]
    chromeos-ca.gstatic.com
    clients3.google.com
    connectivitycheck.gstatic.com
    dl.google.com
    m.google.com
    tools.google.comaccounts.google.com

  • March 12, 2024: Added additional hostname, alkalichromeosflexhwis2-pa.googleapis.com, to allowlist for all devices
  • August 17, 2023: Added additional hostname, youtubeeducation.com, to allowlist for all devices
  • January 16, 2023: Added additional hostname to allowlist for Feedback App search functionality
  • July 20, 2022: Added additional hostnames to allowlist for Safe Browsing endpoints
  • February 1, 2022: Added additional hostnames to allowlist for all devices
  • July 26, 2021: Added additional hostnames to allowlist for devices using Chrome extensions and apps (Chrome Web Store)
  • April 21, 2021: Added additional hostnames to allowlist for all devices
  • February 20, 2021: Added additional hostnames to allowlist for all devices
  • August 11, 2020: Added additional hostname to allowlist for all devices
  • March 3, 2020: Added additional hostnames to allowlist for Google Play
  • December 16, 2019: Added cloudsearch.googleapis.com to return Google Drive results when searching from the Chrome address bar
  • June 25, 2019: Changed *gvt1.com to *.gvt1.com and added *.1e100.net
  • September 25, 2018: Added chromeos-ca.gstatic.com
  • July 20, 2018: Added *gvt1.com
  • March 15, 2018: Added policies.google.com
  • December 22, 2017: Added alt*.gstatic.com
  • July 13, 2017: Added accounts.google.[country]
  • March 1, 2017: Added hostname to allowlist for devices using Android apps
  • January 19, 2017: Removed cache.pack.google.com
  • September 28, 2016: Added mtalk.google.com
  • December 2, 2015: Added hostnames to allowlist for single-app kiosk devices
  • August 5, 2015: Added accounts.gstatic.coms

Hostname allowlist for all ChromeOS and Chrome Enterprise Core devices

To ensure that devices work with TLS inspection or networks restricting external traffic, you need to allow the following hostnames on your proxy server. For details on how to allow hostnames, check with your network administrator.

Open all  |  Close all

Auto-updates
Google endpoints
Description
tools.google.com Omaha URL that returns the update configuration (including a list of payload URLs).
edgedl.me.gvt1.com

URLs to download update payloads.

dl.google.com
Enrollment
Google endpoints
Description
m.google.com The device management server used for enrollment and enterprise policy fetches.
clients3.google.com Used to sync the system clock. This is required to generate a key, based on the current time, used by the device management server backend.
www.googleapis.com OAuth scope for server management. The full path is www.googleapis.com/auth/chromeosdevicemanagement, but filtering by path is not supported.
Google endpoints
Description
accounts.google.com
accounts.google.[country]
Google sign-in page.

For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk.

www.google.com OAuth2 scope for login. The full path is www.google.com/accounts/OAuthLogin, but filtering by path is not supported.
www.googleapis.com OAuth2 scope for access for Google APIs.

www.gstatic.com
ssl.gstatic.com

Required for downloading sign-in page contents such as Javascript and CSS assets.
Zero-touch Enrollment/Forced re-enrollment
Google endpoints
Description
chromeos-ca.gstatic.com Google Attestation Certificate Authority (ACA) server. Used to verify the identity of the device and retrieve enrollment certificates.
clients3.google.com Used to sync the system clock. This is required to verify the certificate and determine enrollment status.
m.google.com The device management server used for enrollment and enterprise policy fetches.
www.gstatic.com Used to check the enrollment status.
Captive portal detector

The captive portal detector on ChromeOS uses two probes: one HTTP and one HTTPS probe. The main URLs are in the left column of this table. If those URLs are blocked, then the portal detector will fall back to the alternative URLs in the right column of this table. It is sufficient to allow one HTTP and one HTTPS URL to bypass the firewall, either main or alternative. The only difference is that falling back to an alternative URL is slower.

Google endpoints
Description
http://connectivitycheck.gstatic.com ChromeOS default HTTP probe URL.
Alternatives:
  • http://www.play.googleapis.com/generate_204
  • http://www.gstatic.com/generate_204
  • http://safebrowsing.google.com/generate_204
  • http://www.googleapis.com/generate_204
https://www.google.com ChromeOS default HTTPS probe URL.
Alternatives:
  • https://www.gstatic.com/generate_204
  • https://accounts.google.com/generate_204
  • https://www.googleapis.com/generate_204
http://www.gstatic.com Chrome browser captive portal check. Note the HTTP protocol.
Other recommended hostname allowlists

*.1e100.net1
accounts.gstatic.com
accounts.youtube.com
alkalichromeosflexhwis2-pa.googleapis.com2
alt*.gstatic.com3
aratea-pa.googleapis.com
chromeosquirksserver-pa.googleapis.com
clients1.google.com
clients2.google.com
clients4.google.com
clients2.googleusercontent.com
cloudsearch.googleapis.com
commondatastorage.googleapis.com
cros-omahaproxy.appspot.com
dl-ssl.google.com
enterprise-safebrowsing.googleapis.com
firebaseperusertopics-pa.googleapis.com
*.googleusercontent.com
*.gvt1.com
gweb-gettingstartedguide.appspot.com
mtalk.google.com
omahaproxy.appspot.com
pack.google.com
policies.google.com
printerconfigurations.googleusercontent.com
safebrowsing-cache.google.com
safebrowsing.google.com
safebrowsing.googleapis.com
sb-ssl.google.com
scone-pa.clients6.google.com
ssl.gstatic.com
storage.googleapis.com
www.googleapis.com

1 For more information, see What is 1e100.net?

2 For ChromeOS Flex devices only.

3 If you're running ChromeOS version 62 and you're seeing the error "Network not available," you may need to allow the host alt*.gstatic.com through your firewall on port 80. If this doesn't resolve the issue, see this full list of hosts to allow.

Additional hosts to allow

You need to allow the additional hostnames for TLS inspection to work correctly if you're using:

  • Chrome extensions or apps from the Chrome Web Store on devices, including single-app kiosk devices.
  • Android apps from the Google Play Store on devices

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices using Chrome extensions and apps (Chrome Web Store)

If you use Chrome extensions and apps on devices (Chrome Web Store), including single-app kiosk devices, allow the following hostnames in addition to the hostnames listed above:

chrome.google.com
clients2.googleusercontent.com
lh3.ggpht.com
lh4.ggpht.com
lh5.ggpht.com
lh6.ggpht.com
update.googleapis.com
update.googleapis.com/service/update2/json

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices using Android apps (Google Play Store)

If you use Android apps on devices (Google Play Store), allow the following hostnames in addition to the hostnames listed above under Hostname allowlist for all ChromeOS and Chrome Enterprise Core devices.

connectivitycheck.android.com
play.google.com
android.com
google-analytics.com
googleusercontent.com
*gstatic.com
*.ggpht.com
android.clients.google.com
*.gvt2.com
*.gvt3.com
*.googleapis.com
gcm-http.googleapis.com
gcm-xmpp.googleapis.com
android.googleapis.com
fcm.googleapis.com
fcm-xmpp.googleapis.com
pki.google.com
clients5.google.com
clients6.google.com
connectivitycheck.gstatic.com
www.google.com

Hostname allowlist for ChromeOS and Chrome Enterprise Core devices with Chrome Education Upgrade

If you use YouTube Player for Education in Google Classroom, allow the following hostname in addition to the hostnames listed above under Hostname allowlist for all ChromeOS and Chrome Enterprise Core devices. For more details, see The next chapter for Learning on YouTube.

youtubeeducation.com

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
16140917056498654750