Set up TLS (or SSL) inspection on Chrome devices

1) Set up a hostname allowlist

For Chrome devices to work on a domain with TLS inspection (also known as SSL inspection), some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. Some device-level traffic doesn’t use the TLS or SSL certificate to protect users against certain kinds of security risks.

To ensure that Chrome devices work with TLS inspection or networks restricting external traffic, you need to allow the following hostnames on your proxy server. For details on how to allow hostnames, check with your web filter provider.

Updates

  • December 16, 2019: Added cloudsearch.googleapis.com to return Google Drive results when searching from the Chrome address bar
  • June 25, 2019: Changed *gvt1.com to *.gvt1.com and added *.1e100.net
  • September 25, 2018: Added chromeos-ca.gstatic.com 
  • July 20, 2018: Added *gvt1.com
  • March 15, 2018: Added policies.google.com
  • December 22, 2017: Added alt*.gstatic.com
  • July 13, 2017: Added accounts.google.[country]
  • March 1, 2017: Added hostname to allowlist for Chrome devices using Android apps
  • January 19, 2017: Removed cache.pack.google.com
  • September 28, 2016: Added mtalk.google.com.
  • December 2, 2015: Added hostnames to allowlist for single-app kiosk devices
  • August 5, 2015: Added accounts.gstatic.com
  • March 3, 2020: Added additional hostnames to allowlist for Google Play
  • August 11, 2020: Added additional hostname to allowlist for all Chrome devices

Hostname allowlist for all Chrome devices

*.1e100.net1
accounts.google.com
accounts.google.[country]2
accounts.gstatic.com
accounts.youtube.com
alt*.gstatic.com3
chromeos-ca.gstatic.com
clients1.google.com
clients2.google.com
clients3.google.com
clients4.google.com
clients2.googleusercontent.com
cloudsearch.googleapis.com
commondatastorage.googleapis.com
cros-omahaproxy.appspot.com
dl.google.com
dl-ssl.google.com
*.gvt1.com
gweb-gettingstartedguide.appspot.com
m.google.com
omahaproxy.appspot.com
pack.google.com
policies.google.com
safebrowsing-cache.google.com
safebrowsing.google.com
ssl.gstatic.com
storage.googleapis.com
tools.google.com
www.googleapis.com
www.gstatic.com

​1 For more information, see What is 1e100.net?

2 For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk.

3 If you're running Chrome OS version 62 and you're seeing the error "Network not available," you may need to allow the host alt*.gstatic.com through your firewall on port 80. If this doesn't resolve the issue, see this full list of hosts to allow.

Additional hosts to allow

You need to allow the additional hostnames for TLS inspection to work correctly if you're using:

  • Chrome extensions or apps from the Chrome Web Store on Chrome devices, including single-app kiosk devices.
  • Android apps from the Google Play Store on Chrome devices

Hostname allowlist for Chrome devices using Chrome extensions and apps (Chrome Web Store)

If you use Chrome extensions and apps on Chrome devices (Chrome Web Store), including single-app kiosk devices, allow the following hostnames in addition to the hostnames listed above:

chrome.google.com
clients2.googleusercontent.com
lh3.ggpht.com
lh4.ggpht.com
lh5.ggpht.com
lh6.ggpht.com
mtalk.google.com

Hostname allowlist for Chrome devices using Android apps (Google Play Store)

If you use Android apps on Chrome devices (Google Play Store), allow the following hostname in addition to the hostnames listed above under Hostname allowlist for all Chrome devices.

connectivitycheck.android.com
play.google.com
android.com
google-analytics.com
googleusercontent.com
*gstatic.com 
*.ggpht.com
android.clients.google.com
*.gvt2.com
*.gvt3.com
*.googleapis.com
gcm-http.googleapis.com
gcm-xmpp.googleapis.com
android.googleapis.com
fcm.googleapis.com
fcm-xmpp.googleapis.com
pki.google.com
clients5.google.com
clients6.google.com
connectivitycheck.gstatic.com
www.google.com
 

Was this helpful?
How can we improve it?