Set up TLS (or SSL) inspection on Chrome devices
1) Set up a hostname whitelist
For Chrome devices to work on a domain with TLS inspection (also known as SSL inspection), some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. To protect users against certain kinds of security risks, some device-level traffic doesn't use the imported TLS or SSL certificate.
To ensure that Chrome devices work with TLS inspection, you need to whitelist the following hostnames on your proxy server. For details on how to whitelist hostnames, check with your web filter provider.
- December 16, 2019: Added cloudsearch.googleapis.com to return Google Drive results when searching from the Chrome address bar
- June 25, 2019: Changed *gvt1.com to *.gvt1.com and added *.1e100.net
- September 25, 2018: Added chromeos-ca.gstatic.com
- July 20, 2018: Added *gvt1.com
- March 15, 2018: Added policies.google.com
- December 22, 2017: Added alt*.gstatic.com
- July 13, 2017: Added accounts.google.[country]
- March 1, 2017: Added hostname to whitelist for Chrome devices using Android apps
- January 19, 2017: Removed cache.pack.google.com
- September 28, 2016: Added mtalk.google.com
- December 2, 2015: Added hostnames to whitelist for single-app kiosk devices
- August 5, 2015: Added accounts.gstatic.com
Hostname whitelist for all Chrome devices
1 For more information, see What is 1e100.net?
2 For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia use accounts.google.com.au, and for United Kingdom use accounts.google.co.uk.
3 If you're running Chrome OS version 62 and you're seeing the error "Network not available," you may need to whitelist the host alt*.gstatic.com through your firewall on port 80. If this doesn't resolve the issue, see this full list of hosts to whitelist.
Additional hosts to whitelist
If you're using a Chrome device as a single-app kiosk or the Google Play Store on a Chrome device, you need to whitelist the additional hostnames below for TLS inspection to work correctly.
Hostname whitelist for single-app kiosk devices
If you use single-app kiosk devices, whitelist the following hostnames in addition to the hostnames listed above:
Hostname whitelist for Chrome devices using Android apps (Google Play Store)
If you use Android apps on Chrome devices (Google Play Store), whitelist the following hostname in addition to the hostnames listed above under Hostname whitelist for all Chrome devices.
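The following Python check is an added example, not part of the original page or any Google tooling. It flags exempt hostnames that were still served the inspection CA's certificate, using only the hostnames named in the change log above (not the complete whitelist), and shows the difference between `*gvt1.com` and `*.gvt1.com`. The glob meaning of `*`, the record format and the issuer names are assumptions.

```python
import fnmatch

# Hostnames named in this page's change log; NOT the complete whitelist.
PATTERNS = [
    "cloudsearch.googleapis.com", "*.gvt1.com", "*.1e100.net",
    "chromeos-ca.gstatic.com", "policies.google.com", "alt*.gstatic.com",
    "accounts.google.[country]", "mtalk.google.com", "accounts.gstatic.com",
]
# Local suffixes for accounts.google.[country] (the two examples in footnote 2).
COUNTRY_SUFFIXES = ["com.au", "co.uk"]

def expand(patterns, suffixes):
    """Replace the [country] placeholder with each local top-level domain."""
    out = []
    for p in patterns:
        if "[country]" in p:
            out += [p.replace("[country]", s) for s in suffixes]
        else:
            out.append(p)
    return out

def is_exempt(host, patterns):
    """Case-insensitive glob match; '*' = any run of characters (assumed)."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

def inspected_exempt_hosts(records, patterns, inspection_issuer):
    """Exempt hosts whose observed certificate came from the inspection CA."""
    return sorted({h for h, issuer in records
                   if issuer == inspection_issuer and is_exempt(h, patterns)})

INSPECTION_CA = "Example Inspection CA"  # assumed name of the proxy's CA
# Constructed sample: (hostname, issuer of the certificate the client saw).
SAMPLE = [
    ("dl.gvt1.com", INSPECTION_CA),            # exempt, yet inspected
    ("alt2.gstatic.com", INSPECTION_CA),       # exempt, yet inspected
    ("accounts.google.co.uk", "Example Public CA"),  # exempt, bypassed
    ("examplegvt1.com", INSPECTION_CA),        # look-alike, not exempt
    ("www.example.org", INSPECTION_CA),        # ordinary inspected traffic
]

if __name__ == "__main__":
    pats = expand(PATTERNS, COUNTRY_SUFFIXES)
    for host in inspected_exempt_hosts(SAMPLE, pats, INSPECTION_CA):
        print("exempt host was inspected:", host)
    # The older pattern without the dot also exempts unrelated domains.
    print(is_exempt("examplegvt1.com", ["*gvt1.com"]),
          is_exempt("examplegvt1.com", ["*.gvt1.com"]))
```

Check how your web filter interprets `*` before relying on the result, since wildcard handling differs between products.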