Home / How to get Chrome devices to work on a domain with SSL inspection.

How to get Chrome devices to work on a domain with SSL inspection.

For Chrome devices to work on a domain with SSL inspection, some hostnames need to be exempt from inspection. This is because certificates can only be imported at the user level and are only honored for user-level traffic. Some device-level traffic doesn’t use the SSL certificate to protect users against certain kinds of security risks.

To ensure that Chrome devices work with SSL inspection, you need to whitelist the following hostnames on your proxy server. For details on how to whitelist hostnames, check with your web filter provider.

  1. Hostname whitelist for all Chrome devices.
    • accounts.google.com< (1)
    • accounts.google.[country]
    • accounts.gstatic.com
    • accounts.youtube.com
    • alt*.gstatic.com (2)
    • clients1.google.com
    • clients2.google.com
    • clients3.google.com
    • clients4.google.com
    • commondatastorage.googleapis.com
    • cros-omahaproxy.appspot.com
    • dl.google.com
    • dl-ssl.google.com
    • gweb-gettingstartedguide.appspot.com
    • m.google.com
    • omahaproxy.appspot.com
    • pack.google.com
    • policies.google.com
    • safebrowsing-cache.google.com
    • safebrowsing.google.com
    • ssl.gstatic.com
    • storage.googleapis.com
    • tools.google.com
    • www.googleapis.com
    • www.gstatic.com

(1) For accounts.google.[country], use your local top-level domain for [country]. For example, for Australia, use accounts.google.com.au, and for the United Kingdom use accounts.google.co.uk.

(2) If you’re running Chrome OS version 62 and you’re seeing the error “Device cannot connect to any wireless network” or “Network not available,” you may need to whitelist the host alt*.gstatic.com through your firewall on port 80. If this doesn’t resolve the issue, see this full list of hosts to whitelist.

Additional hosts to whitelist
If you’re using a Chrome device as a single-app kiosk or the Google Play Store on a Chrome device, you need to whitelist the additional hostnames below for SSL inspection to work correctly.

Additional Information can be found at these URLs:
http://support.rmgnetworks.com/documentation/ChromeBox%20Whitelisting%20FAQ.docx https://support.google.com/chrome/a/answer/6334001?hl=en
https://support.google.com/chrome/a/answer/3504942?hl=en&ref_topic=3504941

About Stephan Garmon

Client Technical Support Senior Analyst at RMG Networks. Over 10 years of experience with Digital Signage and 20 years in a technical support analyst role.
View all posts by Stephan Garmon