Google Drive fails through the Web Security Service (WSS) with SSL Interception enabled
Article ID: 165792

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When TLS/SSL Interception is enabled in the Cloud Secure Web Gateway (WSS) portal, the Google Drive desktop application shows one or more of the following symptoms:

  • Google Drive cannot connect
  • Google Drive fails to sign on
  • Google Drive fails to sync files

Cause

The Google Drive application pins the certificates it expects from Google's servers. When WSS intercepts the TLS session it presents a certificate issued by the WSS interception CA instead, so the pinned client rejects the connection and cannot sign on or sync.

Resolution

Add the Google Drive IP ranges and domains as TLS/SSL Interception exemptions so that Google Drive traffic is not intercepted. The TLS session then terminates at Google, the client sees the certificate it has pinned, and the application connects.

The following workaround in the WSS portal lets the Google Drive application pass through the WSS service without being SSL inspected.

You need to edit the TLS/SSL interception bypass list in the WSS portal:

Policy -> TLS/SSL Interception -> TLS/SSL Interception Policy -> Add Rule (button)

Select "Do Not Intercept" and add the following subnets in the destination list:

  • 173.194.79.0/24 (resolves from upload.drive.google.com)
  • 74.125.129.0/24 (resolves from upload.drive.google.com)
  • 208.187.128.0/24 (resolves from client(#).google.com)
Note! This subnet range may also be used when resolving youtube.com, so a Do Not Intercept rule for it can also affect any policy written specifically for youtube.com.

Also add these Google Drive IPs and domains to the TLS/SSL Interception exemption list:

If the above IP addresses and domains do not solve the problem, it might be necessary to widen the subnets to a /16. A /16 exempts a much larger share of Google's address space from inspection (and from any policy that depends on decrypted content), so widen only as far as the trace shows is necessary.

If widening the subnets still does not help, determine which additional IP addresses and hostnames the Google Drive application resolves and connects to, and exempt those as well (see Additional Information below).

Another document that provides similar information regarding Google Drive not working through a proxy is:

(ProxySG) Google Drive access breaks when SSL Interception is enabled in ProxySG

Note! Adding IP ranges to the TLS/SSL Interception exemption list does not grant unrestricted access to the sites in those ranges. The traffic is still passed through the WSS service and logged by WSS; the destination IP addresses are still rated (even though interception is bypassed) and that rating is evaluated against policy. What is lost is visibility into the decrypted content, so policy that depends on the full URL path or on inspecting the response body cannot apply to the exempted flows.

Additional Information

If adding the above SSL exemptions fails to address the issue, there are a few additional options to identify other domains that may need to be bypassed:

  1. Run Fiddler on the WSS Agent host and track the Google Drive application for other domains being accessed, then add these domains to the TLS/SSL Interception exemption list to verify whether the behavior changes. Because the Drive client pins certificates, it will also reject Fiddler's HTTPS decryption certificate; the hostnames are still visible in Fiddler's CONNECT entries, so leave decryption off and read the destinations from those.
  2. Download SymDiag and run it while reproducing the issue.

After saving the SymDiag output, use the SymDiag Viewer (also available from the same SymDiag download link) to view the saved file.

From here, you can review the WssaInTunnelTrace.pcap shown below, which contains all the traffic going through your WSSA tunnel.

Filter the capture on the TLS ClientHello server_name (SNI) and the destination IP address to see which additional hostnames and addresses the Google Drive application connects to, then add those to your TLS/SSL bypass list:
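As an added worked example (not part of the original article and not Symantec/Broadcom tooling), the following Python script does the pcap review described above for both the subnet check in the Resolution section and the trace review here: it reads a classic pcap such as WssaInTunnelTrace.pcap, extracts the SNI hostname from every TLS ClientHello together with its destination IP, and reports the flows that none of the current Do Not Intercept subnets covers. The bypass subnets are the three /24s listed in the Resolution section; the embedded sample capture, the 10.0.0.5 client address, the 203.0.113.7 destination and the hostname extra.drive.example are constructed stand-ins, the script name find_uncovered.py is hypothetical, and the script assumes an Ethernet-encapsulated IPv4 capture.

```python
"""Find the TLS destinations in a WSSA tunnel capture (e.g. WssaInTunnelTrace.pcap)
that are not yet covered by the Cloud SWG 'Do Not Intercept' subnets."""
import ipaddress
import struct
import sys

# The three /24s from this article's Resolution section.
BYPASS_SUBNETS = ["173.194.79.0/24", "74.125.129.0/24", "208.187.128.0/24"]

# Constructed sample flows: two land in the bypass ranges, the third (TEST-NET
# address, made-up hostname) stands in for an extra endpoint the trace reveals.
SAMPLE_FLOWS = [("173.194.79.10", "upload.drive.google.com"),
                ("208.187.128.5", "clients4.google.com"),
                ("203.0.113.7", "extra.drive.example")]


def parse_sni(payload):
    """Return the server_name from a TLS ClientHello record, or None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                                     # record hdr + hs hdr + version + random
        p += 1 + payload[p]                                # session_id
        p += 2 + struct.unpack_from("!H", payload, p)[0]   # cipher_suites
        p += 1 + payload[p]                                # compression_methods
        ext_end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:                                 # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack_from("!H", payload, p + 3)[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def extract_tls_flows(pcap):
    """Return [(dst_ip, sni), ...] for every ClientHello in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off, flows = 24, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # IPv4 over Ethernet, TCP only
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sni = parse_sni(tcp[(tcp[12] >> 4) * 4:])          # skip the TCP header (data offset)
        if sni:
            flows.append((str(ipaddress.IPv4Address(frame[30:34])), sni))
    return flows


def find_uncovered(flows, subnets=BYPASS_SUBNETS):
    """Map each SNI hostname to the destination IPs that fall outside every bypass subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    uncovered = {}
    for ip, sni in flows:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            uncovered.setdefault(sni, set()).add(ip)
    return {h: sorted(ips) for h, ips in uncovered.items()}


def build_client_hello(hostname):
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension (constructed test data)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"           # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_sample_pcap(flows):
    """Wrap (dst_ip, hostname) pairs as Ethernet/IPv4/TCP frames in a little-endian pcap (constructed)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst_ip, host in flows:
        payload = build_client_hello(host)
        tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address("10.0.0.5").packed, ipaddress.IPv4Address(dst_ip).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap(SAMPLE_FLOWS)
    for host, ips in find_uncovered(extract_tls_flows(data)).items():
        print(f"{host:40} {', '.join(ips)}   not in any bypass subnet")
```

Run it as python find_uncovered.py WssaInTunnelTrace.pcap; with no argument it runs against the constructed sample and reports only extra.drive.example. Because the Drive client pins certificates, the trace will contain ClientHellos whose handshakes then fail, but the SNI is sent in the clear before any certificate is checked, so the hostname is still recoverable even though the session never completes. Each reported hostname and address is a candidate for the Do Not Intercept rule; widening a subnet beyond what the trace shows is the same trade-off described under Resolution.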