  1. #1
    Untangler
    Join Date
    Sep 2008
    Posts
    75

    Trying to Ignore Google Meet

    Hi

    I have been running SSL Inspector successfully for the last 2 weeks with around 65 Windows 10 Pro clients and have only had to create a handful of Ignore rules.

    However I am having a lot of difficulty creating rule(s) to ignore "Google Meet" which does not work with SSL Inspector. It appears to work for about 20 seconds and then complains of a network error. I first painstakingly recorded all the domains that Google Meet uses and created Ignore rules for each one but that didn't help. I then created an Ignore rule with the Condition "SSL Inspector Certificate Subject" = *google*. That appeared to Ignore all the same traffic that my other rules ignored. In other words I believe I am ignoring all the traffic that I can see that Google Meet uses.

    Has anyone had success getting Google Meet to be ignored by SSL Inspector?

    I am assuming that it should be possible to ignore something if you have identified all the domains or SSL Certificate Subjects?

    Thanks

  2. #2
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,175

    Since you have the curated list, I would try to use [Bypass Rules] to ignore that traffic completely.

  3. #3
    Untangler
    Join Date
    Sep 2008
    Posts
    75


    When I check Bypass Rules it doesn't allow me to specify domain names.

  4. #4
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,175

    oh duh. sorry for the brain fart. There might be some tortuous way to do that with client tagging.

    But you might want to try Web Filter [Pass Sites], along with the SSL Inspector [Ignore Rules]

  5. #5
    Untangler
    Join Date
    Sep 2008
    Posts
    75


    Originally posted by Jim.Alles:
        oh duh. sorry for the brain fart. There might be some tortuous way to do that with client tagging.

        But you might want to try Web Filter [Pass Sites], along with the SSL Inspector [Ignore Rules]

    That's OK. I don't see any blocked URLs that match anything to do with Google Meet. I will have a look at client tagging.

    I'm assuming that one way or another that there should be no reason why I can't bypass or ignore Google Meet so that it is able to work.

  6. #6
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,175

    Originally posted by westgj:
        That's OK. I don't see any blocked URLs that match anything to do with Google Meet. I will have a look at client tagging.

        I'm assuming that one way or another that there should be no reason why I can't bypass or ignore Google Meet so that it is able to work.

    The pass site idea was hoping to minimize processing, and it might help to do that kind of thing in each of the apps you have installed.

    client tagging with #config/events/triggers is going to bypass everything on that host for a period of time. Probably not suitable.

    If you can get the list resolved into IP addresses, that would be helpful, but with CDNs that isn't likely to be very successful.

    This is not a NGFW feature. You may up-vote this:
    https://untanglengfirewall.featureupvote.com/suggestions/29004/bypass-by-url

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,175

    It looks like there is an IP address range IPv4: 74.125.250.0/24
    Other advice here, including avoid QoS (‽)
    https://support.google.com/a/answer/1279090

  8. #8
    Untangler
    Join Date
    Sep 2008
    Posts
    75


    Thanks so much for all this information. I will have another attempt in the next few days and let everyone know if I have success.

  9. #9
    Untangler
    Join Date
    Sep 2008
    Posts
    75


    So I have followed the guide https://support.google.com/a/answer/1279090 where it suggests allowing outbound UDP ports 19302–19309, which I did, and now Google Meet works.

    I did not need to create a Bypass Rule 74.125.250.0/24.

    The reason I initially thought the problem was due to SSL Inspector is that when I created an Ignore rule just for my client IP address Google Meet works without adding the outbound firewall rule which is odd.
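
A troubleshooting helper for the fix described in post #9, added here as an example and not part of any post or of Untangle: it scans exported session events for blocked flows that match the Meet media ports (UDP 19302–19309) or the 74.125.250.0/24 range quoted in this thread. The CSV column layout, function names and sample rows are constructed assumptions.

```python
import csv
import ipaddress
from io import StringIO

# Values quoted in the thread (from Google's Meet network guide).
MEET_UDP_PORTS = range(19302, 19310)  # 19302-19309 inclusive
MEET_MEDIA_NET = ipaddress.ip_network("74.125.250.0/24")

# Constructed sample export; this column layout is an assumption,
# not a real Untangle report format.
SAMPLE_EVENTS = """\
time,proto,src,dst,dport,action
10:00:01,TCP,192.168.1.20,203.0.113.14,443,pass
10:00:02,UDP,192.168.1.20,74.125.250.17,19305,block
10:00:02,UDP,192.168.1.20,198.51.100.127,19302,block
10:00:03,UDP,192.168.1.20,192.0.2.53,53,pass
10:00:04,UDP,192.168.1.21,74.125.250.40,19309,pass
10:00:05,TCP,192.168.1.20,74.125.250.9,443,block
"""


def meet_media_reason(proto, dst, dport):
    """Return why a flow looks like Meet media, or None if it does not."""
    reasons = []
    if proto.upper() == "UDP" and int(dport) in MEET_UDP_PORTS:
        reasons.append("udp-19302-19309")
    if ipaddress.ip_address(dst) in MEET_MEDIA_NET:
        reasons.append("74.125.250.0/24")
    return "+".join(reasons) or None


def blocked_meet_flows(csv_text):
    """List (src, proto, dst, dport, reason) for blocked Meet media flows."""
    hits = []
    for row in csv.DictReader(StringIO(csv_text)):
        reason = meet_media_reason(row["proto"], row["dst"], row["dport"])
        if reason and row["action"].strip().lower() == "block":
            hits.append((row["src"], row["proto"], row["dst"],
                         int(row["dport"]), reason))
    return hits


if __name__ == "__main__":
    for hit in blocked_meet_flows(SAMPLE_EVENTS):
        print(hit)
```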

  10. #10
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,175

    I participated in a Google Meet chat and observed the traffic.

    Some sessions were identified as Google Hangouts by Application Control.
    I saw no sessions with a filter of 74.125.250.

    Apparently there are different flavors of Google Meet (previously Chat or Hangouts).

    NGFW's Firewall app doesn't do any blocking for outbound by default.

    Could you post your Firewall rules?
    Last edited by Jim.Alles; 06-17-2020 at 05:40 PM.
