How to Exclude Gmail (mail.google.com) from DPI-SSL Client Inspection

03/26/2020 391 People found this article helpful 106,452 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

Google uses a single wildcard certificate with a CN of *.google.com for all their services like YouTube.com, Google.com etc. The individual domain names are present in the Subject Alt Name (SAN) field of the certificate. Due to this, in previous deployments of DPI-SSL, it was not possible to include or exclude an individual domain from DPI-SSL inspection. 

In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the Server Name present in the Server Name Indication (SNI) of the Client Hello or by domain names present in the SAN extension of the Certificate. 

This KB article describes how to exclude Gmail.com (mail.google.com) from DPI-SSL inspection without affecting content decryption and inspection of other Google services. 

Resolution

Here's how to add Google Domains to the DPI-SSL Exclusions:

1. Log in to the SonicWall GUI
2. Go to the Manage tab
3. Go to Deep Packet Inspection | SSL Client Deployment
4. Navigate to the Common Name tab
5. Click on Add
6. Enter the following Common Names:
   • googleuser.content.com
   • accounts.youtube.com
   • accounts.google.com
   • mail.google.com
   • www.gmail.com
   • gstatic.com 
   • googleusercontent.com
7. Set Action to Exclude
8. Click on OK

Testing

From a host behind the SonicWall, go to gmail.com or mail.google.com. The site must show its certificate as issued by a public CA.

Related Articles

• SSL Control and DPI-SSL Compatibility
• FIPS Mode: Radius protected with IPSEC VPN
• Maximum DHCP Leases

Categories

• Firewalls > NSa Series > Client/Server DPI-SSL
• Firewalls > NSv Series > Client/Server DPI-SSL
• Firewalls > TZ Series > DPI-SSL