How to Exclude Gmail (mail.google.com) from DPI-SSL Client Inspection
03/26/2020
Google uses a single wildcard certificate with a CN of *.google.com for all of its services, such as YouTube.com and Google.com. The individual domain names are present in the Subject Alternative Name (SAN) field of the certificate. Because of this, previous deployments of DPI-SSL could not include or exclude an individual domain from DPI-SSL inspection.
In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the Server Name present in the Server Name Indication (SNI) of the Client Hello or the domain names present in the SAN extension of the certificate.
This KB article describes how to exclude Gmail.com (mail.google.com) from DPI-SSL inspection without affecting content decryption and inspection of other Google services.
Here's how to add Google Domains to the DPI-SSL Exclusions:
Log in to the SonicWall GUI
Go to the Manage tab
Go to Deep Packet Inspection | SSL Client Deployment
Navigate to the Common Name tab
Click on Add
Enter the following Common Names:
Set Action to Exclude
Click on OK
From a host behind the SonicWall, go to gmail.com or mail.google.com. The site must show its certificate as issued by a public CA, which confirms that the connection is not being re-signed by DPI-SSL.
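The verification step above can be scripted so that it also confirms other Google services are still inspected. This is an added example, not part of the SonicWall article: `INSPECTION_CA_CN` is a placeholder for the CN of the CA your firewall re-signs with, `www.google.com` is an assumed comparison host, and the inspection CA is assumed to be in the trust store Python uses.

```python
import socket
import ssl

# Placeholder (assumption): subject CN of the CA your firewall re-signs with.
INSPECTION_CA_CN = "EXAMPLE-DPI-SSL-CA"

# Constructed issuers in the shape ssl.SSLSocket.getpeercert()["issuer"] returns.
SAMPLE_PUBLIC_ISSUER = ((("organizationName", "Example Public CA"),),
                        (("commonName", "Example Public CA G1"),))
SAMPLE_INSPECTED_ISSUER = ((("commonName", INSPECTION_CA_CN),),)


def is_intercepted(issuer, inspection_ca_cn=INSPECTION_CA_CN):
    """True if the certificate seen by the client was issued by the inspection CA."""
    fields = {key: value for rdn in issuer for key, value in rdn}
    return fields.get("commonName") == inspection_ca_cn


def fetch_issuer(host, port=443, timeout=5):
    """Connect with SNI set to host and return the issuer of the presented cert.

    Assumes the inspection CA is in the trust store Python uses; otherwise
    inspected hosts raise ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]


def check_exclusions(expect_excluded, expect_inspected, fetch=fetch_issuer):
    """Return (host, problem) pairs where inspection state differs from intent."""
    problems = []
    for host in expect_excluded:
        if is_intercepted(fetch(host)):
            problems.append((host, "excluded host is still re-signed"))
    for host in expect_inspected:
        if not is_intercepted(fetch(host)):
            problems.append((host, "host is no longer inspected"))
    return problems


if __name__ == "__main__":
    # mail.google.com is from the article; www.google.com is an assumed
    # comparison host that should remain under inspection.
    issues = check_exclusions(["mail.google.com"], ["www.google.com"])
    for host, problem in issues:
        print(f"{host}: {problem}")
    print("OK" if not issues else f"{len(issues)} mismatch(es)")
```

A "host is no longer inspected" result for the comparison host indicates the exclusion entry is matching more than mail.google.com.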