Google Chrome search is not blocked by policy in transparent deployment

book

Article ID: 168626

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Policy is configured to block access to the entire Google domain. When an internal user tries to search using Microsoft Internet Explorer or Mozilla Firefox, the search is blocked, but when the user types a search string in the address bar in Google Chrome, the browser displays search results.

Cause

QUIC (Quick UDP Internet Connections, pronounced "quick") is an experimental transport layer network protocol developed by Google that supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP).

When a search string is provided in the browser address bar, Chrome tries to send the request through UDP. The client side/proxy side PCAP shows UDP traffic and lines such as the following:

1    0.002262    192.168.158.102            64.233.167.94         UDP           Source port: 55705  Destination port: https
2    0.050983    64.233.167.94              192.168.158.102       UDP           Source port: https  Destination port: 55705

Resolution

The appliance does not intercept UDP traffic in a transparent deployment, so the firewall must either allow or deny it; the appliance has no control over this connection.
 
For more information about QUIC protocol, refer to http://en.wikipedia.org/wiki/QUIC.