Google thick clients for Desktop fails through Cloudsoc

book

Article ID: 220455

calendar_today

Updated On:

Products

CASB Gateway

Issue/Introduction

Google's thick clients like Google Drive for Desktop or Google Chat, fail when passing through Cloudsoc (or WSS).

 

 

Cause

The main reason is the certificate pinning, where those agents are shipped with a predefined trust store. 

The gateway traffic needs to be intercepted using an emulated certificate for inspection and processing which causes the SSL handshake to fail since the certificates used for Cloudsoc or WSS are not defined on those agents.

Environment

Gateway traffic through WSS on any deployment (WSS Agent, or Proxy chaining)

Resolution

Google offers a list of registry keys to change the default behavior,

to give an example, here are a few helpful keys for Google Drive:

key path: HKEY_LOCAL_MACHINE\Software\Google\DriveFS

Keys to be used:

TrustedRootCertsFile (string) : using this key, Google Drive can be configured to trust the root certificate of WSS. download the certificate and add the path here

DisableSSLValidation (DWORD): another option to explore is to disable the SSL validation altogether, this key can be used in labs for testing and QA though it is not recommended in production, it is an insecure solution and can open up the environment for security issues.

Additional Information

https://support.google.com/a/answer/7644837?hl=en