Google Hangouts stop working when going through Edge SWG (formerly ProxySG)
Article ID: 259728
Updated On:
Products
Issue/Introduction
Google Hangouts is having connectivity issues. The site will connect but then drops off after a certain amount of time.
Environment
Explicit or Transparent Proxy
Cause
Google Hangouts recommends to avoid proxies, packet inspection, protocol analyzers, and quality of service (QoS) for better performance. For media(audio/video) they recommend to use UDP (Proxy doesn't handle UDP so it should go directly to google infrastructure). TCP will be used if these UDP ports are blocked.
As per Google, Proxying the meet traffic adds latency and can cause Hangout to automatically reduce the video and audio quality. I would follow their recommendation to allow access to Meet's media servers using the following set of IP ranges: IPv4: 142.250.82.0/24
Resolution
As indicated by Google, SSL Interception breaks Google Hangouts and so we must disable SSL Interception on the Proxy.
Solution for Explicit and Transparent Deployments on Proxies
;===========For Explicit Deployments ===========================================
Add the following CPL. Go to Policy Files > Local File Text Editor and copy+paste the following:
<proxy>
client.address=192.168.104.10 Condition=Google_Meet authenticate(no) detect_protocol(none) Allow
define condition Google_Meet
url.domain="accounts.google.com"
url.domain="apis.google.com"
url.domain="appspot.com"
url.domain="client-channel.google.com"
url.domain="clients1.google.com"
url.domain="clients2.google.com"
url.domain="clients3.google.com"
url.domain="clients4.google.com"
url.domain="clients5.google.com"
url.domain="clients6.google.com"
url.domain="googleapis.com"
url.domain="pis.google.com"
url.domain="video.google.com"
url.domain="gstatic.com"
url.domain="lh3.googleusercontent.com"
url.domain="meetings.clients6.google.com"
url.address=74.125.250.0/24
end
;========================================================================================================================================
For Transparent Deployments follow below
Option 1: Static Bypass based on source:clientIP and destination:74.125.250.0/24
Option 2: Add the following CPL. Go to Policy Files > Local File Text Editor and copy+paste the following:
<ssl-intercept>
condition=Internal_IP Condition=Google_Meet ssl.forward_proxy(no)
define condition Internal_IP
client.address=1.1.1.1
client.address=2.2.2.2
end
define condition Google_Meet
url.domain="accounts.google.com"
url.domain="apis.google.com"
url.domain="appspot.com"
url.domain="client-channel.google.com"
url.domain="clients1.google.com"
url.domain="clients2.google.com"
url.domain="clients3.google.com"
url.domain="clients4.google.com"
url.domain="clients5.google.com"
url.domain="clients6.google.com"
url.domain="googleapis.com"
url.domain="pis.google.com"
url.domain="video.google.com"
url.domain="gstatic.com"
url.domain="lh3.googleusercontent.com"
url.domain="meetings.clients6.google.com"
url.address=74.125.250.0/24
end
replace below with actual client machine IPs
client.address=1.1.1.1
client.address=2.2.2.2
Option 3: Create a policy in SSL Interception Layer. Source is your internal subnet's allowed. In Destination, add all those URLs along with Google's ip subnet. Action is to disable SSL Interception.
Feedback
