How to Exclude Gmail (mail.google.com) from DPI-SSL Client Inspection

Description

Google uses a single wildcard certificate with a CN of *.google.com for all of its services, such as YouTube.com and Google.com. The individual domain names are listed in the Subject Alternative Name (SAN) field of the certificate. As a result, previous deployments of DPI-SSL could not include or exclude an individual domain from DPI-SSL inspection.

In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the server name in the Server Name Indication (SNI) extension of the Client Hello or the domain names in the SAN extension of the certificate.

This KB article describes how to exclude Gmail.com (mail.google.com) from DPI-SSL inspection without affecting content decryption and inspection of other Google services. 

Resolution

Here's how to add Google Domains to the DPI-SSL Exclusions:

  1. Log in to the SonicWall GUI
  2. Go to the Manage tab
  3. Go to Deep Packet Inspection | SSL Client Deployment
  4. Navigate to the Common Name tab
  5. Click on Add
  6. Enter the following Common Names:
    • googleuser.content.com
    • accounts.youtube.com
    • accounts.google.com
    • mail.google.com
    • www.gmail.com
    • gstatic.com 
    • googleusercontent.com
  7. Set Action to Exclude
  8. Click on OK

Testing

From a host behind the SonicWall, browse to gmail.com or mail.google.com. The browser must show the site's certificate as issued by a public CA, which confirms that the connection is excluded from DPI-SSL inspection.
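The same check can be scripted from a host behind the firewall. This is an added example, not part of the original article or SonicWall code. It reads the issuer of the certificate presented for each host name (sent as SNI) and compares it with the CA the firewall re-signs with. The INSPECTION_CA value is a placeholder you must replace, and the function and script names are assumptions.

```shell
#!/bin/sh
# Added example (not SonicWall code): verify DPI-SSL exclusions by certificate issuer.
# INSPECTION_CA is an assumption: a substring of the subject of the CA certificate
# your firewall re-signs with. Replace the placeholder with your own value.
INSPECTION_CA="${INSPECTION_CA:-EXAMPLE-DPI-SSL-CA}"

# Print the issuer of the certificate presented for host $1 (sent as SNI).
get_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# classify_issuer ISSUER: print inspected, bypassed, or unknown (no certificate).
classify_issuer() {
    ci_issuer=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ci_ca=$(printf '%s' "$INSPECTION_CA" | tr '[:upper:]' '[:lower:]')
    case "$ci_issuer" in
        "")          echo unknown ;;
        *"$ci_ca"*)  echo inspected ;;
        *)           echo bypassed ;;
    esac
}

# report EXPECTED HOST ISSUER: print one result line; return 1 on mismatch.
report() {
    r_state=$(classify_issuer "$3")
    if [ "$r_state" = "$1" ]; then
        echo "PASS $2: $r_state (${3:-no certificate})"
    else
        echo "FAIL $2: expected $1, got $r_state (${3:-no certificate})"
        return 1
    fi
}

# Usage: sh check_dpi_ssl.sh bypassed  mail.google.com www.gmail.com
#        sh check_dpi_ssl.sh inspected www.youtube.com
if [ "$#" -ge 2 ]; then
    expected=$1; shift; rc=0
    for host in "$@"; do
        report "$expected" "$host" "$(get_issuer "$host")" || rc=1
    done
    exit "$rc"
fi
```

Running it with `inspected` against a Google service that is not on the exclusion list confirms that the exclusion did not disable inspection of the other services.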
