Umbrella customers who use the AnyConnect Secure Mobility Client with Secure Web Gateway (SWG) may need to disable the QUIC protocol in their Google Chrome settings. Otherwise they may encounter issues such as Google-related pages not displaying correctly, YouTube videos not loading as expected, or application enforcement failing to apply.
You may see an error similar to the one in the screenshot below, for example.
By default, Google Chrome uses QUIC to connect to all Google services, so requests to Google services from Chrome use UDP instead of TCP. The AnyConnect Secure Mobility Client does not intercept these requests, so the proxy never sees them.
A default Chrome installation is currently not fully supported for Google products with SWG. QUIC must be disabled; without that, application controls and page loads may not function as expected.
QUIC in Google Chrome
Symptoms of QUIC enabled on Google Chrome
- Google sites may fail to load
- SWG settings for Google sites may fail to apply:
  - Application Control
  - Advanced Application Control (like uploads)
  - Policy enforcement
Disabling QUIC in Google Chrome
For more information on disabling QUIC on a managed device, see https://support.google.com/chrome/a/answer/7649838?hl=en. You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol (#enable-quic) flag:
- In the address bar, type: chrome://flags#enable-quic
- Set the Experimental QUIC protocol flag to Disabled
- Relaunch Chrome for the setting to take effect.
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:
Windows registry location for Windows clients:
Windows registry location for Google Chrome OS clients:
Mac/Linux preference name:
Windows: 0x00000000, Linux: false, Mac: <false />
Blocking QUIC on your Firewall
You can also block the QUIC protocol on your firewall, either by blocking UDP port 443 or by blocking QUIC by application name (if the firewall supports L7). In both cases, you need to allow Umbrella-related IP addresses in your firewall rules to facilitate encrypted DNS: see Secure Web Gateway's IP List and Domains to Allow in Customer Firewalls.
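To confirm which clients still send QUIC around the proxy, or that the UDP 443 block is taking effect, you can audit firewall flow records. The following is an added example, not Cisco code: the CSV log layout, the `audit_quic` function and the allow-listed range (a documentation range standing in for the Umbrella addresses) are all assumptions.

```python
import csv
import io
import ipaddress

# Assumption: placeholder for the Umbrella ranges that must stay reachable.
# 198.51.100.0/24 is a documentation range, not a real Umbrella address.
ALLOWED_UDP443 = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample flow log; the column layout is an assumption.
SAMPLE_LOG = """\
src,dst,proto,dport,action
10.0.0.21,203.0.113.10,udp,443,allow
10.0.0.21,203.0.113.10,tcp,443,allow
10.0.0.34,203.0.113.77,udp,443,deny
10.0.0.34,198.51.100.5,udp,443,allow
10.0.0.52,203.0.113.10,UDP,443,allow
10.0.0.52,192.0.2.53,udp,53,allow
bad,row
"""


def audit_quic(log_text, allowed=ALLOWED_UDP443):
    """Map each client to the UDP/443 destinations it reached or was denied."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            proto = row["proto"].strip().lower()
            dport = int(row["dport"])
            src = ipaddress.ip_address(row["src"].strip())
            dst = ipaddress.ip_address(row["dst"].strip())
            action = row["action"].strip().lower()
        except (KeyError, ValueError, AttributeError, TypeError):
            continue  # malformed or truncated record
        if proto != "udp" or dport != 443:
            continue  # only QUIC's transport (UDP 443) is of interest
        if any(dst in net for net in allowed):
            continue  # expected traffic to the allow-listed ranges
        entry = findings.setdefault(str(src), {"bypassing": set(), "blocked": set()})
        # "allow" means the flow left the network without passing the proxy;
        # any other action means the firewall rule caught it.
        entry["bypassing" if action == "allow" else "blocked"].add(str(dst))
    return {c: {k: sorted(v) for k, v in e.items()} for c, e in sorted(findings.items())}


if __name__ == "__main__":
    for client, result in audit_quic(SAMPLE_LOG).items():
        print(client, result)
```

Clients listed under `bypassing` still have QUIC enabled and no firewall block in their path; clients under `blocked` are being stopped by the firewall but have not had QUIC disabled in Chrome.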