KB Article | Forcepoint Support

Problem Description

QUIC is an experimental transport protocol implemented by Google. QUIC is built on UDP, and functions as an alternative to TCP for web connections. It is currently only supported by Google Chrome, when connecting to a number of Google-owned web services (such as Google and YouTube). QUIC is enabled by default in recent versions of Chrome. By default, traffic between Google Chrome and these services is sent using UDP on port 443, and in some scenarios this traffic can bypass the cloud proxy.

Resolution

There are two options to prevent QUIC traffic from bypassing the proxy:
  • Blocking UDP traffic on port 443 via your firewall
  • Disabling QUIC in Google Chrome (either manually or via a registry key)

Customers should consider blocking the use of QUIC in the following scenarios:
  • For users whose traffic is directed to the cloud service via PAC file, and users with the Proxy Connect endpoint, all traffic is directed to the proxy, and QUIC should not be used. However, some customers choose to block the standard TCP ports 80 and 443 in order to prevent accidental data leakage. In this case, customers should ensure that UDP is also blocked on port 443.
  • For organizations directing traffic to the proxy via firewall redirection, IPsec VPN or GRE tunneling, these methods redirect TCP traffic on ports 80 and 443 to the cloud proxy. In these cases, customers should ensure that UDP is blocked on port 443, in order to force traffic over TCP.
  • For roaming users, and users with the Direct Connect endpoint, Forcepoint recommends that you disable the QUIC protocol in Google Chrome using one of the methods detailed below.

Disabling QUIC in Google Chrome

You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol (#enable-quic) flag:
  1. In the address bar, type:  chrome://flags#enable-quic
  2. Set the Experimental QUIC protocol flag to Disabled
  3. Relaunch Chrome for the setting to take effect.

The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:

Data type: Boolean [Windows: REG_DWORD]
Windows registry location for Windows clients: Software\Policies\Google\Chrome\QuicAllowed
Windows registry location for Google Chrome OS clients: Software\Policies\Google\ChromeOS\QuicAllowed
Mac/Linux preference name: QuicAllowed
Description: If this policy is set to true (or not set), usage of QUIC is allowed. If the policy is set to false, usage of QUIC is not allowed.
Recommended value: Windows: 0x00000000, Linux: false, Mac: <false />

Supported on:
  • Google Chrome (Linux, Mac, Windows) since version 43
  • Google Chrome OS (Google Chrome OS) since version 43
For more information on this Chrome policy, see the chromium.org website at the following link: Policy List - The Chromium Projects.
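
The following PowerShell sketch applies both resolution options on a single Windows client and reports the result. It is an added example, not Forcepoint's or Google's own script. Assumptions: the policy is written under the HKLM hive (the article gives only the path below the hive), the UDP 443 block is done with the Windows host firewall, and the rule name is made up for illustration.

```powershell
# Added example, not Forcepoint's own script. Run from an elevated session.
# Assumption: HKLM (machine-wide policy) is the hive; the article lists only
# the path below the hive.
$PolicyKey = 'HKLM:\Software\Policies\Google\Chrome'
$ValueName = 'QuicAllowed'
$RuleName  = 'Block outbound QUIC (UDP 443)'   # hypothetical rule name

function Get-QuicPolicyState {
    # 'NotSet' and 'Allowed' both leave QUIC usable; only 0 disables it.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ([int]$item.$ValueName -eq 0) { return 'Disabled' }
    return 'Allowed'
}

function Set-QuicDisabled {
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # REG_DWORD 0x00000000 is the article's recommended Windows value.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Add-QuicBlockRule {
    # Host-firewall form of "block UDP on port 443" (an assumption: the
    # article does not say which firewall enforces the block).
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol UDP -RemotePort 443 -Action Block | Out-Null
    }
}

$before = Get-QuicPolicyState
if ($before -ne 'Disabled') { Set-QuicDisabled }
Add-QuicBlockRule
$after = Get-QuicPolicyState

# Report what was found and what is now in place.
[pscustomobject]@{
    PolicyBefore = $before
    PolicyAfter  = $after
    FirewallRule = (Get-NetFirewallRule -DisplayName $RuleName).Enabled
}
if ($after -ne 'Disabled') { throw "QuicAllowed is still '$after' under $PolicyKey" }
```

After the script runs, chrome://policy should list QuicAllowed as false once policies are reloaded or Chrome is restarted.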
 
