There are two options to prevent QUIC traffic from bypassing the proxy:
- Blocking UDP traffic on port 443 via your firewall
- Disabling QUIC in Google Chrome (either manually or via a registry key)
Customers should consider blocking QUIC in the following scenarios:
- For users with Proxy Connect Endpoint or PAC file only deployments, all traffic is directed to the proxy, and QUIC should not be used. However, some customers choose to block the standard TCP ports 80 and 443 in order to prevent accidental data leakage. In this case, customers should ensure that UDP is also blocked on port 443.
- For organizations directing traffic to the proxy via firewall redirection, IPsec VPN or GRE tunneling, these methods redirect TCP traffic on ports 80 and 443 to the cloud proxy. In these cases, customers should ensure that UDP is blocked on port 443, in order to force traffic over TCP.
- For roaming users, and users with the Direct Connect endpoint, Forcepoint recommends that you disable the QUIC protocol in Google Chrome using one of the methods detailed below.
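To confirm that a firewall rule blocking UDP on port 443 is actually in effect, you can audit the firewall's connection log for allowed UDP/443 flows. The following is an added example, not part of the original article or any Forcepoint tooling; the key=value log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z action=allow proto=TCP src=10.0.0.11 dst=203.0.113.10 dport=443
2024-05-01T09:00:02Z action=allow proto=UDP src=10.0.0.11 dst=198.51.100.7 dport=443
2024-05-01T09:00:03Z action=deny proto=UDP src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T09:00:04Z action=allow proto=UDP src=10.0.0.13 dst=192.0.2.53 dport=53
2024-05-01T09:00:05Z action=allow proto=UDP src=10.0.0.11 dst=198.51.100.8 dport=443
2024-05-01T09:00:06Z action=allow proto=udp src=10.0.0.14 dst=198.51.100.7 dport=443
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "proto", "src", "dst", "dport"}


def parse_line(line):
    """Return the key=value fields of one log line as a dict (empty if none)."""
    return dict(FIELD_RE.findall(line))


def find_quic_leaks(log_text):
    """Map each client IP to the destinations it reached over allowed UDP/443.

    UDP/443 is treated as QUIC here because that is the port the rule targets;
    the log alone cannot prove which protocol was carried.
    """
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not REQUIRED <= fields.keys():
            continue  # skip malformed or unrelated lines
        if (fields["action"].lower() == "allow"
                and fields["proto"].lower() == "udp"
                and fields["dport"] == "443"):
            leaks[fields["src"]].add(fields["dst"])
    return {src: sorted(dsts) for src, dsts in leaks.items()}


def udp443_blocked(log_text):
    """True when the log contains no allowed UDP/443 flow."""
    return not find_quic_leaks(log_text)


if __name__ == "__main__":
    for src, dsts in sorted(find_quic_leaks(SAMPLE_LOG).items()):
        print(f"{src} bypassed the proxy over UDP/443 to: {', '.join(dsts)}")
```

Clients that appear in the result are candidates for the browser-level QUIC setting described below, in addition to correcting the firewall rule.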
How to check if QUIC is enabled in Google Chrome
Depending on your browser and firewall configuration, your organization may be using the QUIC protocol without knowing it. The simplest way to check whether QUIC is enabled in Chrome is to use Chrome's Developer Tools.
- Open Chrome's Developer Tools (Menu > More tools > Developer tools, or Ctrl+Shift+I).
- In the Network tab, right click a column heading to include the Protocol column.
- Browse to a Google-owned website, such as https://www.google.com.
- Check for the entry http/2+quic/39 in the Protocol column. If this entry is present, then Google QUIC is enabled.
Disabling QUIC in Google Chrome
You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol flag:
- In the address bar, type: chrome://flags#enable-quic
- Set the Experimental QUIC protocol flag to Disabled
- Relaunch Chrome for the setting to take effect.
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:
Data type:
Windows registry location for Windows clients:
Windows registry location for Google Chrome OS clients
Mac/Linux preference name
If this policy is set to true (or not set), usage of QUIC is allowed. If the policy is set to false, usage of QUIC is not allowed.
Windows: 0x00000000, Linux: false, Mac: <false />
- Google Chrome (Linux, Mac, Windows) since version 43
- Google Chrome OS (Google Chrome OS) since version 43
For more information on this Chrome policy, see the chromium.org website at the following link: Policy List - The Chromium Projects
Disabling QUIC in Opera
You can manually disable QUIC in Opera using the Experimental QUIC protocol (#enable-quic) flag:
- In the address bar, type: opera://flags
- Search for 'QUIC'
- Set the Experimental QUIC protocol flag (#enable-quic) to Disabled
- Relaunch Opera for the setting to take effect.