KB Article | Forcepoint Support

Problem Description

What is QUIC?

  • QUIC is an experimental transport protocol implemented by Google.
  • QUIC is built on UDP, and functions as an alternative to TCP for web connections. It uses port 443.
  • QUIC is currently only supported by Google Chrome, and Opera 16 and later, when connecting to a number of Google-owned web services (such as Google and YouTube).
The QUIC protocol is not supported by the Forcepoint cloud service. QUIC is enabled by default in recent versions of Chrome. In some scenarios, this traffic can bypass the cloud proxy.

Resolution

There are two options to prevent QUIC traffic from bypassing the proxy:
  • Blocking UDP traffic on port 443 via your firewall
  • Disabling QUIC in Google Chrome (either manually or via a registry key)
Customers should consider blocking QUIC in the following scenarios:
  • For users with Proxy Connect Endpoint or PAC file only deployments, all traffic is directed to the proxy, and QUIC should not be used. However, some customers choose to block the standard TCP ports 80 and 443 in order to prevent accidental data leakage. In this case, customers should ensure that UDP is also blocked on port 443.
  • For organizations directing traffic to the proxy via firewall redirection, IPsec VPN or GRE tunneling, these methods redirect TCP traffic on ports 80 and 443 to the cloud proxy. In these cases, customers should ensure that UDP is blocked on port 443, in order to force traffic over TCP.
  • For roaming users, and users with the Direct Connect endpoint, Forcepoint recommends that you disable the QUIC protocol in Google Chrome using one of the methods detailed below.

How to check if QUIC is enabled in Google Chrome

Depending on your browser and firewall configuration, your organization may be using the QUIC protocol without knowing it. The simplest way to check whether QUIC is enabled in Chrome is to use Chrome's Developer Tools.

  1. Open Chrome's Developer Tools (Menu > More tools > Developer tools, or Ctrl+Shift+I).
  2. In the Network tab, right-click a column heading to include the Protocol column.
  3. Browse to a Google-owned website, such as https://www.google.com.
  4. Check for the entry http/2+quic/39 in the Protocol column. If this entry is present, then Google QUIC is enabled. 


Disabling QUIC in Google Chrome

You can manually disable QUIC in Google Chrome using the Experimental QUIC protocol (#enable-quic) flag:
  1. In the address bar, type:  chrome://flags#enable-quic
  2. Set the Experimental QUIC protocol flag to Disabled
  3. Relaunch Chrome for the setting to take effect.
The following Windows registry key (or Mac/Linux preference) can be used to disable QUIC in Chrome, and can be enforced via GPO or equivalent:

Data type: Boolean [Windows: REG_DWORD]
Windows registry location for Windows clients: Software\Policies\Google\Chrome\QuicAllowed
Windows registry location for Google Chrome OS clients: Software\Policies\Google\ChromeOS\QuicAllowed
Mac/Linux preference name: QuicAllowed
Description: If this policy is set to true (or not set), usage of QUIC is allowed. If the policy is set to false, usage of QUIC is not allowed.
Recommended value: Windows: 0x00000000, Linux: false, Mac: <false />

Supported on:
  • Google Chrome (Linux, Mac, Windows) since version 43
  • Google Chrome OS (Google Chrome OS) since version 43
For more information on this Chrome policy, see the chromium.org website at the following link: Policy List - The Chromium Projects.
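
The following PowerShell script is an added example, not part of the original article or Forcepoint's own tooling. It audits the QuicAllowed policy value on a Windows client and, with -Enforce, writes the recommended value. Checking both HKLM and HKCU, and writing to the machine-wide HKLM hive, are assumptions; the article gives only the path Software\Policies\Google\Chrome\QuicAllowed.

```powershell
# Added example: audit (and optionally enforce) the Chrome QuicAllowed policy.
# Assumption: enforcement targets the machine-wide hive (HKLM).
param([switch]$Enforce)

$SubKey    = 'Software\Policies\Google\Chrome'
$ValueName = 'QuicAllowed'

function Get-QuicPolicyState {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Not set: per the policy description, QUIC is allowed.
        return [pscustomobject]@{ Hive = $Hive; Value = $null; QuicAllowed = $true }
    }
    $value = $item.$ValueName
    # Any non-zero DWORD is treated as "true" (QUIC allowed).
    [pscustomobject]@{ Hive = $Hive; Value = $value; QuicAllowed = ($value -ne 0) }
}

if ($Enforce) {
    # Writing under HKLM requires an elevated session.
    $path = "HKLM:\$SubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Report the state of each hive separately.
$states = 'HKLM', 'HKCU' | ForEach-Object { Get-QuicPolicyState -Hive $_ }
$states | Format-Table -AutoSize

# Exit non-zero when neither hive disables QUIC, so the script can gate a compliance check.
if (-not ($states | Where-Object { -not $_.QuicAllowed })) {
    Write-Warning 'QuicAllowed is not set to 0 in HKLM or HKCU; Chrome may use QUIC.'
    exit 1
}
```

Run without parameters to audit only. Chrome must be relaunched before a changed policy value takes effect.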


Disabling QUIC in Opera

You can manually disable QUIC in Opera using the Experimental QUIC protocol (#enable-quic) flag:

  1. In the address bar, type:  opera://flags
  2. Search for 'QUIC'
  3. Set the Experimental QUIC protocol flag (#enable-quic) to Disabled
  4. Relaunch Opera for the setting to take effect.


keywords:
quic; chrome; opera; cloud; proxy; udp; browser; endpoint; protocol; experimental; google; youtube
