G Suite and Web Proxies
Web Proxies offer many advantages when handling traditional web traffic; however, proxies have been shown to degrade the G Suite user experience with little to no benefit.
Most organisation networks utilize an Internet proxy to control and optimize web traffic destined for the Internet. Proxies play an important role in restricting or allowing connections to certain websites, network addresses, protocols, etc. Additionally, web proxies typically cache frequently downloaded content (e.g. images and stylesheets) in order to optimize the use of the company's Internet connection.
Proxies offer many advantages when handling traditional web traffic; however, proxies have been shown to degrade the G Suite user experience with little to no benefit. This article describes two common ways to identify G Suite related traffic and subsequently route that traffic around the proxy to improve user experience.
2. Reasons to bypass a Proxy
Proxies act as a middleman between a user’s device accessing G Suite and the organisation’s network ingress and egress points. Because explicit and implicit proxies intercept every browser request to G Suite, G Suite performance is degraded by the latency the proxy adds in handling these connections.
Proxies also add an additional layer in troubleshooting issues with G Suite implementations. Since G Suite is a modern web 2.0 application, the first variable to remove in troubleshooting a network related issue is the Proxy.
User experience and speed
The HTTP/1.1 specification allows for a maximum of two connections per hostname for any client. If the browser adheres to the specification, this means client machines can make two connections to the proxy for data. However, if there were no proxy between the user and G Suite, where data and content are hosted on multiple hostnames, users could issue multiple requests, thus increasing performance. Additionally, like many modern web 2.0 applications, G Suite generates many connections to hosts outside your network, which increases proxy capacity requirements. Proxies must handle the additional load and can become a single point of failure for G Suite users.
Visibility of Encrypted Traffic
Since G Suite HTTP traffic is encrypted using TLS/SSL, proxies provide limited benefits to an enterprise as it relates to G Suite traffic.
Proxies are well suited to handle unencrypted web traffic such as HTTP traffic because the entire content of a user’s request is visible to the proxy.
However, proxies have very limited visibility of encrypted web traffic. For example, if the user visits the encrypted version of Google Search, https://encrypted.google.com/search, the proxy will simply tunnel the request to the requested host.
3. G Suite Network Traffic
It is important to understand what G Suite traffic looks like on our network.
Google IPv4 Addresses
The Networking Best Practices guide states that there is a set of Google IPv4 addresses which serve both G Suite and other Google products, including consumer products such as Gmail and Picasa.
To acquire this list we can run the “dig” command (or any other DNS tool) to query the “TXT” record for “_netblocks.google.com”.
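The TXT record uses SPF syntax (`ip4:` terms in CIDR form), while the PAC function isInNet() discussed later takes a dotted netmask. The following added example, which is not part of the original guide, converts one form to the other; the record text is a constructed sample using documentation ranges, and the function names are hypothetical.

```javascript
// Constructed sample in SPF syntax; the real record's ranges will differ.
const SAMPLE_TXT = '"v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.128/25 ip6:2001:db8::/32 ~all"';

// Convert a prefix length (0-32) to a dotted netmask for isInNet().
function prefixToMask(bits) {
  const n = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Extract the ip4: terms from a TXT answer as printed by dig.
function parseNetblocks(txt) {
  // A TXT record may be split into several quoted strings; they are
  // concatenated without a separator before the terms are read.
  const joined = txt.replace(/"\s+"/g, "").replace(/"/g, "").trim();
  const blocks = [];
  for (const term of joined.split(/\s+/)) {
    const m = /^ip4:(\d{1,3}(?:\.\d{1,3}){3})(?:\/(\d{1,2}))?$/.exec(term);
    if (!m) continue; // v=spf1, ip6:, include:, ~all and so on
    const bits = m[2] === undefined ? 32 : Number(m[2]);
    const octets = m[1].split(".").map(Number);
    if (bits > 32 || octets.some((o) => o > 255)) {
      throw new Error("malformed ip4 term: " + term);
    }
    blocks.push({ net: m[1], mask: prefixToMask(bits), cidr: m[1] + "/" + bits });
  }
  return blocks;
}

// Print [net, mask] pairs ready to paste into a PAC file.
for (const b of parseNetblocks(SAMPLE_TXT)) {
  console.log(JSON.stringify([b.net, b.mask]) + "  // " + b.cidr);
}
```

Re-run the query on a schedule and regenerate the list, since the published ranges change over time.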
Google Global Cache (GGC)
The Networking Best Practices guide also notes that G Suite participates in the Google Global Cache (GGC) in order to deliver Google content and services as close to the users as possible. This means it is likely that connections to Google will be to IP addresses not contained in _netblocks.google.com. With this in mind, it is best to supplement IPv4 addresses with wildcarded hostnames in cases of network redirection.
4. Bypassing a proxy
Web Proxies are enforced implicitly through network routing or explicitly through configuration changes to a browser or Operating System. Whether the proxy is enforced explicitly or implicitly determines the method used to bypass it. Below are two common proxy implementations:
4.1 Explicit Proxies
Proxy auto-config files (PAC)
In this example, let’s use the isInNet(host, pattern, mask) function, which resolves a URL hostname to an IP address and tests whether it belongs to the subnet specified by the mask.
When the browser requests a page from a host that makes this function evaluate to true, the configuration file will instruct the browser to use a direct connection to that host. In this case, the machine will use DNS to resolve the IP address of the destination host and use its default gateway to access that host. In most companies, the default gateway will be a router or firewall and is given to the client typically through DHCP. Take special precaution to ensure your clients know how to reach external networks through a default gateway or pre-defined route.
If the function returns false, the browser sends the request to the defined proxy, e.g. “proxy.company.com:8080”.
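A PAC file of the kind described in this section, as an added example that is not from the original guide. The IP ranges are documentation placeholders to be replaced with the blocks from _netblocks.google.com, the hostname patterns are an assumed list, and the shim exists only so the file can be exercised offline with Node (browsers supply isInNet, dnsResolve and shExpMatch themselves).

```javascript
// Placeholder ranges (RFC 5737 documentation blocks); replace them with the
// ip4: entries from the _netblocks.google.com TXT record.
var DIRECT_NETS = [
  ["192.0.2.0", "255.255.255.0"],
  ["198.51.100.0", "255.255.255.0"]
];
// Wildcarded hostnames (assumed list) cover GGC nodes outside the published ranges.
var DIRECT_HOSTS = ["google.com", "*.google.com"];
var PROXY = "PROXY proxy.company.com:8080";

// Shim for offline testing under Node only; remove before deployment.
if (typeof isInNet === "undefined") {
  var SAMPLE_DNS = { "svc.example.test": "192.0.2.25", "news.example.test": "203.0.113.7" }; // constructed
  var ipToInt = function (ip) {
    return ip.split(".").reduce(function (acc, o) { return acc * 256 + Number(o); }, 0);
  };
  globalThis.dnsResolve = function (host) { return SAMPLE_DNS[host] || null; };
  globalThis.isInNet = function (host, net, mask) {
    var ip = /^\d+(\.\d+){3}$/.test(host) ? host : dnsResolve(host);
    if (!ip) return false;
    var m = ipToInt(mask);
    return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  };
  globalThis.shExpMatch = function (str, pat) {
    var re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
}

function FindProxyForURL(url, host) {
  var i;
  host = host.toLowerCase();
  // Hostname patterns first: matching them needs no DNS lookup.
  for (i = 0; i < DIRECT_HOSTS.length; i++) {
    if (shExpMatch(host, DIRECT_HOSTS[i])) return "DIRECT";
  }
  // isInNet() resolves the hostname and tests the address against net/mask.
  for (i = 0; i < DIRECT_NETS.length; i++) {
    if (isInNet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  }
  return PROXY; // everything else goes to the proxy
}
```

Because shExpMatch patterns match the whole hostname, a look-alike name such as google.com.example.test does not qualify for the direct route and still goes to the proxy.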
4.2 Implicit Proxies
If your organization does not make use of a proxy auto-configuration file, then an acceptable solution might be to change the route Google-destined traffic takes through your network. This can be accomplished by identifying the destination IPv4 address of IP packets on your network and making decisions to not route that traffic to the web proxy.
Typical proxy redirection is done through Web Cache Communication Protocol and policy-based routing. Routing G Suite traffic around proxies in these configurations is simply a matter of creating an exception.
Web Cache Communication Protocol (WCCP)
Most companies today use WCCP to direct their users to a web proxy implicitly. To bypass this, try creating a WCCP service group and corresponding access list to direct users accessing the Google IPv4 addresses to the firewall/gateway. We could use the Google IPv4 addresses to match the destination IP address and create a redirect-list.
If your organization uses policies to determine which route certain types of traffic take on your network, e.g. in Cisco IOS, then create a ‘route-map’ that matches the Google IPv4 addresses and sends that traffic directly to your firewall/gateway instead.