Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Android Google account setup not being permitted

  • 1.  Android Google account setup not being permitted

    Posted Dec 01, 2015 05:24 AM

    Our current list of allowed Google destinations is fairly extensive, but I'm sure it was put together from various posts, KB articles or TAC advice... but we are again seeing issues, so not sure if something has been changed.

     

    Although activated Android devices can be onboarded OK, if you try to set up a new one, you aren't able to set up a Google account; the page simply doesn't display to allow you to do this.  This must vary from device to device, as some seem to work OK, but a recent batch of Samsung Galaxy Tab A's won't.  You go to set up your Google account, and just get a blank page...

     

    Are we missing something from this list? I rather suspect some of what is on it doesn't even need to be on it, but it had been working fine...

     

    play.google.com
    android.clients.google.com
    *.ggpht.com
    support.google.com
    clients3.google.com
    clients4.google.com
    dl.google.com
    apis.google.com
    play.googleapis.com
    www3.l.google.com
    plus.google.com
    *.l.googleusercontent.com
    *.gvt1.com

    I'm sure you even used to be able to install QuickConnect without having a Google account set up on the device, but you can't do this either, as this also presents you with the Google Account page, which can't sign in as it has a problem communicating with the servers... so we must be missing something off this list.



  • 2.  RE: Android Google account setup not being permitted

    Posted Dec 01, 2015 11:53 AM

    I'm sharing a list for Play/iTunes from a recent project we just completed... Now I'm not sure how this can/may/will change outside of NA and the effects of regional CDNs, but the below was a list from like two weeks back.

     

    netdestination APPLE-ITUNES
      name *.apple.com
      name *.verisign.com
      network 17.0.0.0 255.0.0.0
      name *.akamaitechnologies.com
      name *.edgekey.net
      name *.akadns.net
      name *.aaplimg.com
      name *.icloud.com
      name *.mzstatic.com
      name *.itunes.com
      name *.akamai.net
      name apple.com
     
      
    netdestination GOOGLE-PLAY
      name *.android.clients.google.com
      name *.ggpht.com
      name *.gstatic.com
      name *.accounts.google.com
      name *.clients1.google.com
      name *.clients2.google.com
      name *.clients3.google.com
      name *.clients4.google.com
      name *.i.ytimg.com
      name *.google-analytics.com
      name *.android.l.google.com
      name *.mtalk.google.com
      name *.clients.l.google.com
      name *.googleapis.com
      name *.play.google.com
      name *.1e100.net
      name *.gvt1.com
      name *.l.googleusercontent.com
      name *.ggpht.net
      name android.clients.google.com
      name ggpht.com
      name gstatic.com
      name accounts.google.com                        
      name clients1.google.com                        
      name clients2.google.com                        
      name clients3.google.com                        
      name clients4.google.com                        
      name i.ytimg.com
      name google-analytics.com
      name android.l.google.com
      name mtalk.google.com
      name clients.l.google.com
      name googleapis.com
      name play.google.com
      name 1e100.net
      name gvt1.com
      name l.googleusercontent.com
      name ggpht.net
     
     
    HTH


  • 3.  RE: Android Google account setup not being permitted

    Posted Dec 02, 2015 04:31 AM

    I'd hoped that would fix it, it's an extensive list, thanks!.. but I just get a page saying "Just a sec..." then... "there was a problem communicating with Google Servers".

     

    I've monitored the connection on our firewall, and see nothing being blocked.. so I can only assume whatever is trying to happen isn't getting that far...

     

    What ports are you allowing for the above list?

     

    Update...

    OK, so after some further investigation.. If I try to onboard my device that already has a Google account set up, I can get to the Play Store, install QuickConnect and onboard.. happy days.. but this was always the case.  What I can't do is go to Accounts and set up a new Google account; it just can't talk to the Google servers.  On one device it stated it couldn't get to accounts.google.com, so I added that, and I also did a packet capture on one device and saw nearly all the traffic generated when trying to add an account go to the already added 1e100.net domain, but it still won't work.

     

    Head, bang, brick wall!
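
Added example, not part of the original thread: a short Python check of which hostnames seen in a client packet capture are not covered by the `name` entries of a netdestination list like the one in post 2. The config excerpt and the observed hostnames are constructed samples, and the wildcard semantics (`*.x` covers subdomains only, a bare name matches exactly) are an assumption, not confirmed ArubaOS behaviour.

```python
# Constructed excerpt in the thread's netdestination syntax (not the full list).
CONFIG = """\
netdestination GOOGLE-PLAY
  name *.googleapis.com
  name *.gstatic.com
  name gstatic.com
  name *.1e100.net
  name android.clients.google.com
  name accounts.google.com
"""

# Constructed hostnames standing in for DNS queries seen in a client capture.
OBSERVED = [
    "accounts.google.com",
    "www.googleapis.com",
    "googleapis.com",
    "ssl.gstatic.com",
    "connectivitycheck.example.net",
]


def parse_netdestinations(text):
    """Return {alias: [name patterns]} from netdestination blocks."""
    aliases, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("netdestination "):
            current = line.split(None, 1)[1]
            aliases[current] = []
        elif line.startswith("name ") and current is not None:
            aliases[current].append(line.split(None, 1)[1].lower())
    return aliases


def matches(pattern, host):
    """Assumed semantics: '*.x' covers subdomains of x only; bare 'x' is exact."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


def uncovered(aliases, hosts):
    """Hostnames that no pattern in any alias matches."""
    patterns = [p for names in aliases.values() for p in names]
    return [h for h in hosts if not any(matches(p, h) for p in patterns)]


if __name__ == "__main__":
    for host in uncovered(parse_netdestinations(CONFIG), OBSERVED):
        print("not whitelisted:", host)
```

Feeding it the real query names exported from a capture, and the full list from the controller, shows at a glance which destinations the pre-authentication role would still drop.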



  • 4.  RE: Android Google account setup not being permitted

    Posted Dec 03, 2015 09:17 AM

    Could someone who has a similar setup test to see if they can add a Google account to their device, whilst in the captive portal role, pre-authentication?  The two devices I have tried both do the same and fail to display the Google Account login page.  They are running 5.0.2.

     

    Adding that list does allow a fair bit of access to "google", including the ability to access the Play Store; however, this can only be done with a Google account that we can't set up during this process.



  • 5.  RE: Android Google account setup not being permitted

    Posted Dec 09, 2015 07:21 AM

    Could this be anything to do with HSTS and captive portals??

     

    If I'm in the captive portal role, which has the above list applied to both the CP whitelist and the user role.. I can access a lot of Google due to the above exceptions, but I can't actually sign in to a Google account or create a new one.

     

    I had assumed that adding this list to the CP whitelist would essentially bypass the HSTS issue, but it seems not for signing in/creating accounts.  I get an error about not being able to connect to accounts.google.com, and when I look at the extra info, it references HSTS, despite the fact that I have added this domain to the list.

     

    Is anyone able to test/confirm that when they are in the captive portal role they can't add a Google account to their device?