How to Allow Google Services via Zscaler (Firewall & Proxy Configuration)
Overview
To ensure seamless access to Google Meet when traffic is routed through a Zscaler security service, specific firewall and proxy configurations must be implemented.
This article describes the required allow-listing of ports, domains/URIs, and IP address ranges to prevent service disruptions and maintain quality of experience. (Google Help)
❗Why This Is Required
Google services use a combination of web traffic (HTTPS), media traffic (WebRTC/UDP), and specific IP ranges for real-time features like video and audio. Zscaler’s cloud-based security generally proxies and inspects traffic; however, to avoid issues like blocked connections or degraded meeting quality, administrators must configure rules allowing traffic to Google’s required endpoints. (Google Help)
1. Configure Firewall Policy – Ports
Ensure your firewall and Zscaler proxy allow:
| Traffic Type | Protocol/Ports |
|---|---|
| Media traffic (audio/video) | UDP 3478, UDP 19302–19309 |
Note: If UDP is blocked, traffic will fall back to TCP on port 443, but this may reduce media quality. (Google Help)
2. Allow Access to Google URI Patterns
If filtering or allowlists are enforced, add the following URI/domain patterns:
Essential Domains for Google Meet
meet.google.com
3. Allow Google IP Address Ranges
Google Meet and Workspace media servers may use dynamic IP address ranges for audio and video traffic:
Recommended IP Ranges
| Type | Sample IP Ranges |
|---|---|
| Google Workspace / Meet IPv4 | 74.125.250.0/24, 74.125.247.128/32 |
| Google Meet Consumer IPv4 | 142.250.82.0/24 |
| SNI (TLS) | workspace.turns.goog, meet.turns.goog |
These IPs are subject to change and may vary by region. Always verify against Google’s current published ranges. (Google Help)
4. Zscaler Proxy / PAC File Considerations
- If using Zscaler Client Connector or PAC files, ensure necessary bypass or direct access rules are applied for the domains/IPs above.
- Example PAC rule to bypass Zscaler for Google authentication:

      if (shExpMatch(host, "meet.google.com")) return "DIRECT";

This helps prevent authentication traffic from being intercepted improperly. (Zscaler Help Center)
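A fuller PAC sketch of the bypass described in this section, added here as an example (not Zscaler's or Google's code): it returns DIRECT only for the exact hostnames and sample IPv4 ranges listed on this page and keeps every other destination, including look-alike hostnames, on the proxy. `PROXY_PLACEHOLDER` and the helper names `ipv4ToInt` and `inCidr` are assumptions, and the IP check applies only when the host is an IPv4 literal.

```javascript
// Added example, not Zscaler's or Google's code. Hostnames and ranges are copied
// from this page; PROXY_PLACEHOLDER is a constructed stand-in for your real proxy.
var PROXY_PLACEHOLDER = "PROXY proxy.example.invalid:8080";

// Exact hostnames from sections 2 and 3 (no wildcards, so look-alikes stay proxied).
var DIRECT_HOSTS = ["meet.google.com", "workspace.turns.goog", "meet.turns.goog"];

// Sample IPv4 ranges from section 3; verify against Google's published list.
var DIRECT_CIDRS = ["74.125.250.0/24", "74.125.247.128/32", "142.250.82.0/24"];

// Parse a dotted quad into an unsigned 32-bit integer, or return null.
function ipv4ToInt(text) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the IPv4 integer falls inside the CIDR block.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var base = ipv4ToInt(parts[0]);
  var size = Math.pow(2, 32 - parseInt(parts[1], 10)); // addresses in the block
  return Math.floor(ip / size) === Math.floor(base / size);
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) return "DIRECT";
  }
  var ip = ipv4ToInt(h);
  if (ip !== null) {
    for (var j = 0; j < DIRECT_CIDRS.length; j++) {
      if (inCidr(ip, DIRECT_CIDRS[j])) return "DIRECT";
    }
  }
  return PROXY_PLACEHOLDER; // everything else stays behind the proxy
}
```

Exact string comparison keeps the bypass as narrow as the allow-list itself, so a host such as `meet.google.com.example.net` is still inspected.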
Additional Notes
✔ Using proxies and deep packet inspection (DPI) may interfere with real-time traffic; where possible, permit direct connections for media traffic. (Google Help)
✔ If your environment inspects TLS traffic (SSL inspection), consider excluding or allowing known Google endpoints to avoid certificate issues. (Google Help)