VPN Exemptions for SSL-Pinned Applications

Considerations for SSL-Pinned application compatibility with VPN clients.

Updated over 3 weeks ago

Overview

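Our desktop application employs SSL pinning for enhanced security: it accepts only the certificates it expects from our servers, so communications with them remain secure. However, some VPN clients with SSL inspection enabled, such as ZScaler, decrypt traffic and present their own certificate in place of the server's. The pinning check rejects that substituted certificate, which causes connectivity issues.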

To ensure smooth operation, the following domains need to be exempted from SSL inspection:

  • cdn.createwithplay.com

  • api.createwithplay.com

  • dashboard.createwithplay.com

  • *.googleapis.com

  • *.appspot.com

  • *.firebaseio.com

  • accounts.google.com

ZScaler, along with other VPN solutions, provides options to bypass SSL inspection for specific domains. Below are steps for six major VPN clients to allow these domains and ensure compatibility.


Exempting Domains in ZScaler

ZScaler allows administrators to create Custom URL Categories to bypass SSL inspection for specific domains. Follow these steps:

  1. Log into ZScaler Admin Portal

  2. Navigate to "Administration" → "URL Categories"

  3. Click "Add URL Category"

  4. Enter a Name (e.g., "SSL Pinning Exceptions")

  5. Add the required domains listed above

  6. Save and apply the changes

  7. Navigate to "SSL Inspection" settings

  8. Ensure the new category is exempted from SSL Inspection

  9. Deploy the policy updates


Exempting Domains in Palo Alto GlobalProtect

For users of GlobalProtect with a Palo Alto Networks firewall:

  1. Log into the Palo Alto Networks Admin Interface

  2. Go to "Objects" → "URL Filtering"

  3. Create a new URL Filtering Profile

  4. Add the required domains to the "Allow" list

  5. Navigate to "Policies" → "Decryption"

  6. Create a new decryption rule

  7. Set "Action" to "No Decrypt"

  8. Assign the newly created URL Filtering Profile

  9. Commit and apply the changes


Exempting Domains in Cisco AnyConnect with Umbrella

For Cisco AnyConnect users leveraging Cisco Umbrella:

  1. Log into the Cisco Umbrella Dashboard

  2. Go to "Policies" → "Policy Settings"

  3. Select the policy you wish to modify

  4. Under "SSL Decryption", click "Manage Exceptions"

  5. Add the required domains to the "Exempted Domains" list

  6. Save and apply the changes


Exempting Domains in NordVPN

NordVPN does not perform deep packet inspection or SSL decryption, but if you experience issues:

  1. Open NordVPN and navigate to "Settings"

  2. Disable "Threat Protection" under the security section

  3. Ensure that "Split tunneling" is enabled and add your application to bypass VPN filtering

  4. Restart the application and test connectivity


Exempting Domains in SurfShark

SurfShark also does not perform SSL inspection, but you can still adjust settings:

  1. Open SurfShark and go to "Settings"

  2. Navigate to "Bypass VPN" (Whitelister)

  3. Add your application or domains to the exception list

  4. Save the settings and restart your application


Exempting Domains in Norton Secure VPN

Norton Secure VPN includes security filters that may interfere with SSL pinning. To resolve this:

  1. Open Norton Secure VPN

  2. Go to "Settings" → "Security Features"

  3. Disable "Web Protection" and "Secure VPN Filter"

  4. Restart your application to check connectivity


Conclusion

If you experience connectivity issues while using a VPN, please check whether your VPN client has SSL inspection enabled. If so, follow the steps above to exempt the necessary domains.
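To confirm that an exemption took effect, an administrator can check which CA issued the certificate each host presents from a machine behind the VPN. The script below is an added example, not part of our product or of any VPN vendor's tooling. The function names and the `PROXY_MARKERS` value are assumptions; set the markers to the name of your own inspection CA.

```python
"""Report which CA issued the certificate each pinned host presents."""
import socket
import ssl

# Concrete hostnames from the exemption list above. Wildcard entries such as
# *.googleapis.com need a concrete host chosen by the administrator.
HOSTS = ["cdn.createwithplay.com", "api.createwithplay.com",
         "dashboard.createwithplay.com", "accounts.google.com"]

# Assumption: substrings that identify your inspection CA in the issuer name.
PROXY_MARKERS = ("zscaler",)


def issuer_of(cert):
    """Flatten the issuer field of ssl.getpeercert() into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def classify(issuer, markers=PROXY_MARKERS):
    """Return 'intercepted' if the issuer names the inspection CA, else 'direct'."""
    low = issuer.lower()
    return "intercepted" if any(m.lower() in low for m in markers) else "direct"


def probe(host, port=443, timeout=5.0):
    """Complete a TLS handshake with host and return (verdict, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = issuer_of(tls.getpeercert())
        return classify(issuer), issuer
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this machine: often an inspection CA that is
        # missing from the trust store Python uses.
        return "untrusted", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)


if __name__ == "__main__":
    for h in HOSTS:
        verdict, detail = probe(h)
        print(f"{h:32} {verdict:12} {detail}")
```

A host reported as `intercepted` or `untrusted` is still being decrypted or re-signed on the path, so the exemption for it has not been applied or deployed yet.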

For further assistance, please reach out to your VPN administrator or contact our support team at [email protected].
