Allow access to office 365

Author: danto
2013/08/08 06:22:29 (permalink)


Hi,

I have a strange situation. I have to implement a web filter for a client and he wants to inspect HTTPS traffic as well.

The problem is that once the web filter is applied to HTTPS as well, the client's mail (they use Office 365) and Lync don't work, because they use HTTPS ports as well.

I want to create a rule so that the webfilter profile is not used for that specific traffic, but there is no specific address or FQDN for the destination, as the users configure their Outlook to connect to autodiscover.client.com and the server is not always the same. I raised a ticket with Microsoft for the list of the servers and the answer came like this:

*.microsoftonline.com
*.microsoftonline-p.net
*.microsoftonline-p.com
*.microsoftonlineimages.com
*.microsoftonlinesupport.net
*.msecnd.net
*.msocdn.com
*.office.net
*.office365.com
*.officeapps.live.com
*.outlook.com

Any idea how to bypass the inspection?

Thanks.
#1


    rwpatterson
    RE: Allow access to office 365 2013/08/08 06:28:24 (permalink)
    Create address entities for all those destinations using the FQDN setting (Fully Qualified Domain Name), then either put them all in the destination of a policy, or create a group (much neater), and use that group as the destination. This policy needs to be before the general Internet usage policy in the list. From this point on, any traffic destined to any of those servers will go through this new policy.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    danto
    RE: Allow access to office 365 2013/08/08 07:06:29 (permalink)
    Hi,

    This is exactly what I wanted to do, but does it work with *.outlook.com for example? Will it match, for example, phbiubl456@outlook.com with an FQDN?

    Meanwhile I created a URL exempt for these domains in the webfilter profile. I am waiting to test it.

    Thanks.
    #3
    Dave Hall
    RE: Allow access to office 365 2013/08/08 07:21:14 (permalink)
    In addition to what Bob posted, there are Application Sensors for Lync and I'm pretty sure for MS Exchange as well, that you can apply to either the existing fw policy or the new one (as Bob indicated) with FQDNs, allowing that kind of traffic through.
    post edited by Dave Hall - 2014/10/28 06:16:05

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    #4
    Dave Hall
    RE: Allow access to office 365 2013/08/08 07:27:24 (permalink)
    This is exactly what I wanted to do, but does it work with *.outlook.com for example? Will it match, for example, phbiubl456@outlook.com with an FQDN?

    FQDNs have to be fully resolvable host names. An FQDN for phbiubl456@outlook.com would be the "outlook.com" part. In the case of multiple IPs for the same host name, the FGT is smart enough to include those too (at least in my own testing it does).

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    #5
    rwpatterson
    RE: Allow access to office 365 2013/08/08 07:41:57 (permalink)
    ORIGINAL: danto

    Hi,

    This is exactly what I wanted to do, but does it work with *.outlook.com for example? Will it match, for example, phbiubl456@outlook.com with an FQDN?

    Meanwhile I created a URL exempt for these domains in the webfilter profile. I am waiting to test it.

    Thanks.

    Just use 'outlook.com'. The FGT will accept any domain below that.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #6
    Wayne1
    RE: Allow access to office 365 2013/10/03 05:30:06 (permalink)
    Anyone solved this? We have exactly the same problem and the strange thing is, the FQDN doesn't work.

    For example, we have a policy with ID 1 for HTTPS without SSL Inspection. Everything works so far, as well as the Lync authentication. When we enable SSL Inspection on this policy, we can't authenticate anymore, because of the certificate mismatch.

    So we created a new policy with all the FQDN addresses for Office365 as destination with the ID 133 and placed this policy on the TOP, without SSL Inspection of course. But you know what, all traffic is still going through policy 1 and ignores the new policy 133.

    evsecure-aia.verisign.com
    evsecure-crl.verisign.com
    evsecure-ocsp.verisign.com
    login.microsoftonline.com
    lync.com
    microsoftonline-p.com
    microsoftonline-p.net
    microsoftonline.com
    microsoftonlineimages.com
    microsoftonlinesupport.net
    msecnd.net
    msocdn.com
    office.net
    office365.com
    officeapps.live.com
    officecdn.microsoft.com
    online.lync.com
    onmicrosoft.com
    outlook.com
    sharepoint.com
    our-365-online-domain.com


    After all the troubles I had with 5.0.4 after updating from 4.x and the bad experience I had with Fortinet Support in my last 2 cases, where it took 2 weeks just to get any reaction from them, I have almost lost my trust in Fortinet right now. The support "engineer" really suggested that we reset the FG and start from scratch. He could see our FG has a strange behaviour, but he can't reproduce it in their lab. To get this answer took 4 weeks and plenty of remote sessions.

    Does anyone know if we forgot any FQDN needed for Lync authentication? We checked all the Microsoft TIDs and couldn't find any others than what we have already. But I guess it must be something like that.

     
    FG-200E, FG-200D, FG-100E, FG-60E, FWF-60D, FWF-60E, FAZVM64, Fortimail VM
    #7
    Bromont_FTNT
    RE: Allow access to office 365 2013/10/03 06:06:47 (permalink)

    Looks like there are some misconceptions regarding FQDN address entries in this thread.

    When creating an FQDN firewall address the Fortigate does a DNS lookup for that domain name and caches that IP. The FGT is not smart enough to do wildcard lookups; in fact, in order to achieve this it would need to do a zone transfer, which most DNS servers would reject.

    For illustration purposes I've created two FQDN addresses: microsoft.com and www.microsoft.com

    We can check what IPs the Fortigate has cached for those domain names using "diag firewall fqdn list":

    microsoft.com: ID(67) REF(1) ADDR(65.55.58.201) ADDR(64.4.11.37)
    www.microsoft.com: ID(214) REF(1) ADDR(65.55.57.27)

    As you can see they are different. What's more, for larger domains like microsoft and Outlook.com (and especially google.com) the time you query and the DNS servers you query will yield different results, as these domains host their services on hundreds/thousands of servers. So it is very important that the Fortigate and the client machine query the same DNS server.

    #8
    Wayne1
    RE: Allow access to office 365 2013/10/03 06:17:58 (permalink)
    I see, but I guess that we could change and reduce the cache-ttl for each address to its minimum.

    config firewall address
        edit "BigWebsite.com"
            set cache-ttl 600
        next
    end

    What's the minimum size of the cache-ttl parameter?

     
    FG-200E, FG-200D, FG-100E, FG-60E, FWF-60D, FWF-60E, FAZVM64, Fortimail VM
    #9
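The FQDN caching and top-down policy matching described in post #8, together with the cache-ttl question in post #9, as an added Python model. This is constructed example code, not FortiOS code or anything from the thread; the DNS answers (documentation-range IPs), the two DNS views and the use of policy IDs 133 and 1 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class FqdnAddress:
    name: str
    cache_ttl: int                  # seconds, the 'set cache-ttl' value
    ips: set = field(default_factory=set)
    expires_at: float = 0.0

class FqdnCache:
    """Models the per-address IP cache that 'diag firewall fqdn list' displays."""
    def __init__(self, firewall_dns):
        self.firewall_dns = firewall_dns  # hostname -> IPs, as the firewall's own DNS server answers
        self.addrs = {}

    def add(self, name, cache_ttl=3600):
        self.addrs[name] = FqdnAddress(name, cache_ttl)

    def refresh(self, now):
        for a in self.addrs.values():
            if now >= a.expires_at:  # re-resolve only once cache-ttl has elapsed
                # Exact-name lookup only: '*.outlook.com' resolves to nothing and caches no IPs.
                a.ips = set(self.firewall_dns.get(a.name, []))
                a.expires_at = now + a.cache_ttl

def first_matching_policy(policies, cache, dst_ip):
    """Top-down evaluation, first match wins; fqdn_names=None means any destination."""
    for policy_id, fqdn_names, action in policies:
        if fqdn_names is None or any(dst_ip in cache.addrs[n].ips for n in fqdn_names):
            return policy_id, action
    return None, "implicit-deny"

def scenario():
    # Constructed DNS answers in documentation ranges; real Office 365 IPs differ.
    firewall_dns = {"login.microsoftonline.com": ["203.0.113.10"], "outlook.com": ["203.0.113.20"]}
    cache = FqdnCache(firewall_dns)
    for name in ("login.microsoftonline.com", "outlook.com", "*.outlook.com"):
        cache.add(name, cache_ttl=600)
    cache.refresh(now=0)
    policies = [(133, ["login.microsoftonline.com", "outlook.com", "*.outlook.com"], "no-ssl-inspection"),
                (1, None, "ssl-inspection")]
    same_dns = first_matching_policy(policies, cache, "203.0.113.10")
    other_dns = first_matching_policy(policies, cache, "198.51.100.7")  # client got a different answer
    firewall_dns["login.microsoftonline.com"] = ["198.51.100.7"]  # the authoritative answer changes
    cache.refresh(now=300)
    before_ttl = first_matching_policy(policies, cache, "198.51.100.7")  # cache not yet expired
    cache.refresh(now=600)
    after_ttl = first_matching_policy(policies, cache, "198.51.100.7")  # cache refreshed
    return {"wildcard_ips": cache.addrs["*.outlook.com"].ips, "same_dns": same_dns,
            "other_dns": other_dns, "before_ttl": before_ttl, "after_ttl": after_ttl}
```

The model shows why traffic can fall through to policy 1 even with policy 133 on top: a destination IP the client resolved elsewhere is not in the firewall's cache until the next refresh, and a wildcard name never caches anything. On a real unit the equivalent check is to compare the output of "diag firewall fqdn list" with what the client actually resolves.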
    Socarsky
    Re: RE: Allow access to office 365 2020/03/25 21:35:35 (permalink)
    Office365, mail, calendar etc. looking good now, accessible after I allowed this item.

    Before Office365 platform went wrong...

    #10
    NeilG
    Re: RE: Allow access to office 365 2020/03/26 12:52:02 (permalink)
    You revived a post from 2013?
     
    No, nowadays the pattern is to re-categorize the URLs into a custom category of your own choice. I never use the prebuilt custom1 and custom2, I always create useful custom categories.
     
    So it's common for me to have a Custom-O365services category with
    companyname.sharepointonline.com
    companyname-my.sharepointonline.com
    login.microsoftonline.com
    login.live.com
    outlook.office365.com
    outlook.office.com
    wns.window.com
    officeclient.microsoft.com
    ...
    etc.
    (I can't keep them all in my head)
     
    https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-security-profiles/Web_Filter/Overriding%20FortiGuard%20website%20categorization.htm
     
    #11
    Micky182
    Re: Allow access to office 365 2020/04/01 06:29:11 (permalink)
    Hi danto, did you enable deep inspection in the SSL inspection profile?
    If yes, from the web filter you should also exempt the URL for HTTPS traffic in the Static URL Filter.
    You need to create a new rule, set the action to "exempt" and then "enable" the rule.
    #12