topic Re: Excluding MS Teams from GlobalProtect in GlobalProtect Discussions

Excluding MS Teams from GlobalProtect

securehops — Mon, 28 Jun 2021 00:44:59 GMT

I'm trying to exclude MS Teams traffic from GlobalProtect. We are using the entire O365 platform but I only want to exclude MS Teams. Has anyone been able to successfully get this to work? I found some older community posts but most seemed to have inconsistent results. I'm running PAN OS 9.0.x and GP 5.2.6.

Is excluding "%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe" supported and would that be all that is needed?

I tried something similar with Zoom but when zoom was installed into %USERPROFILE%\AppData\Roaming\Zoom, it did not work. I had to install zoom into C:\Program Files (x86)\Zoom to get that to exclude correctly

Re: Excluding MS Teams from GlobalProtect

MP18 — Mon, 28 Jun 2021 03:44:03 GMT

@securehops

We have MS teams excluded from the GP using URLs

There are lot of urls that need to be excluded and it is working fine for us.

Regards

Re: Excluding MS Teams from GlobalProtect

JoergSchuetter — Mon, 28 Jun 2021 06:39:28 GMT

Hello

The MS-Teams application resides in the user direcetory, hence whitelisting based on the executable might not work here. Whitelisting the executable would also grant access to your sharepoint if it is called by MS-Teams.

In addition to the URLs (plus "Split DNS"), we have added a few IP ranges which are used by MS-Teams for real-time data (audio/video). On the O365 URLs and IP addresses page (https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) they are listed with id 11.

Browsing https://connectivity.office.com/ tells you if the connection took the path you expected.

Best Regards

Joerg

Re: Excluding MS Teams from GlobalProtect

securehops — Mon, 28 Jun 2021 12:55:28 GMT

@JoergSchuetter

I did find this article previously, but seemed like it was too easy to be all that is needed. Are you saying you were able to get it to work by excluding only these IP ranges and ports, 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 with ports 3478,3479,3480,3481?

what the other URLS listed under ID 11 but under the same Skype for Business Online and Microsoft Teams section?

@MP18 mind sharing your list of URLS that you excluded?

Re: Excluding MS Teams from GlobalProtect

JoergSchuetter — Tue, 29 Jun 2021 08:59:50 GMT

We are using the following IDs concerning URLs: 1,3,8,9,11,12,13,16,17,22,127,154

*.broadcast.skype.com
*.keydelivery.mediaservices.windows.net
*.lync.com
*.msecnd.net
*.outlook.office.com
*.protection.outlook.com
*.skypeforbusiness.com
*.streaming.mediaservices.windows.net
*.teams.microsoft.com
ajax.aspnetcdn.com
aka.ms
amp.azure.net
attachments.office.net
autodiscover.<your company here>.onmicrosoft.com
mlccdn.blob.core.windows.net
outlook.office.com
outlook.office365.com
r1.res.office365.com
r3.res.office365.com
r4.res.office365.com
teams.microsoft.com

Re: Excluding MS Teams from GlobalProtect

securehops — Tue, 29 Jun 2021 15:16:37 GMT

Thanks for the info. Based on some of the URLs you posted, there are exclusions other than MS Teams in there, which I can't have

So far, I have only excluded these optimized ranges 13.107.64.0/18 ,52.112.0.0/14,52.120.0.0/14. Seems to be working okay for the most part, although I still see a little traffic for IPs within these ranges on the firewall

Re: Excluding MS Teams from GlobalProtect

JoergSchuetter — Tue, 29 Jun 2021 17:16:35 GMT

The traffic you are seeing stems from the fact that MS-Teams sends connection probes via all interfaces (GP-Interface and LAN-Interface). It will pick the interface it identifies as "better".

Re: Excluding MS Teams from GlobalProtect

securehops — Tue, 29 Jun 2021 17:34:47 GMT

Good point!