topic Re: Access only to Office 365 in General Topics

Access only to Office 365

spopovic — Thu, 05 Jun 2014 10:57:05 GMT

Hi,

We have many client computers with no internet access (only intranet and email).

Since we are migrating our email to Office 365, client computers need access to Office 365 (via Outlook and Web browser). Not only mail services, but also licensing, onedrive, ... - the full scope of MS Office 365 services.

How can we achieve that?

Thanks.

Re: Access only to Office 365

Satish — Fri, 06 Jun 2014 04:10:38 GMT

Hi..Spopovic,

you can create

Policy objects.

The firewall operates on abstract objects so that an end-point can be an object defined as:

A host with a 32 bit subnet mask
A network
A named object
A member of a group
A user
A service or group of services
Applications

Rules can be very general, and very specific. More specific rules precede general rules.

How are applications identified?

There are four technologies involved:

Protocol decoder
Protocol decryption
Application signature
Heuristics

How do I manage so many applications?

The Palo Alto firewall has a Graphical User Interface available through a standard web browser. One of the GUI screens provides the following search-able organizational categories:

Category - (like business, networking...)
Sub category - (like email, gaming...)
Technology - (like browser or peer-to-peer)
Characteristic - (like 'evasive' or 'tunnels other applications')
Risk level.

The risk level is a finger-in-the air enumeration which loosely categorizes how risky is the application. These risk levels are customizable, but there is little point in trying to do so since a new set of application signatures could upset your particular impression of risk, and trying to single-handedly manage all the risk levels raises some serious administrative overhead.

You can search applications by name, select by groups, manage the content of groups, and create a filter which dynamically generates a group.

Specific applications, statically defined groups, and dynamically generated groups can each be used in the policy.

The huge advantage of this approach is how it reduces the firewall administrator's overhead in maintaining policy. If your corporate security policy says, 'Deny Instant Messaging (IM)', then it's easy to create a dynamic rule called 'Instant messaging' and use that in a single deny rule. If a new IM technology is invented, then it will be included in the next application signature release, and the security policy requires no changes.

or many more please visit : - How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

Re: Access only to Office 365

Rodolfo_Cipher — Fri, 14 Nov 2014 21:08:39 GMT

I also need to know how to allow Office365-related traffic ONLY.

Satish, I do understand how the firewall works, with all the objects and such.

The question is more specific.

I have a Policy for a specific User Group that enables Office365 and related apps.

When enabling Office365, I need to also enable web-browsing.

When web-browsing is enabled, hosts that should only access Office365-related destinations are also able to access other web-sites.

I can use URL Category blocking to deny access to all categories, and for that I would need to create a "whitelist" through Custom URL Category list allowing Office365-related URLs.

That is a bad method - I don't know all the microsoft-related URLs, and can't expect microsoft to not change their service's URLs.

What would be the recommended implementation method ?

Thank you,

Rodolfo

Re: Access only to Office 365

cpainchaud — Sat, 15 Nov 2014 19:24:25 GMT

Three choices for you:

Use SSL Decryption
Create a custom URL category with microsoft/office365 URLs.
Ask Microsoft for a list of IP ranges to allow

There is no other solution.

Re: Access only to Office 365

Rodolfo_Cipher — Sun, 16 Nov 2014 08:13:09 GMT

I was really hoping to resolve this at the application filter level, without having to resort to URL filters.

I understand web-browsing has to be enabled in order to allow enough traffic to identify applications (i.e. office365, facebook, etc), however it would be awesome if there was a signature to match ´standard web browsing' - that is, traffic that hasn't been associated to a specific application after X amount of packets in a session (or ssession group).

This way it'd be possible to filter this kind of traffic out, effectively allowing only the specific needed applications.

RFE ? Feasable at all?

Re: Access only to Office 365

cpainchaud — Sun, 16 Nov 2014 09:21:51 GMT

it works the way you describe but only but a few application like Facebook. For other you have to go this way unfortunately as of now.

Re: Access only to Office 365

lewis — Mon, 17 Nov 2014 14:38:34 GMT

We have managed to do this by creating FQDN's for the Microsoft email servers and also a custom URL category.How we have achieved this is with 2 security rules.

First Security Rule: which allows users to the Microsoft email domains (FQDNs) on specific applications

Second Security Rule: allows users to a specific custom url group (blacked out is the custom URL group we used for our customer) .

You should observe traffic of users who generate only this traffic to fully understand if you are missing a service, port, server (FQDN), and or URL. (This took one of co-workers a good amount of time to wrap a fence around it)

Re: Access only to Office 365

r37775 — Mon, 01 Dec 2014 22:26:01 GMT

This is a very clean way to create the policy. We didn't use the FQDN objects because of some internal issues. We ended up allowing all of the MS subnets listed here: Office 365 URLs and IP address ranges. The issue is that this list does change. We experienced an issue with it recently. Due to our size we also needed to use a source NAT pool to ensure MS didn't exceed TCP port limitations.

Question. How did you confirm the entire list of FQDN entries required for your rule?

Re: Access only to Office 365

lewis — Tue, 02 Dec 2014 11:46:47 GMT

@r37775 Lets just say I have a very dedicated co-worker who put a good amount of time in to review the traffic logs. Knock on wood we have not had any calls indicating a user can not get to their mail.But in the event we did miss one or a new one is added by MS it should be a quick fix.