topic Re: Office 365 Powershell Decryption Error in General Topics

Office 365 Powershell Decryption Error

CastawayKid — Fri, 23 Mar 2018 20:17:42 GMT

I'm testing decryption on our PA-3020 and have found my Office 365 Powershell licensing script is failing to connect with the following error message:

New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :
WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (12175) is: A
security error occurred . For more information, see the about_Remote_Troubleshooting Help topic.

I've tried adding an FQDN based Address object for "ps.outlook.com" and assigning it to a No Decrypt rule, but that has not helped.

In the Monitor -> Traffic tab, I see what I think is the corresponding log entry, stating that application soap on port 443 had a session end reason of decrypt-error. The destination address is a Microsoft address, but does not have a DNS reverse lookup entry.

Re: Office 365 Powershell Decryption Error

BPry — Fri, 23 Mar 2018 21:04:30 GMT

@CastawayKid,

First and foremost the best way to do this is with a custom URL Cateogry; then add the associated URLs into that new entry. Like this.

              <entry name="No-Decrypt">
                <list>
                  <member>ps.outlook.com</member>
                </list>

Then you'll need to create another decryption policy that is setup with an action of no-decrypt, placed higher in your decryption policies than your existing policy.

So essentially it would look like this.

                <entry name="No-Decrypt - LTSB">
                  <category>
                    <member>No-Decrypt</member>
                  </category>
                  <service>
                    <member>any</member>
                  </service>
                  <type>
                    <ssl-forward-proxy/>
                  </type>
                  <from>
                    <member>inside</member>
                  </from>
                  <to>
                    <member>outside</member>
                  </to>
                  <source>
                    <member>yourip</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <action>no-decrypt</action>
                </entry>

And that should do it. It will now looks specifically for the ps.outlook.com entry, and this will bypass decryption.

Re: Office 365 Powershell Decryption Error

Mick_Ball — Mon, 26 Mar 2018 09:50:00 GMT

@BPry, Hi...

are you saying that placing this in a url category will act differently than adding it dirctly as an address object or did you miss this part by @CastawayKid.,,,

I've tried adding an FQDN based Address object for "ps.outlook.com"

Re: Office 365 Powershell Decryption Error

BPry — Mon, 26 Mar 2018 12:49:26 GMT

@Mick_Ball,

If you add an FQDN based object it will resolve to a set of IP addresses; however when your working with Microsoft there are so many addresses that FQDN doesn't always work for all of them. It's better in these instances to simply utilize a URL Category.

Re: Office 365 Powershell Decryption Error

Mick_Ball — Mon, 26 Mar 2018 13:04:44 GMT

@BPry, nice one, many thanks for the info...

is this documented anywhere or just something you've learned along the way....?

Re: Office 365 Powershell Decryption Error

BPry — Mon, 26 Mar 2018 13:11:42 GMT

@Mick_Ball,

Something that I've picked up along the way. I think that the article below that @reaper wrote a while back puts a lot of the limits of FQDN objects in place however. The biggest thing with FQDN is that it limits the IPs to the first 10 addresses that it receives in the DHCP request; when working with larger FQDN objects (like anything Microsoft or AWS) then you're generally working with a lot more addresses than that.

LINK

Re: Office 365 Powershell Decryption Error

Mick_Ball — Mon, 26 Mar 2018 13:22:44 GMT

@BPry, superb, thanks again...

Just one last question,........ if any , what would be a preference between URL category and DAG?

Re: Office 365 Powershell Decryption Error

Mick_Ball — Mon, 26 Mar 2018 13:43:54 GMT

OK put that on hold for now...

I really need to understang DAG's first so will keep reading.

Re: Office 365 Powershell Decryption Error

BPry — Mon, 26 Mar 2018 13:48:23 GMT

@Mick_Ball,

Almost any time I'm working with external objects I'll utilize a URL Category over DAG. I utilize DAG a lot for things like printer groups, remote offices, and stuff like that so I don't have to sit and update all of the necessary security policies.