topic Re: ggranular sharepoint filtering in General Topics

ggranular sharepoint filtering

SThatipelly — Tue, 13 Feb 2018 03:10:55 GMT

I am trying to implement granular url filtering within sharepoint site but firewall is considering it as a generic. Eg: https://xyz.sharepoint.com/pages/department/* is the url I want to allow and block rest of sharepoint. Whenever I try this link,Firewall is taking it as https://xyz.sharepoint.com/ I did test by enabling ssl decryption but of no use.

I was also wondering if sharepoint links are different from weblinks? Eg:libraries or so. please help.

Re: ggranular sharepoint filtering

Remo — Wed, 14 Feb 2018 19:50:40 GMT

TLS decryption is definately needed when you want to do this.

What does your security policy look like when your saying that you only see xyz.sharepoint.com? I assume that you have an URL profile applied to your securitypolicy where you have enabled the setting "Log container page only". Try to disable that and then check again your URL Logs (attention this could generate a lot more logs, so you might want to create a new rule for your IP only where you apply an URL profile with that setting disabled.

But what you actually need is probably some more rules with custom URL profiles. Like the following:

Allow rule with a custom URL category where you allow xyz.sharepoint.com/document
Deny rule with another custom URL category xyz.sharepoint.com
Probably your default web browsing policy

In the first rule there are may be some other entries required for xyz.sharepoint.com to function properly and keep in mind that you want to configure these custom URL categories directly in your securityrule and not in an URL profile that you attach to that rule.

Hope this helps. If not, feel free to ask again 😉

Re: ggranular sharepoint filtering

SThatipelly — Thu, 15 Feb 2018 14:41:10 GMT

Yes. Thank you for the susggestion. I had those rules enabled but the problem is there are infinite number of microsoft destinations that a machine reaches out to before authenticating to sharepoint.

As we have explixcit deny all rule at the end, I am running into this problem. You would think identifying microsoft IPs and allow them before deny all rule would fix this?

Re: ggranular sharepoint filtering

OtakarKlier — Thu, 15 Feb 2018 15:16:38 GMT

Hello,

While whitelisting the IP's would, they are dynamic and change. Probably would be better to use DNS names. Another thing could be to use application filtering so only 'sharepoint' apps can get to those sites?

Just a few thoughts.

Re: ggranular sharepoint filtering

SThatipelly — Thu, 16 Aug 2018 20:14:41 GMT

I tried doing this filtering earlier today. Sharepoint redirects the users through many urls that it has become impossible to create a good url filtering policy. Please help if you have done anything like this before.

Thanks.

Re: ggranular sharepoint filtering

Remo — Sun, 19 Aug 2018 08:06:17 GMT

External urls where users have to chlick on a link to get there or redirects initiated by the sharepoint website?

Re: ggranular sharepoint filtering

SThatipelly — Mon, 20 Aug 2018 15:17:51 GMT

@Remo no. Redirects from a link on a document to company's sharepoint site.

Re: ggranular sharepoint filtering

Remo — Tue, 21 Aug 2018 23:37:30 GMT

@SThatipelly

If you really want to restrict the access to this sharepoint website, then you probably don't have an alternative other than manually build the filterlist that you allow. Maybe it is possible to use wildcards or do something with regex (with a custom App-ID).

If there is now way because the urls are in no way configurable when there are too much, then an alternative would be a blacklist category where you configure alle the urls that the users should not be able to reach on that sharepoint website.