Access only to Office 365

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Access only to Office 365

Not applicable

Hi,

We have many client computers with no internet access (only intranet and email).

Since we are migrating our email to Office 365, client computers need access to Office 365 (via Outlook and Web browser). Not only mail services, but also licensing, onedrive, ... - the full scope of MS Office 365 services.

How can we achieve that?

Thanks.

8 REPLIES 8

L4 Transporter

Hi..Spopovic,

you can create

Policy objects.

The firewall operates on abstract objects so that an end-point can be an object defined as:

  • A host with a 32 bit subnet mask
  • A network
  • A named object
  • A member of a group
  • A user
  • A service or group of services
  • Applications

Rules can be very general, and very specific. More specific rules precede general rules.

How are applications identified?

There are four technologies involved:

  1. Protocol decoder
  2. Protocol decryption
  3. Application signature
  4. Heuristics

How do I manage so many applications?

The Palo Alto firewall has a Graphical User Interface available through a standard web browser. One of the GUI screens provides the following search-able organizational categories:

  • Category - (like business, networking...)
  • Sub category - (like email, gaming...)
  • Technology - (like browser or peer-to-peer)
  • Characteristic - (like 'evasive' or 'tunnels other applications')
  • Risk level.

The risk level is a finger-in-the air enumeration which loosely categorizes how risky is the application. These risk levels are customizable, but there is little point in trying to do so since a new set of application signatures could upset your particular impression of risk, and trying to single-handedly manage all the risk levels raises some serious administrative overhead.

You can search applications by name, select by groups, manage the content of groups, and create a filter which dynamically generates a group.

Specific applications, statically defined groups, and dynamically generated groups can each be used in the policy.

The huge advantage of this approach is how it reduces the firewall administrator's overhead in maintaining policy. If your corporate security policy says, 'Deny Instant Messaging (IM)', then it's easy to create a dynamic rule called 'Instant messaging' and use that in a single deny rule. If a new IM technology is invented, then it will be included in the next application signature release, and the security policy requires no changes.

or many more please visit : - How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

I also need to know how to allow Office365-related traffic ONLY.

Satish, I do understand how the firewall works, with all the objects and such.

The question is more specific.

I have a Policy for a specific User Group that enables Office365 and related apps.

When enabling Office365, I need to also enable web-browsing.

When web-browsing is enabled, hosts that should only access Office365-related destinations are also able to access other web-sites.

I can use URL Category blocking to deny access to all categories, and for that I would need to create a "whitelist" through Custom URL Category list allowing Office365-related URLs.

That is a bad method - I don't know all the microsoft-related URLs, and can't expect microsoft to not change their service's URLs.

What would be the recommended implementation method ?

Thank you,

Rodolfo

Three choices for you:

  • Use SSL Decryption
  • Create a custom URL category with microsoft/office365 URLs.
  • Ask Microsoft for a list of IP ranges to allow

There is no other solution.

Not applicable

I was really hoping to resolve this at the application filter level, without having to resort to URL filters.

I understand web-browsing has to be enabled in order to allow enough traffic to identify applications (i.e. office365, facebook, etc), however it would be awesome if there was a signature to match ´standard web browsing' - that is, traffic that hasn't been associated to a specific application after X amount of packets in a session (or ssession group).

This way it'd be possible to filter this kind of traffic out, effectively allowing only the specific needed applications.

RFE ? Feasable at all?

it works the way you describe but only but a few application like Facebook. For other you have to go this way unfortunately as of now.

L4 Transporter

We have managed to do this by creating FQDN's for the Microsoft email servers and also a custom URL category.How we have achieved this is with 2 security rules.

First Security Rule: which allows users to the Microsoft email domains (FQDNs) on specific applications

d1.PNG

Second Security Rule: allows users to a specific custom url group (blacked out is the custom URL group we used for our customer) .

d2.PNG

You should observe traffic of users who generate only this traffic to fully understand if you are missing a service, port, server (FQDN), and or URL. (This took one of co-workers a good amount of time to wrap a fence around it)

This is a very clean way to create the policy.  We didn't use the FQDN objects because of some internal issues.  We ended up allowing all of the MS subnets listed here:  Office 365 URLs and IP address ranges.  The issue is that this list does change.  We experienced an issue with it recently.  Due to our size we also needed to use a source NAT pool to ensure MS didn't exceed TCP port limitations.

Question.  How did you confirm the entire list of FQDN entries required for your rule?

@r37775 Lets just say I have a very dedicated co-worker who put a good amount of time in to review the traffic logs. Knock on wood we have not had any calls indicating a user can not get to their mail.But in the event we did miss one or a new one is added by MS it should be a quick fix.

  • 7403 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!