Allow Office 365 not getting desired results...


Hi,

We recently moved over to a full O365 solution and I am trying to customise the ruleset to Allow for O365 traffic when all other traffic is blocked.

Unfortunately I have hit a wall and cannot seem to get the application to be allowed. I am hoping one of you can point out what I have done wrong and how to correct it.

I have used Addresses (with FQDN) and Address Groups where I have defined all the sites that MS states are required. List is here: Office 365 URLs and IPs [Ideally I'd avoid using IPs as these are subject to change. 😉 ]

I then changed the top level policy to allow for the Address Group.

In testing, the client pc is able to start Office and receives the login screen but no login is able to complete. In the Monitor of PAN it details Destination as an IP and Application as "not-applicable"

I have also tried using the predefined Application setting (ms-office365), but then on the client pc it does not even resolve to the login screen, just displaying a bland "Unable to connect" pop-up.

Thanks in advance for any advice!

Details:

That's what we did...Just dumped the URLs into a custom URL Category.

Still not getting the desired results. 😞

I've tried the following (and a combination of the following):

1) Taken all the URLs and placed them in a new URL category in Objects. Placed this into the main Policy that allows for traffic irrespective of when we have to close access to the internet. Result = access still blocked

2) Taken all the individual IPs (599 of them) and placed them into a URL category in Objects. And updated this to the main rule. Result = no access

3) In a pique of curiosity - I created the rule to allow for all traffic to "www.*.com" and "*.com". And that didn't work either.

4) I have opened up all traffic, took a copy of the destinations that were used, created a rule for them and tried that once the blocks were in place...nope.

5) I have gone through the Application filters and updated the main policy to allow for ms-office365 and all other derivatives I could find...but that didn't work either.

So - any other tips? I am not a network specialist (clients & scripting are my main) but I cannot understand why it is not working or what is actually being blocked. Unfortunately too much information is being hidden within the "not-application" description in the Monitor. I can see that the IPs are within the correct subnet range and ports are correct (80 and 443) for Office365 traffic. But why are the applications getting hidden by "not-applicable"?

@ABAdmin From TAC, I've been told to not use IP addresses in custom URL categories. Only use them in address groups.

Ok will give that a try, thanks for the tip.

Also, last night I was looking through our applications as my company use O365 too. I'm not sure what part of the service you're using but we allow:

ms-office365-base

outlook-web-online
sharepoint-base
sharepoint-online
sharepoint-documents
office-on-demand
skydrive-base
live-mesh-base
SSL
web-browsing
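
Following the TAC advice quoted in the thread (IP addresses go in address groups, not in custom URL categories), this added example, which is not from any poster or from Palo Alto Networks, splits a mixed endpoint list into the two object types. The entries are constructed sample values, and `classify` and `split_entries` are hypothetical helper names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample entries (documentation IP ranges and example domains),
# standing in for a mixed endpoint list pasted from a vendor page.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",
    "198.51.100.7",
    "2001:db8:40::/48",
    "login.example.com",
    "*.mail.example.com",
    "https://portal.example.net/owa/",
    "  Login.Example.com  ",  # duplicate with case and whitespace noise
    "",
]


def classify(entry):
    """Return ('ip' | 'fqdn' | 'wildcard', normalized value), or None for blanks."""
    text = entry.strip()
    if not text:
        return None
    try:
        # strict=False normalizes host bits: 192.0.2.5/24 -> 192.0.2.0/24
        return ("ip", str(ipaddress.ip_network(text, strict=False)))
    except ValueError:
        pass
    # Drop scheme, port and path so only the host name remains.
    host = (urlsplit(text if "://" in text else "//" + text).hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"unrecognized entry: {entry!r}")
    return ("wildcard" if "*" in host else "fqdn", host)


def split_entries(entries):
    """Group entries by the object type they belong in, de-duplicated in input order."""
    buckets = {"address_group": {}, "url_category": {}, "wildcards": {}}
    for kind, value in filter(None, map(classify, entries)):
        target = "address_group" if kind == "ip" else "url_category"
        buckets[target][value] = None
        if kind == "wildcard":
            # Patterns are not resolvable names, so they only make sense as URL matches.
            buckets["wildcards"][value] = None
    return {name: list(values) for name, values in buckets.items()}


if __name__ == "__main__":
    for name, values in split_entries(SAMPLE_ENTRIES).items():
        print(name, values)
```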
