This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Allow Office 365 not getting desired results...

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Allow Office 365 not getting desired results...

LCMember172
L0 Member

‎09-09-2015 05:34 AM

Hei,

We recently moved over to a full O365 solution and I am trying to customise the ruleset to Allow for O365 traffic when all other traffic is blocked.

 

Unfortunately I have hit a wall and cannot seem to get the application to be allowed. I am hoping one of you can point out what I have done wrong and how to correct it.

 

I have used Addresses (with FQDN) and Address Groups where I have defined all the sites that MS states are required. List is here: Office 365 URLs and IPs [Ideally I'd avoid using IPs as these are subject to change. 😉 ]

I then changed the top level policy to allow for the Address Group.

In testing, the client pc is able to start Office and receives the login screen but no login is able to complete. In the Monitor of PAN it details Destination as an IP and Application as "not-applicable"

 

I have also tried using the predefined Application setting (ms-office365), but then on the client pc it does not even resolve to the login screen, just displaying a bland "Unable to connect" pop-up.

 

Thanks in advance for any advice!

 

 

Details:

 

 

0 Likes Likes
11 REPLIES 11

ethiSEC
L2 Linker
In response to Brandon_Wertz

‎09-11-2015 06:25 AM

A custom URL category added to a URL filtering profile on the rule with the required office 365 app-ids may work but it may also be a bit hit and miss.

 

URL categories are very handy when you want to more accurately match traffic against a specific rule. The good thing about URL categories is these are used as an additional match criteria for the rule. For example if you want to all allow traffic on an office 365 with an SSL and web-browsing dependancy app-ids coming from a trusted zone going to the untrusted zone and a URL category is applied with the appropriate URL matches, all three components will need to match before the traffic will be allowed by this rule.

 

In my experience they have proven more reliable way of ensuring the right traffic hits the right rule.

 

Jason

 

 

0 Likes Likes

ABAdmin
L1 Bithead
In response to Brandon_Wertz

‎09-18-2015 12:22 AM - edited ‎09-18-2015 12:32 AM

@Brandon_Wertz: We added those previously and nothing - traffic was still blocked for some or other reason

 

In the end we resolved this by adding every IPv4 address MS has listed to Addresses with an appropriate Tag.

 

In Address Groups we created a Dynamic Group based on the aforementioned Tag.

 

In Policies we allowed for the Address Group. And now our clients are able to authenticate the Office 365 license. The authentication process is ridiculousloy slow though. With all traffic enabled, license authentication takes a second or two. With the internet restricted and this rule in place...it takes 2 - 3 minutes to authenticate. Very strange this, not to sure where the optimisation must be done.

 

As we only need to get a license, we only added all IPs relating to Portal and ID.

 

(Ps: But...to cover our bases - I have also added the IPv6 to Addresses, URLs to URL Category and created an Application Group based on the needed O365 applications in the PAN-2020. Nothing wrong with a little overkill 😉

 

Cheers and thanks for the help

Anthony

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks