Desktop Office apps unable to see Microsoft O365 people or resources


L1 Bithead

Hi,

Have two separate issues, but think they are connected by lack of a firewall rule somewhere; cannot locate what I am missing though.

Issue1:

When I try to use SHARE button inside desktop version of Word/Excel/PPoint to share document, cannot see anyone in drop down, cannot search for any users and in general it's not populating. I don't have that problem when trying to share document that is saved in any online location - all employees showing in 'share with' window.

Issue 2: 

I cannot connect to any of my PowerBI datasets located online from any desktop Excel. That is true for any user, on any computer, on any VLAN I have. When I select Get Data/from PowerBI, only thing that I can see is grey column with spinning wheel.

 

When users attempt to connect to same datasets from non-corporate devices, they can just fine.

 

We have converged Palo environment: GlobalProtect, VPN portals, Cortex, on-prem Palo firewalls. 

I am very new to Palo firewalls, just been on PAN-210 training course few days ago, so understand building blocks of security rules, but this is 'art' part of knowledge and I am not there yet.

Anyone had a similar issue and can lead me to an app, service, or combination of both that is responsible for communication with MS online resources from within Office apps?

Our Outlook and SharePoint online portals work perfectly fine, can get mails and access Intranet website without issue.

 

Regards

Robert

Regards
Robert Tryba
8 REPLIES

Cyber Elite

@RobertTryba,

Do you decrypt outbound traffic on your network? Have you enabled logging on the interzone-default security entry so that uncaught denied traffic is actually being recorded in the traffic logs? 

L1 Bithead

Similar issue that started today. My Office 365 would not complete MFA and it was because my firewall thought the dest IP was in China and was blocking the traffic. I have tried rolling back Applications and threats but that hasn't changed anything. I ended up disabling the geo rule until it gets patched. 

We are currently tracking an issue with this. Content update 8559 is causing outages, as geo-IP data is showing incorrect mappings. TAC is currently working on an advisory to customers, but there are Microsoft services and OpenDNS resolvers in the problematic subnets:

13.107.202.0-13.107.255.255
52.127.91.0-52.127.93.255
146.75.32.0-146.75.47.255
168.63.129.16 - 168.63.129.31
142.250.176.0 - 142.250.183.255
208.67.220.0 - 208.67.220.255

Please follow these instructions to revert below 8559 and see if that fixes your issue. 

Help the community! Add tags and mark solutions please.
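An added example, not part of the original post or Palo Alto Networks tooling: a short Python check that takes exported traffic-log rows and reports which non-allowed destinations fall inside the address ranges listed above, so you can tell geo-rule false positives apart from other denies. The CSV column names (`src`, `dst`, `action`, `rule`), the rule names and the sample rows are constructed assumptions; map them to your own export.

```python
import csv
import io
import ipaddress

# Inclusive first/last addresses, copied from the ranges listed in the post above.
AFFECTED_RANGES = [
    ("13.107.202.0", "13.107.255.255"),
    ("52.127.91.0", "52.127.93.255"),
    ("146.75.32.0", "146.75.47.255"),
    ("168.63.129.16", "168.63.129.31"),
    ("142.250.176.0", "142.250.183.255"),
    ("208.67.220.0", "208.67.220.255"),
]

def to_networks(ranges):
    """Collapse each inclusive range into the minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

AFFECTED_NETS = to_networks(AFFECTED_RANGES)

def affected_denies(log_csv, nets=AFFECTED_NETS):
    """Return (dst, rule, network) for non-allowed rows with dst in an affected range."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"].strip().lower() == "allow":
            continue
        try:
            dst = ipaddress.ip_address(row["dst"].strip())
        except ValueError:
            continue  # skip rows whose destination is not a literal IP
        for net in nets:
            if dst in net:
                hits.append((str(dst), row["rule"], str(net)))
                break
    return hits

# Constructed sample export; column names and rule names are hypothetical.
SAMPLE_LOG = """src,dst,action,rule
10.1.20.15,13.107.246.40,deny,Block-Geo-CN
10.1.20.15,52.96.10.2,allow,Allow-O365
10.1.20.22,208.67.220.220,deny,Block-Geo-CN
10.1.20.22,203.0.113.9,deny,interzone-default
10.1.20.30,not-an-ip,deny,interzone-default
"""

if __name__ == "__main__":
    for hit in affected_denies(SAMPLE_LOG):
        print(*hit)
```

Denies that match an affected range and were hit by a geo-based rule are candidates for the mapping problem described above; denies outside these ranges need a different explanation.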

L1 Bithead

Hi,

Still getting my head around Panorama's 'pre' and 'post' rules.

We do have decrypt rule on outgoing traffic and we do have catch rule with logging enabled. 

Any specific events I should look for ?

 

Edit:

Just found we also have a 'don't decrypt O365 traffic' rule in another part of Panorama, so back to beginnings. Any key terms I should look for in logs?

Regards
Robert Tryba

What OS are you running? 10.0+ gives a decryption failure pane in the ACC tab. 


@RobertTryba,

I'd try working with a test machine exhibiting the behavior and look for denied traffic in your traffic logs, along with any M365 traffic accidentally bypassing your decryption exception (you don't say here how you have that configured).

You can also quickly verify if this is an issue on the firewall by taking a single test host and creating a temporary any/any allow rule for it to external resources and excluding it completely from decryption. If things work as expected, you can start working backwards from there (i.e., try it again with it hitting your normal security rulebase entries; if it works then it's a security rulebase issue, and if it doesn't then focus on decryption).


@BPry wrote:

@RobertTryba,

I'd try working with a test machine ...

...You can also quickly verify if this is an issue on the firewall by taking a single test host and creating a temporary any/any allow rule for it to external resources and excluding it completely from decryption....

 Yes, this will be my next task for my desk, getting a permanent test host.

 

We run 9.0.14 ATM. 

Regards
Robert Tryba

Hi,

It will be slow progress from now on, I have loads of other jobs to complete before doing tests on this, but thanks for all help, once I have progress, will let you all know.

regards

Regards
Robert Tryba