06-27-2021 05:44 PM
I'm trying to exclude MS Teams traffic from GlobalProtect. We are using the entire O365 platform but I only want to exclude MS Teams. Has anyone been able to successfully get this to work? I found some older community posts but most seemed to have inconsistent results. I'm running PAN OS 9.0.x and GP 5.2.6.
Is excluding "%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe" supported and would that be all that is needed?
I tried something similar with Zoom, but when Zoom was installed into %USERPROFILE%\AppData\Roaming\Zoom, it did not work. I had to install Zoom into C:\Program Files (x86)\Zoom to get that to exclude correctly.
06-27-2021 08:44 PM
We have MS Teams excluded from the GP using URLs.
There are a lot of URLs that need to be excluded and it is working fine for us.
Regards
06-27-2021 11:39 PM
Hello
The MS-Teams application resides in the user directory, hence whitelisting based on the executable might not work here. Whitelisting the executable would also grant access to your SharePoint if it is called by MS-Teams.
In addition to the URLs (plus "Split DNS"), we have added a few IP ranges which are used by MS-Teams for real-time data (audio/video). On the O365 URLs and IP addresses page (https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...) they are listed with id 11.
Browsing https://connectivity.office.com/ tells you if the connection took the path you expected.
Best Regards
Joerg
06-28-2021 05:51 AM - edited 06-28-2021 05:55 AM
I did find this article previously, but seemed like it was too easy to be all that is needed. Are you saying you were able to get it to work by excluding only these IP ranges and ports, 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 with ports 3478,3479,3480,3481?
What about the other URLs listed under ID 11 but under the same Skype for Business Online and Microsoft Teams section?
@MP18 mind sharing your list of URLs that you excluded?
06-29-2021 01:59 AM
We are using the following IDs concerning URLs: 1,3,8,9,11,12,13,16,17,22,127,154
*.broadcast.skype.com
*.keydelivery.mediaservices.windows.net
*.lync.com
*.msecnd.net
*.outlook.office.com
*.protection.outlook.com
*.skypeforbusiness.com
*.streaming.mediaservices.windows.net
*.teams.microsoft.com
ajax.aspnetcdn.com
aka.ms
amp.azure.net
attachments.office.net
autodiscover.<your company here>.onmicrosoft.com
mlccdn.blob.core.windows.net
outlook.office.com
outlook.office365.com
r1.res.office365.com
r3.res.office365.com
r4.res.office365.com
teams.microsoft.com
06-29-2021 08:16 AM
Thanks for the info. Based on some of the URLs you posted, there are exclusions other than MS Teams in there, which I can't have.
So far, I have only excluded these optimized ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14. Seems to be working okay for the most part, although I still see a little traffic for IPs within these ranges on the firewall.
06-29-2021 10:16 AM
The traffic you are seeing stems from the fact that MS-Teams sends connection probes via all interfaces (GP-Interface and LAN-Interface). It will pick the interface it identifies as "better".
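A check for the residual traffic discussed in the last two posts, as an added example that is not part of the thread: it takes the three ranges and UDP ports quoted above and separates small, probe-like sessions from call-sized ones in a firewall session export. The CSV columns, the sample rows and the `probe_max_bytes` cut-off are constructed assumptions, not a PAN-OS log format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ranges and UDP ports quoted in the thread for Teams real-time media (ID 11).
MEDIA_NETS = [ipaddress.ip_network(n) for n in
              ("13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14")]
MEDIA_UDP_PORTS = {3478, 3479, 3480, 3481}

# Constructed sample: sessions the firewall saw arriving from the VPN zone.
# Column names are assumptions for this example.
SAMPLE_LOG = """src,dst,proto,dport,bytes
10.1.1.20,52.113.4.9,udp,3478,1240
10.1.1.20,13.107.64.10,udp,3479,980
10.1.1.21,52.120.8.1,udp,3480,48211904
10.1.1.21,52.112.0.5,udp,3478,1102
10.1.1.21,52.96.0.1,tcp,443,88120
10.1.1.22,13.107.128.1,udp,3478,5300000
"""

def is_teams_media(dst, proto, dport):
    """True if the flow targets the excluded ranges on the media UDP ports."""
    addr = ipaddress.ip_address(dst)
    return (proto.lower() == "udp" and int(dport) in MEDIA_UDP_PORTS
            and any(addr in net for net in MEDIA_NETS))

def classify(log_text, probe_max_bytes=100_000):
    """Per client, count tunnelled media-range sessions as probe or call.

    probe_max_bytes is an assumed cut-off: sessions at or below it are
    treated as connection probes, larger ones as calls using the tunnel.
    """
    result = defaultdict(lambda: {"probe": 0, "call": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_teams_media(row["dst"], row["proto"], row["dport"]):
            kind = "probe" if int(row["bytes"]) <= probe_max_bytes else "call"
            result[row["src"]][kind] += 1
    return dict(result)

def clients_to_investigate(log_text):
    """Clients with at least one call-sized session through the tunnel."""
    return sorted(s for s, c in classify(log_text).items() if c["call"])

if __name__ == "__main__":
    for src, counts in sorted(classify(SAMPLE_LOG).items()):
        print(src, counts)
    print("investigate:", clients_to_investigate(SAMPLE_LOG))
```

Clients that show only probe-sized sessions match the behaviour described in the last reply; a client with call-sized sessions in these ranges is one where the exclusion is not taking effect.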