Excluding MS Teams from GlobalProtect


L3 Networker

I'm trying to exclude MS Teams traffic from GlobalProtect. We are using the entire O365 platform but I only want to exclude MS Teams. Has anyone been able to successfully get this to work? I found some older community posts but most seemed to have inconsistent results. I'm running PAN-OS 9.0.x and GP 5.2.6.

Is excluding "%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe" supported, and would that be all that is needed?

I tried something similar with Zoom, but when Zoom was installed into %USERPROFILE%\AppData\Roaming\Zoom it did not work. I had to install Zoom into C:\Program Files (x86)\Zoom to get that to exclude correctly.


Accepted Solutions

Hello

The MS-Teams application resides in the user directory, hence whitelisting based on the executable might not work here. Whitelisting the executable would also grant access to your SharePoint if it is called by MS-Teams.

In addition to the URLs (plus "Split DNS"), we have added a few IP ranges which are used by MS-Teams for real-time data (audio/video). On the O365 URLs and IP addresses page (https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-world...) they are listed with id 11.

 

Browsing https://connectivity.office.com/ tells you if the connection took the path you expected.

 

Best Regards

  Joerg

Cyber Elite

@securehops 

 

We have MS Teams excluded from GP using URLs.

There are a lot of URLs that need to be excluded, and it is working fine for us.

 

Regards

MP



@JoergSchuetter 

 

I did find this article previously, but it seemed like it was too easy to be all that is needed. Are you saying you were able to get it to work by excluding only these IP ranges and ports: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14 with ports 3478, 3479, 3480, 3481?

What about the other URLs listed under ID 11 but under the same Skype for Business Online and Microsoft Teams section?

@MP18 mind sharing your list of URLs that you excluded?

We are using the following IDs concerning URLs: 1,3,8,9,11,12,13,16,17,22,127,154

*.broadcast.skype.com
*.keydelivery.mediaservices.windows.net
*.lync.com
*.msecnd.net
*.outlook.office.com
*.protection.outlook.com
*.skypeforbusiness.com
*.streaming.mediaservices.windows.net
*.teams.microsoft.com
ajax.aspnetcdn.com
aka.ms
amp.azure.net
attachments.office.net
autodiscover.<your company here>.onmicrosoft.com
mlccdn.blob.core.windows.net
outlook.office.com
outlook.office365.com
r1.res.office365.com
r3.res.office365.com
r4.res.office365.com
teams.microsoft.com

Thanks for the info. Based on some of the URLs you posted, there are exclusions other than MS Teams in there, which I can't have.

So far, I have only excluded these optimized ranges: 13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14. Seems to be working okay for the most part, although I still see a little traffic for IPs within these ranges on the firewall.

The traffic you are seeing stems from the fact that MS-Teams sends connection probes via all interfaces (GP-Interface and LAN-Interface). It will pick the interface it identifies as "better".
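As an added example (not code from the thread, Palo Alto or Microsoft), the following Python builds the split-tunnel exclusion lists for chosen endpoint-set ids from a constructed sample shaped like the Microsoft 365 endpoints web service output, and then checks destination IPs taken from firewall traffic logs on the tunnel against those ranges, so that residual hits inside the excluded ranges (the interface probes described above) can be told apart from unrelated traffic. The JSON sample and the destination IPs are constructed; only the three id 11 ranges and the UDP ports quoted in the thread are taken from the page.

```python
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 endpoints web service output.
# Only the id 11 ranges/ports are from the thread; the rest is illustrative (TEST-NET range).
SAMPLE_ENDPOINTS = json.loads("""
[
 {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": true,
  "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"],
  "udpPorts": "3478,3479,3480,3481"},
 {"id": 12, "serviceArea": "Skype", "category": "Allow", "required": true,
  "urls": ["*.lync.com", "*.teams.microsoft.com", "teams.microsoft.com"],
  "tcpPorts": "443"},
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com", "outlook.office365.com"],
  "ips": ["203.0.113.0/24"], "tcpPorts": "80,443"}
]
""")

# Constructed destination IPs as they would appear in traffic logs for the GP tunnel.
SAMPLE_TUNNEL_DESTS = ["13.107.65.10", "52.113.4.20", "52.119.0.1", "198.51.100.7"]


def split_tunnel_exclusions(endpoints, wanted_ids):
    """Return (ip_networks, sorted_domains) for the endpoint-set ids to exclude.

    The networks feed the GP split-tunnel exclude list; the domains feed the
    domain exclude / split-DNS list. Ids not in wanted_ids are ignored, which is
    how the Teams-only exclusion avoids pulling in Exchange or SharePoint entries.
    """
    nets, domains = [], set()
    for ep in endpoints:
        if ep["id"] not in wanted_ids:
            continue
        nets.extend(ipaddress.ip_network(ip) for ip in ep.get("ips", []))
        domains.update(ep.get("urls", []))
    return nets, sorted(domains)


def classify_destinations(dest_ips, nets):
    """Map each tunnelled destination to True if it lies in an excluded range.

    True hits are traffic that should normally have bypassed the tunnel; with
    Teams, a small amount is expected because it probes every interface.
    """
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets) for ip in dest_ips}


if __name__ == "__main__":
    nets, domains = split_tunnel_exclusions(SAMPLE_ENDPOINTS, {11, 12})
    print("exclude ranges:", [str(n) for n in nets])
    print("exclude domains:", domains)
    print("tunnel hits in excluded ranges:", classify_destinations(SAMPLE_TUNNEL_DESTS, nets))
```

To use it against real data, replace SAMPLE_ENDPOINTS with the JSON fetched from the endpoints web service and SAMPLE_TUNNEL_DESTS with destination addresses exported from the firewall's traffic log filtered on the GlobalProtect tunnel interface.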

Good point!
