O365 Connection Connection through Firebox

Hello
I need to allow connections from my on perm outlook device to pass firebox and communicate with O365 . I've been searching and I see some people are configrung SMTP-Proxy on firebox , is this something I have to do or its an optional feature which let's firebox be an proxy ?

Moreover in regard to allowing traffic O365 has listed a huge list of URls/Protocols that needs to be allowed on Firewall , what is the best practice to allow the connection to pass though Firebox?

Thank you

Comments

  • Is your goal to access outlook.office365.com from you Outlook client?
    If so, your Outlook client should be set up to use HTTPS for this access, and should work without needing to use a SMTP proxy firewall policy etc.

  • If you are NOT using HTTPS Content Inspection, Office 365 should work without modifications to the firewall. If you ARE doing HTTPS Content Inspection, make sure you have the firewall's self-signed "Fireware HTTPS Proxy" certificate installed (manually or pushed via GPO) into the local cert store of your computer (works for IE, Edge, and Chrome; you must set Firefox manually or via Firefox GPO to use the local cert store). Then make sure that you enable the default predefined content exceptions in your HTTPS content inspection policy. That usually lets Outlook work normally. You also can take those lists from Microsoft and build packet filters to those IPs and FQDNs or domains in aliases.

    Gregg Hill

  • edited July 10

    @Greggmh123 said:
    If you are NOT using HTTPS Content Inspection, Office 365 should work without modifications to the firewall. If you ARE doing HTTPS Content Inspection, make sure you have the firewall's self-signed "Fireware HTTPS Proxy" certificate installed (manually or pushed via GPO) into the local cert store of your computer (works for IE, Edge, and Chrome; you must set Firefox manually or via Firefox GPO to use the local cert store). Then make sure that you enable the default predefined content exceptions in your HTTPS content inspection policy. That usually lets Outlook work normally. You also can take those lists from Microsoft and build packet filters to those IPs and FQDNs or domains in aliases.

    Thanks a lot for you reply, HTTPs Inspection is enabled , Would it work if I create a HTTPS-Proxy role and bypass the inspection for those protocols and IPs?

    For Packet filter do I need to select enable Application Control and/or Enable IPs?

  • On your HTTPS proxy action, if "Enable Predefined Content Inspection" is selected, that is all that I expect that you need for this to work.

  • edited July 10

    @Bruce_Briggs said:
    On your HTTPS proxy action, if "Enable Predefined Content Inspection" is selected, that is all that I expect that you need for this to work.

    On Proxy Action I can choose between some options but default option is HTTPS-Client.Standard

  • If you select/open HTTPS-Client.Standard, you will see that Enable Predefined Content Inspection" is selected, which is the default.

  • @Bruce_Briggs said:
    If you select/open HTTPS-Client.Standard, you will see that Enable Predefined Content Inspection" is selected, which is the default.

    Thanks a lot , Yes I see that now , but my question is do I need to add those O365 FQDNS in Domain Names section of this policy and choose Allow as action in order to bypass https inspection for them ?

  • I believe that your Outlook access will work without doing so.
    Try it.

  • @Bruce_Briggs said:
    I believe that your Outlook access will work without doing so.
    Try it.

    Thanks a lot for you help

Sign In to comment.