Office 365 in Whitelisted environment

StajStaj
in Firebox - Subscription Services

What is WatchGuard Best Practice for allowing Office 365 services in whitelisted environments?

Although https://docs.microsoft.com/en-gb/office365/enterprise/office-365-ip-web-service has a list of FQDNs and IPs, Microsoft has https://docs.microsoft.com/en-gb/office365/enterprise/office-365-ip-web-service for keeping them up to date.

I really don't want to have to manually keep a list up to date or have to code something up that pulls down data from that service and updates our WatchGuard units via SSH or something.

M500 and M370 (12.4.1)

Comments

  • mpayzempayze

    Hi Staj, have you run the exchange connectivity tests from this page ?
    https://testconnectivity.microsoft.com/
    Microsoft Office Outlook Connectivity Tests -> Outlook Connectivity
    I would be interested in the 'best practices', if any. I am about to migrate on-prem exchange to o365 and currently having an error on this test site regarding pinging the MAPI endpoint (and in other areas actually). I'm not overly concerned as I can add account on mobiles from external however would like to avoid any potential issues down the track.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Staj

    Depending on how you're intending to make exceptions, we can already do this.

    In your HTTPS proxy action, there is a list of predefined exceptions that can be made. Office 365 and other services are available on this list. Excepting it from content inspection will generally get around any webblocker type blocks that were done with inspection on.

    (HTTPS-Proxy: Content Inspection)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/https_proxy_contentinspection_c.html

    If you've whitelisted by policy IPs/FQDNs, this will have to be done manually

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • MikeKellnerMikeKellner

    Hello, its a german site but it exists a alias generator for watchguard 365 exceptions

    https://www.boc.de/watchguard-info-portal/allgemeines/microsoft-endpoints/

  • MikeKellnerMikeKellner

    Microsoft offers an API for this. Actually, Watchguard should absolutely implement this. Manual maintenance is out of date.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @MikeKellner
    Automatic content inspection exceptions are already in place -- please see the link that I posted above, which goes over how to enable this.

    -James Carson
    WatchGuard Customer Support

  • MikeKellnerMikeKellner
    edited June 2020

    Hello @James_Carson , using a pre-made exception from Watchguard is not what customers want. The update will only come with the next upgrade :-). Especially since it is not an automatism and the content exception only refers to 443. All other ports are neglected by your suggestion. Check out the list provided by Microsoft.

    https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
    There is much more to configure.

    Microsoft provides an API. So shouldn't be a problem for programmers and help users.

  • RalphRalph WatchGuard Representative

    Hello Mike,

    We'll get this logged as an enhancement to simplify integration of MS policies/exceptions.

    Ralph

  • cjstark00cjstark00

    Agreed this is a little Archaic. Honestly the link you provided is worthless to me when trying to figure out what I need to do to actually get this to work without spending a ton of time in reference to this doc/api instructions:

    https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

    https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

    Can you kindly give me specifics in how this would work?

  • StajStaj

    @Ralph What's happening with this? We either need to code up a solution ourselves or decide whether or not we continue with WatchGuard, what is the current status of this improvement?

  • StajStaj

    I've written a PowerShell script that downloads the Microsoft 365 Endpoint Sets and creates Aliases for each and aliases for each Service Area + Port(s) Combo in a WatchGuard Profile Configuration XML. Tried to make it so it can update them in-place in an XML later. Is this useful to anyone?

  • MikeKellnerMikeKellner

    @Staj Hello Staj, I would be interested in the script. Greetings Mike

  • greggmh123greggmh123

    @Staj, that PS script sounds interesting to me!

    Gregg Hill

  • StajStaj

    @MikeKellner @Greggmh123 @Ralph @cjstark00 @James_Carson
    https://github.com/Staja/Update-M365EndpointsInWGXML

    Proof of concept only.

  • StajStaj

    @Ralph What is the status of that feature on a/the roadmap? I don't really want to maintain https://github.com/Staja/Update-M365EndpointsInWGXML forever

  • quedogforlifequedogforlife
    I realize this is a couple of years old but has Watchguard made any enhancements relative to this discussion and/or can anyone speak to their experience with the GitHub solution? Thanks in advance.
  • ViajazViajaz

    @quedogforlife I am Staj, regarding my script, I responded here https://github.com/Staja/Update-M365EndpointsInWGXML/issues/1

  • ViajazViajaz

    I don't really have time to update and QA my old script (The XML doesn't have a documented schema, too much reverse engineering is needed) but it appears you can now import a List of alias members:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/alias_create_c.html#About

    A PowerShell script that connects to the Office 365 IP Address and URL Web Service, and simply exports lists in the appropriate format, is far simpler, would be quicker to write and would be more enduring that my old solution.

    If there is community interest, I might be able to convince my employer to allocate time for me to write a solution.

  • dtrandtran

    Hello WatchGuard! This has been over three years with no updates! Please hire capable programmers to add this feature to the next update. Thank you.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @dtran
    We already provide content inspection exceptions for Office365, and most Office365 services should traverse a proxy so long as content inspection isn't enabled for those services (effectively doing the same thing as a packet filter.) If you're running into difficulty with your implementation, I'd suggest making a support case so that one of our support representatives can assist determining what might be going wrong.

    -James Carson
    WatchGuard Customer Support

  • T_RT_R

    Hi,

    As of Fireware 12.10 a new alias has been added.

    New Microsoft365 Alias

    A new Microsoft365 alias includes a list of domain names and IP addresses used by Microsoft 365 (previously named Office 365). Add the alias to your policies to allow network traffic to and from Microsoft 365 products and services. WatchGuard updates the alias automatically when Microsoft adds domains and IPs, so you no longer have to manually configure exceptions

  • Rheard1985Rheard1985

    And as of today, still an issue- continuous issue. Is WG going to enhance the alias with a proxy fix?
    Over a year old issue - come on guys!

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Rheard1985
    I'd suggest opening a support case if you're still running into an issue. Under most circumstances, the proxy exceptions should work.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.