Outlook 365 certificate/pop up issues with Geolocation

I have several customers with WatchGuard Fireboxes who also are MS 365 subscribers. In recent weeks there has been quite an uptick in users receiving certificate errors in Outlook and/or being prompted for their 365 password frequently. It seems to be the geolocation policy that is blocking IPs internationally from MS Datacenters around the globe. I have logged a ticket with WG on this and so far their only response is to whitelist the IPs as they come up. Problem is, there are just so many and they change every single day, so little progress is actually being made.

Wondering if anyone else here has experienced this issue and if so, is there a more practical policy in place to prevent all this. So far the only other suggestion I have heard is to only block a handful of countries. Right now we block most anything outside the US/Canada and western Europe.

Comments

  • james.carson Moderator, WatchGuard Representative

    The issue is mainly rooted around some of Microsoft's services sometimes resolving to out of region servers for their services. Microsoft may do this from time to time for disaster recovery, to load balance, or simply to test.

    Unless you have a specific reason to be blocking outbound web traffic to other countries, I'd suggest relaxing your geolocation policy for that outbound web traffic at least to countries with datacenters that you encounter these types of issues with.
    If your geolocation policy must remain as-is, unfortunately, exceptions are the way to go. FQDN exceptions can help, however, the firewall needs to see the DNS queries the clients are making in order to be able to cache the responses and add them to the firewall rules.

    -James Carson
    WatchGuard Customer Support
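
The dependency described in the reply above, as an added example that is not part of the thread and is not WatchGuard's implementation: a simplified model of an FQDN exception that only learns IPs from DNS answers the firewall observes. The exception patterns, country data, documentation-range addresses and TTL-based expiry are all constructed assumptions.

```python
from fnmatch import fnmatch

ALLOWED_COUNTRIES = {"US", "CA"}  # constructed geolocation policy
FQDN_EXCEPTIONS = ["*.office365.com", "outlook.office.com"]  # hypothetical list
# Constructed IP-to-country data using documentation address ranges.
GEO_DB = {"203.0.113.10": "SG", "198.51.100.7": "US", "203.0.113.44": "BR"}


class FqdnExceptionCache:
    """Maps IPs learned from observed DNS answers to an expiry time."""

    def __init__(self, patterns):
        self.patterns = [p.lower() for p in patterns]
        self.learned = {}  # ip -> expiry timestamp (assumed TTL-based)

    def observe_dns_answer(self, qname, ips, ttl, now):
        """Called only for DNS responses that pass through the firewall."""
        name = qname.rstrip(".").lower()
        if any(fnmatch(name, p) for p in self.patterns):
            for ip in ips:
                self.learned[ip] = max(self.learned.get(ip, 0), now + ttl)

    def covers(self, ip, now):
        return self.learned.get(ip, 0) > now


def decide(cache, dst_ip, now):
    """Return the verdict for an outbound connection to dst_ip."""
    if cache.covers(dst_ip, now):
        return "allow (FQDN exception)"
    if GEO_DB.get(dst_ip) in ALLOWED_COUNTRIES:
        return "allow (geolocation)"
    return "deny (geolocation)"


def demo():
    cache = FqdnExceptionCache(FQDN_EXCEPTIONS)
    # Client A resolves through the firewall, so the answer is cached.
    cache.observe_dns_answer("outlook.office365.com.", ["203.0.113.10"], ttl=60, now=0)
    return {
        "seen_query": decide(cache, "203.0.113.10", now=30),
        # Client B resolved the name in a way the firewall did not observe.
        "unseen_query": decide(cache, "203.0.113.44", now=30),
        "after_ttl": decide(cache, "203.0.113.10", now=61),
        "in_region": decide(cache, "198.51.100.7", now=30),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `unseen_query` and `after_ttl` cases are the ones that surface to users as blocked connections even though an FQDN exception exists for the name.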
