Office 365 in Whitelisted environment
What is WatchGuard Best Practice for allowing Office 365 services in whitelisted environments?
Although https://docs.microsoft.com/en-gb/office365/enterprise/office-365-ip-web-service has a list of FQDNs and IPs, Microsoft has https://docs.microsoft.com/en-gb/office365/enterprise/office-365-ip-web-service for keeping them up to date.
I really don't want to have to manually keep a list up to date or have to code something up that pulls down data from that service and updates our WatchGuard units via SSH or something.
M500 and M370 (12.4.1)
Comments
Hi Staj, have you run the exchange connectivity tests from this page ?
https://testconnectivity.microsoft.com/
Microsoft Office Outlook Connectivity Tests -> Outlook Connectivity
I would be interested in the 'best practices', if any. I am about to migrate on-prem Exchange to O365 and am currently getting an error on this test site regarding pinging the MAPI endpoint (and in other areas actually). I'm not overly concerned, as I can add accounts on mobiles from external; however, I would like to avoid any potential issues down the track.
Hi @Staj
Depending on how you're intending to make exceptions, we can already do this.
In your HTTPS proxy action, there is a list of predefined exceptions that can be made. Office 365 and other services are available on this list. Excepting it from content inspection will generally get around any WebBlocker-type blocks that were applied with inspection on.
(HTTPS-Proxy: Content Inspection)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/https/https_proxy_contentinspection_c.html
If you've whitelisted by policy IPs/FQDNs, this will have to be done manually.
Thank you,
-James Carson
WatchGuard Customer Support
Hello, it's a German site, but there is an alias generator for WatchGuard 365 exceptions:
https://www.boc.de/watchguard-info-portal/allgemeines/microsoft-endpoints/
Microsoft offers an API for this. Actually, WatchGuard should absolutely implement this. Manual maintenance is out of date.
Hi @MikeKellner
Automatic content inspection exceptions are already in place -- please see the link that I posted above, which goes over how to enable this.
-James Carson
WatchGuard Customer Support
Hello @James_Carson, using a pre-made exception from WatchGuard is not what customers want. The update will only come with the next upgrade :-). Especially since it is not an automatism, and the content exception only refers to 443. All other ports are neglected by your suggestion. Check out the list provided by Microsoft:
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
There is much more to configure.
Microsoft provides an API. So it shouldn't be a problem for programmers, and it would help users.
Hello Mike,
We'll get this logged as an enhancement to simplify integration of MS policies/exceptions.
Ralph
Agreed, this is a little archaic. Honestly, the link you provided is worthless to me when trying to figure out what I need to do to actually get this to work without spending a ton of time on these doc/API instructions:
https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
Can you kindly give me specifics in how this would work?
@Ralph What's happening with this? We either need to code up a solution ourselves or decide whether or not we continue with WatchGuard. What is the current status of this improvement?
I've written a PowerShell script that downloads the Microsoft 365 Endpoint Sets and creates Aliases for each and aliases for each Service Area + Port(s) Combo in a WatchGuard Profile Configuration XML. Tried to make it so it can update them in-place in an XML later. Is this useful to anyone?
@Staj Hello Staj, I would be interested in the script. Greetings, Mike
@Staj, that PS script sounds interesting to me!
Gregg Hill
@MikeKellner @Greggmh123 @Ralph @cjstark00 @James_Carson
https://github.com/Staja/Update-M365EndpointsInWGXML
Proof of concept only.
@Ralph What is the status of that feature on a/the roadmap? I don't really want to maintain https://github.com/Staja/Update-M365EndpointsInWGXML forever
@quedogforlife I am Staj, regarding my script, I responded here https://github.com/Staja/Update-M365EndpointsInWGXML/issues/1
I don't really have time to update and QA my old script (the XML doesn't have a documented schema; too much reverse engineering is needed), but it appears you can now import a list of alias members:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/alias_create_c.html#About
A PowerShell script that connects to the Office 365 IP Address and URL Web Service, and simply exports lists in the appropriate format, is far simpler, would be quicker to write and would be more enduring than my old solution.
If there is community interest, I might be able to convince my employer to allocate time for me to write a solution.
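As an added illustration of the approach Staj describes above (reading the endpoint web service and exporting one alias member list per service area and port combination, which also covers the non-443 ports Mike raised), here is an example script. It is not Staj's script and not WatchGuard code; it assumes the alias import format is one member (FQDN or CIDR) per line, and it embeds a constructed sample of the web service's JSON so it runs offline (pass -Live to query the real service).

```powershell
# Added example: build WatchGuard alias member lists from Microsoft 365 endpoint sets.
# Assumption: alias import files take one member (FQDN or CIDR) per line.
# The JSON below is constructed to mirror the endpoint web service's schema.
$SampleEndpointsJson = @'
[
  {"id":1,"serviceArea":"Exchange","category":"Optimize","required":true,
   "urls":["outlook.office.com","outlook.office365.com"],
   "ips":["13.107.6.152/31","13.107.18.10/31"],"tcpPorts":"80,443"},
  {"id":2,"serviceArea":"Exchange","category":"Allow","required":true,
   "ips":["13.107.6.152/31"],"tcpPorts":"443","udpPorts":"3478"},
  {"id":3,"serviceArea":"Skype","category":"Optimize","required":true,
   "urls":["*.lync.com"],"ips":["13.107.64.0/18"],"udpPorts":"3478,3479"},
  {"id":4,"serviceArea":"Common","category":"Default","required":false,
   "urls":["*.microsoft.com"],"tcpPorts":"80,443"}
]
'@

function Get-M365EndpointSets {
    param([string]$Json, [switch]$Live)
    if ($Live) {
        # The live service requires a unique clientrequestid GUID per caller.
        $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
        return Invoke-RestMethod -Uri $uri -Method Get
    }
    return ($Json | ConvertFrom-Json)
}

function ConvertTo-AliasMemberLists {
    param([object[]]$EndpointSets)
    $lists = @{}
    # Only "required" endpoint sets must be allowed; optional ones are left to the admin.
    foreach ($set in ($EndpointSets | Where-Object { $_.required })) {
        $members = @($set.urls) + @($set.ips) | Where-Object { $_ }
        $portSpecs = @()
        if ($set.tcpPorts) { $portSpecs += ($set.tcpPorts -split ',') | ForEach-Object { "TCP$($_.Trim())" } }
        if ($set.udpPorts) { $portSpecs += ($set.udpPorts -split ',') | ForEach-Object { "UDP$($_.Trim())" } }
        foreach ($p in $portSpecs) {
            # One alias per ServiceArea + protocol/port, so a policy binds exactly those ports.
            $name = "M365-$($set.serviceArea)-$p"
            if (-not $lists.ContainsKey($name)) { $lists[$name] = [System.Collections.Generic.HashSet[string]]::new() }
            foreach ($m in $members) { [void]$lists[$name].Add($m) }   # HashSet de-duplicates overlaps
        }
    }
    return $lists
}

$lists = ConvertTo-AliasMemberLists -EndpointSets (Get-M365EndpointSets -Json $SampleEndpointsJson)
foreach ($name in ($lists.Keys | Sort-Object)) {
    Set-Content -Path "$name.txt" -Value ($lists[$name] | Sort-Object)   # one import file per alias
    "{0}: {1} members" -f $name, $lists[$name].Count
}
```

Re-running the script against the live service and diffing the generated files against the previous run shows exactly which members Microsoft added or removed, which is the change-review step a whitelisting policy needs before an alias update is applied.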
Hello WatchGuard! This has been over three years with no updates! Please hire capable programmers to add this feature to the next update. Thank you.
Hi @dtran
We already provide content inspection exceptions for Office365, and most Office365 services should traverse a proxy so long as content inspection isn't enabled for those services (effectively doing the same thing as a packet filter). If you're running into difficulty with your implementation, I'd suggest making a support case so that one of our support representatives can assist in determining what might be going wrong.
-James Carson
WatchGuard Customer Support
Hi,
As of Fireware 12.10 a new alias has been added.
New Microsoft365 Alias
A new Microsoft365 alias includes a list of domain names and IP addresses used by Microsoft 365 (previously named Office 365). Add the alias to your policies to allow network traffic to and from Microsoft 365 products and services. WatchGuard updates the alias automatically when Microsoft adds domains and IPs, so you no longer have to manually configure exceptions.
And as of today, still an issue, a continuous issue. Is WG going to enhance the alias with a proxy fix?
Over a year old issue. Come on, guys!
Hi @Rheard1985
I'd suggest opening a support case if you're still running into an issue. Under most circumstances, the proxy exceptions should work.
-James Carson
WatchGuard Customer Support