Sophos XG Firewall: How to add Office 365 web exceptions

Overview

  • This article describe the steps to allow Office 365 installation, updates and general usage through the Web Protection module of the Sophos XG Firewall. The specified exceptions resolve the timeout/AV error issues and HTTPS inspection issues.

How to do ?

Method 1

Manually add the Office 365 URLs to the Web Filter Exceptions:

  • Go to Web > Exceptions and then click Add Exception.
  • Name the exception Office365.
  • Flag the options HTTPS Decryption and Malware and Content Scanning under the Skip the selected checks or actions section.
  • Flag the URL pattern matches under the For web traffic matching these criteria section.
  • Insert the following exceptions:

^([A-Za-z0-9.-]*\.)?office365\.com/?
^([A-Za-z0-9.-]*\.)?admin\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?us\.portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?eu\.portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?eu2\.portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?us2\.portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?us3\.portal\.cloudappsecurity\.com/?
^([A-Za-z0-9.-]*\.)?onmicrosoft\.com/?
^([A-Za-z0-9.-]*\.)?account\.office\.net/?
^([A-Za-z0-9.-]*\.)?agent\.office\.net/?
^([A-Za-z0-9.-]*\.)?delve\.office\.com/?
^([A-Za-z0-9.-]*\.)?home\.office\.com/?
^([A-Za-z0-9.-]*\.)?portal\.office\.com/?
^([A-Za-z0-9.-]*\.)?suite\.office\.net/?
^([A-Za-z0-9.-]*\.)?webshell\.suite\.office\.com/?
^([A-Za-z0-9.-]*\.)?www\.office\.com/?
^([A-Za-z0-9.-]*\.)?aria\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?portal\.microsoftonline\.com/?
^([A-Za-z0-9.-]*\.)?clientlog\.portal\.office\.com/?
^([A-Za-z0-9.-]*\.)?nexus\.officeapps\.live\.com/?
^([A-Za-z0-9.-]*\.)?nexusrules\.officeapps\.live\.com/?
^([A-Za-z0-9.-]*\.)?amp\.azure\.net/?
^([A-Za-z0-9.-]*\.)?o365weve\.net/?
^([A-Za-z0-9.-]*\.)?auth\.gfx\.ms/?
^([A-Za-z0-9.-]*\.)?appsforoffice\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?assets\.onestore\.ms/?
^([A-Za-z0-9.-]*\.)?az826701\.vo\.msecnd\.net/?
^([A-Za-z0-9.-]*\.)?c\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?c1\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?client\.hip\.live\.com/?
^([A-Za-z0-9.-]*\.)?contentstorage\.osi\.office\.net/?
^([A-Za-z0-9.-]*\.)?dgps\.support\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?docs\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?groupsapi-prod\.outlookgroups\.ms/?
^([A-Za-z0-9.-]*\.)?groupsapi2-prod\.outlookgroups\.ms/?
^([A-Za-z0-9.-]*\.)?groupsapi3-prod\.outlookgroups\.ms/?
^([A-Za-z0-9.-]*\.)?groupsapi4-prod\.outlookgroups\.ms/?
^([A-Za-z0-9.-]*\.)?msdn\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?platform\.linkedin\.com/?
^([A-Za-z0-9.-]*\.)?products\.office\.com/?
^([A-Za-z0-9.-]*\.)?prod\.msocdn\.com/?
^([A-Za-z0-9.-]*\.)?res\.delve\.office\.com/?
^([A-Za-z0-9.-]*\.)?shellprod\.msocdn\.com/?
^([A-Za-z0-9.-]*\.)?support\.content\.office\.com/?
^([A-Za-z0-9.-]*\.)?support\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?support\.office\.com/?
^([A-Za-z0-9.-]*\.)?technet\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?templates\.office\.com/?
^([A-Za-z0-9.-]*\.)?video\.osi\.office\.net/?
^([A-Za-z0-9.-]*\.)?videocontent\.osi\.office\.net/?
^([A-Za-z0-9.-]*\.)?videoplayer\.osi\.office\.net/?
^([A-Za-z0-9.-]*\.)?manage\.office\.com/?
^([A-Za-z0-9.-]*\.)?protection\.office\.com/?
^([A-Za-z0-9.-]*\.)?blob\.core\.windows\.net/?
^([A-Za-z0-9.-]*\.)?helpshift\.com/?
^([A-Za-z0-9.-]*\.)?localytics\.com/?
^([A-Za-z0-9.-]*\.)?firstpartyapps\.oaspapps\.com/?
^([A-Za-z0-9.-]*\.)?outlook\.uservoice\.com/?
^([A-Za-z0-9.-]*\.)?prod\.firstpartyapps\.oaspapps\.com\.akadns\.net/?
^([A-Za-z0-9.-]*\.)?rink\.hockeyapp\.net/?
^([A-Za-z0-9.-]*\.)?sdk\.hockeyapp\.net/?
^([A-Za-z0-9.-]*\.)?telemetryservice\.firstpartyapps\.oaspapps\.com/?
^([A-Za-z0-9.-]*\.)?wus-firstpartyapps\.oaspapps\.com/?
^([A-Za-z0-9.-]*\.)?liverdcxstorage\.blob\.core\.windowsazure\.com/?
^([A-Za-z0-9.-]*\.)?telemetry\.remoteapp\.windowsazure\.com/?
^([A-Za-z0-9.-]*\.)?vortex\.data\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?www\.remoteapp\.windowsazure\.com/?
^([A-Za-z0-9.-]*\.)?hockeyapp\.net/?
^([A-Za-z0-9.-]*\.)?sharepointonline\.com/?
^([A-Za-z0-9.-]*\.)?staffhub\.office\.com/?
^([A-Za-z0-9.-]*\.)?api\.office\.com/?
^([A-Za-z0-9.-]*\.)?enterpriseregistration\.windows\.net/?
^([A-Za-z0-9.-]*\.)?dc\.applicationinsights\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?dc\.services\.visualstudio\.com/?
^([A-Za-z0-9.-]*\.)?forms\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?forms\.office\.com/?
^([A-Za-z0-9.-]*\.)?graph\.windows\.net/?
^([A-Za-z0-9.-]*\.)?mem\.gfx\.ms/?
^([A-Za-z0-9.-]*\.)?office365servicehealthcommunications\.cloudapp\.net/?
^([A-Za-z0-9.-]*\.)?securescore\.office\.com/?
^([A-Za-z0-9.-]*\.)?signup\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?staffhub\.ms/?
^([A-Za-z0-9.-]*\.)?staffhubweb\.azureedge\.net/?
^([A-Za-z0-9.-]*\.)?staffhub\.uservoice\.com/?
^([A-Za-z0-9.-]*\.)?forms\.osi\.office\.net/?
^([A-Za-z0-9.-]*\.)?watson\.telemetry\.microsoft\.com/?
^([A-Za-z0-9.-]*\.)?wu\.client\.hip\.live\.com/?
^([A-Za-z0-9.-]*\.)?testconnectivity\.microsoft\.com/?

Note: For some specific features, it may be required to exclude the following second-level domains altogether:

^([A-Za-z0-9.-]*\.)?microsoft\.com/?
^([A-Za-z0-9.-]*\.)?msocdn\.com/?
^([A-Za-z0-9.-]*\.)?office\.com/?
^([A-Za-z0-9.-]*\.)?office\.net/?
^([A-Za-z0-9.-]*\.)?onmicrosoft\.com/?

  • Click Save and verify that the exception is active.

Note:

  • The exception created does not bypass the policy checks. If it is required to bypass the policy checks, enable the Policy Checks option under the Skip the selected checks or actions section.
  • The exceptions provided in this article are the base exception. Microsoft continuously updates their IP addresses and domains. Please refer to Office 365 URLs and IP address ranges for an updated list.

Method 2

Import exception list through XG’s Backup & firmware > Import export.

  • (1) Download the exception lists here.
  • Extract the content of the zip file. The zip file contains the following:

API-O365-all.tar – this is a comprehensive set of 108 exceptions, every web URL that Microsoft list
API-O365-required.tar – this a subset of 50 exceptions corresponding to the groups that Microsoft says are ‘required’
API-O365-minimal.tar – this is a subset of 10 exceptions that correspond to the groups Microsoft says are ‘required’ and flag as ‘optimize’ or ‘allow’

Upload one of the files as needed.

  • On the XG Firewall Web Console, navigate to System > Backup & firmware Import export.
  • Click Choose File and browse to the location where the files have been extracted on step 1.
  • Once the file has been selected, click on Import.
  • Once imported, go to Web > Exceptions and enable the exception.

Be the first to comment

Leave a Reply

Your email address will not be published.


*