
Does adding too many hosts & IP ranges affect the performance of the UTM?

Hello there,

I plan to create a rule to allow some hosts & IP ranges for Microsoft 365 Common and Office Online, to deploy a hybrid Azure system with an on-premises AD server. This is configured on a Sophos UTM firewall. Below is an example: 

My question is: when I add many hosts & IP ranges, does it affect the performance of my device?

It would be best if there is a KB about this. Thanks in advance

Brds,

Vu



  • Hi  

    As long as you configure correct RegEx and add IP addresses properly, it will not impact the device performance or I should say the impact would not be observed by the user. 

    Regards

    Jaydeep

  • Hello VuHuynh,

    It is not recommended to put the Office 365 bypasses in as firewall rules because the IP ranges can constantly change and update as Microsoft makes changes.

    It is perfectly acceptable and recommended to only have exceptions put into the Web Filter, as the issue that prevents O365 services working properly is certificate pinning, so HTTPS Exceptions will do the trick as long as Web Protection is enabled.

    If you have Web Protection enabled, go to Web Protection > Filtering Options > Exceptions and add a new exception. Select the check box to skip checks for "SSL Scanning"; you can also do so for URL filter, but it is unlikely you will have category blocked O365 services and I would not recommend a URL filter exception unless absolutely needed.

    For the conditions, change the drop down to "matching these URLs" and in the box that appears click the dropdown and select import, then copy and paste the exceptions list below in:

    ^https?://([A-Za-z0-9.-]*\.)?office365\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?admin\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?eu\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?eu2\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us2\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?us3\.portal\.cloudappsecurity\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?onmicrosoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?account\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?agent\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?delve\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?home\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?suite\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?webshell\.suite\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?www\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?aria\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?portal\.microsoftonline\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?clientlog\.portal\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?nexus\.officeapps\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?nexusrules\.officeapps\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?amp\.azure\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?o365weve\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?auth\.gfx\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?appsforoffice\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?assets\.onestore\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?az826701\.vo\.msecnd\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?c\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?c1\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?client\.hip\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?contentstorage\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?dgps\.support\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?docs\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi2-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi3-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?groupsapi4-prod\.outlookgroups\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?msdn\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?platform\.linkedin\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?products\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?prod\.msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?res\.delve\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?shellprod\.msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.content\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?support\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?technet\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?templates\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?video\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?videocontent\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?videoplayer\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?manage\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?protection\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?blob\.core\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?helpshift\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?localytics\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?connect\.facebook\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?outlook\.uservoice\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?prod\.firstpartyapps\.oaspapps\.com\.akadns\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?rink\.hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?sdk\.hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?telemetryservice\.firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?wus-firstpartyapps\.oaspapps\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?liverdcxstorage\.blob\.core\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?telemetry\.remoteapp\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?vortex\.data\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?www\.remoteapp\.windowsazure\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?hockeyapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?sharepointonline\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?api\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?enterpriseregistration\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?dc\.applicationinsights\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?dc\.services\.visualstudio\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?graph\.windows\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?mem\.gfx\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?office365servicehealthcommunications\.cloudapp\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?securescore\.office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?signup\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.ms/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhubweb\.azureedge\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?staffhub\.uservoice\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?forms\.osi\.office\.net/?
    ^https?://([A-Za-z0-9.-]*\.)?watson\.telemetry\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?wu\.client\.hip\.live\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?testconnectivity\.microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?microsoft\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?msocdn\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?office\.com/?
    ^https?://([A-Za-z0-9.-]*\.)?office\.net/?

    These exceptions have been generated by translating the exceptions from XG format to UTM format from this KB article: https://community.sophos.com/kb/en-us/132291

    On the topic of large numbers of objects in the UTM, as Jaydeep says it will not be noticed by the end user, but it will kill the performance of the webadmin GUI, so I only recommend objects be created where necessary and regular cleanups done. I have seen GUIs on 400-series appliances crawl because they have around 7000 objects, and after culling them down to about 1000, the performance difference is very dramatic. It is because of the way the UTM handles the objects and them being available as a sidebar access on all pages (from what I understand).

    Hope that helps.

    Emile
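As an added check (example code, not part of Emile's post or the Sophos KB), the script below runs a few of the listed UTM-format patterns against constructed probe URLs using Python's re.search semantics and shows that, because each pattern ends in an optional `/?` with no end anchor, a hostname that merely begins with an excepted domain (e.g. office.com.example.net) is also matched, which makes the SSL-scanning bypass broader than intended. The `tighten()` helper is an assumed hardening that requires an optional port and then either a slash or end of string; whether the UTM's own regex engine applies patterns exactly like re.search is an assumption.

```python
import re

# Constructed subset of the UTM-format exception list quoted in the thread.
UTM_PATTERNS = [
    r"^https?://([A-Za-z0-9.-]*\.)?office\.com/?",
    r"^https?://([A-Za-z0-9.-]*\.)?office\.net/?",
    r"^https?://([A-Za-z0-9.-]*\.)?sharepointonline\.com/?",
]


def tighten(pattern: str) -> str:
    """Hypothetical hardening: replace the optional trailing slash with a
    required host terminator (optional :port, then '/' or end of string),
    so the excepted domain must be the whole host, not a prefix of it."""
    assert pattern.endswith("/?"), "expected a UTM-style pattern ending in /?"
    return pattern[:-2] + r"(:[0-9]+)?(?:/|$)"


TIGHT_PATTERNS = [tighten(p) for p in UTM_PATTERNS]


def is_excepted(url: str, patterns) -> bool:
    """True if any pattern matches the URL (anchored at the start by '^')."""
    return any(re.search(p, url) for p in patterns)


def audit(urls, patterns):
    """Return {url: matched} for every probe URL under the given pattern set."""
    return {u: is_excepted(u, patterns) for u in urls}


# Constructed probe URLs: the first three should be excepted, the rest should not.
PROBES = [
    "https://portal.office.com/",
    "https://www.office.com",
    "https://contoso.sharepointonline.com:443/sites/x",
    "https://office.com.example.net/",    # host continues past office.com
    "https://portal.office.community/",   # different TLD sharing the prefix
    "https://notoffice.com/",             # no dot before office.com: rejected by both
]

if __name__ == "__main__":
    loose, tight = audit(PROBES, UTM_PATTERNS), audit(PROBES, TIGHT_PATTERNS)
    print(f"{'URL':50} {'as posted':10} tightened")
    for u in PROBES:
        print(f"{u:50} {str(loose[u]):10} {tight[u]}")
```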

  • Hello Vu,

    Yes, follow the prescription posted by Emile rather than fighting to make so many network objects.  You can paste his list right into the import option in an Exception.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA