Dear all,
we are currently not using a Sophos product for Internet access (neither as proxy nor as the outgoing gateway) but are looking into Sophos XG to replace our current proxy (Microsoft TMG 2010) with it. In preparation of implementing the Sophos XG I would like to know about features in the product in order to make sure the configuration for Internet access can be aligned with the Office 365 Network Principles. Please see below for further information on the topic.
We are currently moving our roughly 700 users from Office 2010 & Exchange 2010 to Office 365 and Exchange Online and so far everything works quite well. Regarding handling of Office 365 network traffic we have read the Office 365 Network Principles from Microsoft:
docs.microsoft.com/.../office-365-network-connectivity-principles
Usually all our clients can only access the Internet using a proxy server that is explicitely configured in the OS by GPO. Traffic that not traverses the proxy server is usually blocked and needs to be explicitly allowed on our outbound router.
Following the guidlines to seperate traffic destined for Office 365 we have deployed proxy settings to our clients that exclude traffic for all Office 365 destinations from the "Optimized Category" (i.e. *.sharepoint.com; outlook.office365.com etc.) so that traffic to those targets is routed directly (as recommended by Microsoft). Traffic to those endpoints is allowed as per the Office 365 URLs and IP address ranges:
docs.microsoft.com/.../urls-and-ip-address-ranges
We are using a script that reads the corresponding IP addresses from the Office 365 IP Address and URL web service to update the firewall rules on the outbound router.
So basically the concept is:
1. Traffic to Office 365 endpoints from the Optimize category is routed directly
2. All other http/https traffic is traversing the explicitly configured proxy server
We now have experienced connectivity issues with Outlook and found that some of the IP addresses that Outlook is connecting to are not listed in the Office 365 URLs and IP address ranges. For example, when resolving outlook.office365.com the DNS returns addresses that are not included in the list but Outlook is connecting to. I have posted the issue this along with a more detailed description on the Github site as feedback for the Office 365 URLs and IP address ranges website:
github.com/.../543
Others have posted about similar issues as well. As we obviously cannot rely on the Office 365 URLs and IP address ranges (since not all addresses are included) we have now allowed all outbound https traffic on our outbound router. The Outlook connectivity issues are solved now, but all clients now have direct outbound https access to the whole Internet which could pose a security risk if a user removes the GPO configured proxy and uses the direct outbound access for other traffic as well.
The problem could theoretically be solved if we use the explicitly configured proxy for all Office 365 traffic as well. In this case, DNS resolution is done at the proxy. If the proxy allows all outgoing connections to a particular URL like https://outlook.office365.com/ then the IP addresses don't matter anymore since the proxy can allow access solely based on the URL which it receives from the client. Using a proxy for Office 365 traffic however does not align with the recommendations by Microsoft and can lead to usability issues and performance problems.
In addition to that all our clients are dual stacked and have both IPv6 GUA and private IPV4 addresses. Besides following the recommendations from Microsoft for avoiding proxy services we also would prefer using IPv6 point to point connections between our clients and the Office 365 servers.
Does Sophos XG come with any features to provide this functionality even under the condition that the endpoints included in the Office 365 IP Address and URL web service from Microsoft are NOT complete? If the list from Microsoft WOULD be complete it of course would work as follows:
a) We are using an explicitly configured proxy for normal web traffic
b) We exclude Office 365 URLs from the client configuration
c) Clients would resolve those Office 365 URLs in DNS by themselves
d) Traffic to the resolved IP addresses is routed directly to the Sophos XG which also acts as transparent proxy
e) Sophos XG is aware of the Office 365 IP addresses and excludes this traffic from the proxy service and routes it directly
f) All other traffic is redirected to the proxy service where filtering is applied
However, since the list from Microsoft is NOT complete this will lead to cases in which traffic to Office 365 IP addresses is NOT excluded from the proxy service and therefore filtering is applied (which breaks usability). Or as in our current case: The traffic is completely blocked.
Is it possible to monitor traffic that is routed directly to the Sophos XG on the application layer before it is redirected to the proxy service? Then we maybe could look for the URL in the HTTP headers or TLS client handshake (in case of TLS) within the traffic and decide based on that if we route traffic directly or pass it through the proxy service. Well...but thinking through it I guess this wouldn't even work since we are receiving the information from HTTP headers / TLS handshake only AFTER establishing the initial TCP connection. And we cannot switch the connection between from direct to proxy or otherwise AFTER the TCP handshake has been completed (and this of course would BREAK the connection).
I therefore guess that we have no other options than to configure the XG as explicit proxy for normal web traffic and exclude Office 365 URLs directly on the client and route that traffic directly (with all outgoing https traffic allowed, since IP addresses are not correctly defined).
Anyway, any thoughts on Office 365 traffic separation with Sophos XG is appreciated.
Thanks
Michael
This thread was automatically locked due to age.
