Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Microsoft office 365 auto installer being blocked by Sophos XG125

Hi

I have deployed sophos XG125 firewall and found that

1. office 365 autoinstaller is being blocked by the XG

2. The use a Citrix client to connect to a website and download some templates in .xlsx format. The file downloads but cannot open. The XG reports the website domain-virus under blocked web attempts (see snapshot)

Anyone with solution for office365 and the blocked web site? Note the file actually downloads but cannot open, gives an extension error.

Regards

Tim



This thread was automatically locked due to age.
  • Hi Tim,

    if i have understood you correctly. 

    Try to add officecdn.microsoft.com and officecdn.microsoft.com.edgesuite.net to your policy.

    Hope that helps.

     

    greetings,

    Olli

  • Hi Olli

    Thanks. I added the domains above and this worked for office 365 installer.

    On the second issue, the client is using citrix retriever to connect to etelmar site. The reports from this site are .xlsx format and have extensions. The files are downloading but they cannot open and give an error about the extension.  If I connect to the same site on another router, the file downloads OK and can open. I noticed that download of the file through the sophos XG125, the file size is smaller. Any one seen this and knows what is happening?

    Regards

    Tim

  • Hi Tim,

    are you using application filter / webfilter policies? 

    Do you have HTTPS Scan enabled? 

    Maybe you can provide some screenshots.

    greetings,

    Olli

  • Hi Olli

    Sorry for delay in response. I am using application and web filter policies

    for application filter. and have also put the domain name in https scanning exception

    HTTPS scanning is not enabled in any policy.

    Regards

    Tm

  • Well I will reply to all similar discussion to help all.

    I discovered that every new firmware upgrading, the manual exception to section WEB \ EXCEPTIONS \Microsoft Windows Update are deleted !

    So first check that the exceptions that you have already inserted are deleted or not and after input again.

    But to check also what Microsoft adds or changes as website from download Office 365.

    Currently 15 may 2017, I discovered that microsoft use also this website: officecdn.microsoft.com.edgesuite.net (akamai provider).

    So for me to have successfully update of Office 365 I need to add these excpetions:

    officecdn.microsoft.com.edgesuite.net (new one manual added)

    and

    ^([A-Za-z0-9.-]*\.)?windows\.com/ (already manual added )

    The defualt reset expections after SFOS 16.05.4 MR-4 were only:

    ^([A-Za-z0-9.-]*\.)?windowsupdate\.com/

    and

    ^([A-Za-z0-9.-]*\.)?microsoft\.com/

    So check if you have ON Microsoft Windows Update and if you add the bold link.

  • Why in the world has this not been addressed in a patch?  We spent quite some time manually installing office and doing windows updates on a new laptop because of this issue.  All because a url is missing from an exception policy?  We've been using the XG for several months now and I've never had so many issues with a firewall. 

  • I couldnt agree more.  Why cant we have a switch we flip on the XG that allows all microsoft and 365 related apps communicate without an issue?  Whenever I have to install 365 I have to disable web scanning to perform that actions. I have entered dozens of exceptions without anything changing.

  • I put in the following exceptions, and was able to get the Office 365 to sucessfully complete:

    ^([A-Za-z0-9.-]*\.)?microsoft\.com/
    ^([A-Za-z0-9.-]*\.)?windowsupdate\.com/
    ^([A-Za-z0-9.-]*\.)?officecdn.microsoft.com.edgesuite.net/
    ^([A-Za-z0-9.-]*\.)?officecdn.microsoft\.com/
    ^([A-Za-z0-9.-]*\.)?windows\.com/

    Initially I had just the officecdn.microsoft.com.edgesuite.net & officecde.microsoft.com urls in the exception. 
    I had to add the other three to get it to work. 

    Hope this helps.

    LThibx