Sophos Firewall: Integration with Azure Stack-Hub

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


What is Azure Stack Hub?

Part of the Azure Stack portfolio, Azure Stack Hub broadens Azure to let you run apps in an on-premises environment and deliver Azure services in your datacenter. As organizations race to digitally transform, many are finding they can move faster by using public cloud services to build on modern architectures and refresh legacy apps. Many workloads, however, must remain on-premises – for example, due to technological and regulatory obstacles.

The following diagram shows an ideal setup of Azure Stack Hub with the Sophos Firewall acting as the edge firewall.

 

  • In the above diagram, the Sophos Firewall is connected to the border devices in a full-mesh topology.
  • The Sophos Firewall can be deployed in route mode (Layer 3). For details on getting started with the setup of the Sophos Firewall, please refer to this Video.
  • It is highly recommended to configure the Sophos Firewall in Active-Passive high availability for redundancy. More details on how to configure HA can be found here.
  • Azure Stack Hub is deployed directly behind the border routers (in certain cases, Azure Stack Hub can be deployed directly behind the Sophos Firewall, bypassing the border routers).

Network infrastructure:

The network infrastructure for Azure Stack consists of several logical networks that are configured on the switches. The following diagram shows these logical networks and how they integrate with the top-of-rack (TOR), baseboard management controller (BMC), and border (customer network) switches.

We connect the firewall to the border switch.

 

External Network (Public VIPs)

The Sophos Firewall will receive traffic from the external public VIP subnet; the public VIP range can be anywhere between a /26 (62 hosts) and a /22 (1022 hosts).

Azure Stack uses a total of 31 addresses from this network. Eight public IP addresses are used for a small set of Azure Stack services and the rest are used by tenant VMs. If you plan to use App Service and the SQL resource providers, 7 more addresses are used. The remaining 15 IPs are reserved for future Azure services.

Configuration on Sophos firewall:

As a customer, you have two different approaches to setting up the Sophos Firewall as an upstream transparent proxy. Sophos Firewall uses a proxyless web filtering solution that passes web traffic through its stream-based DPI engine.

  1. Have Sophos filter only the 31 addresses from the public VIP range and allow access only to the group of FQDNs that Microsoft recommends Azure Stack Hub needs to reach.
  2. Alternatively, the administrator can choose to send the entire public VIP range, including the tenant VMs, through the firewall's web filtering.

Step by Step Configuration

Microsoft strictly recommends not implementing TLS inspection on traffic from Azure Stack Hub.

To configure the Sophos Firewall to filter the traffic generated by Azure Stack Hub, the administrator must configure the Sophos Firewall in Layer 3 (route) mode and configure stateful high availability.

Step 1: Download the APIFQDN.tar file.

Step 2: From the UI, navigate to System > Backup and Firmware > Import/Export, select the file and import it.

 

 

This step imports all the FQDNs that Microsoft recommends for outbound communication from Azure Stack Hub to Microsoft services. The link to the document can be found here.

Step 3: Download the APIFQDNGroup.tar file and import the FQDN host groups from System > Backup and Firmware > Import/Export > Import the APIFQDNGroup.tar.

To verify that the host import succeeded, navigate to System > Hosts and Services > FQDN host, click the funnel icon, type “stack” and apply the filter.

To verify that the group import succeeded, check that the imported groups appear under FQDN host group.

 

Step 4: Create a static route for the public VIP range. Because the public VIP range sits behind a border switch operating at Layer 3, the firewall needs a static route to reach it: navigate to Configure > Routing > Static routing > Add.

 

 

Step 5: Delete all the default rules and groups: navigate to Protect > Rules and policies, select all the policies and delete them.

Step 6: Create a firewall rule to allow the Microsoft FQDNs. Navigate to Protect > Rules and policies > Add firewall rule > New firewall rule.

 

 

 

Rule name: <firewall rule name>

Action: Accept

Log Firewall traffic: Checked

Rule Position: Top

Rule group: None

Source Zone: LAN

Source Network: <Any> or <Create an object for the Public VIP Network>

Destination Zone: WAN

Destination network: Click on “Add new item” > Show only > FQDN host group (add the imported Stack Hub FQDN host groups)

Under Destination network, click on “Add new item” > Show only > FQDN host (add the required imported FQDN hosts)

Match Unknown Users: Unchecked

Under Security Features

Web Policy: Allow All

Block QUIC protocol: Checked

Click on Save

Step 7: Create service objects for the non-HTTP services that are to be allowed from the public VIP range.

Navigate to System > Hosts and Objects > Services > Add.

 

Step 8: Create a firewall rule to allow these non-HTTP services from Azure Stack Hub.

  

 

Step 9: Create a default Deny All rule at the bottom of the rule stack, as shown below.

 

Step 10: Check for the default SNAT policy. The firewall should have a default SNAT policy as part of the factory configuration that translates the source IP into a publicly routable IP address.

 

This should enable Azure Stack Hub to use the Sophos Firewall as a transparent proxy solution.
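To make the ordering in Steps 6 to 9 concrete, here is an added example (not from this article or from Sophos) that simulates the firewall's top-down, first-match evaluation over the three rules described: the FQDN allow rule with Block QUIC, the non-HTTP services rule and the bottom Deny All. The /26 public VIP prefix, the FQDN subset and the service list are constructed samples, and the glob-based FQDN matching is an approximation of the firewall's wildcard host objects.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Rule:
    name: str
    action: str          # "Accept" or "Drop"
    src_zone: str
    src_nets: list       # CIDR strings; empty list means Any
    dst_zone: str
    dst_fqdns: list      # wildcard FQDN patterns; empty list means Any
    services: list       # (proto, port) tuples; empty list means Any
    block_quic: bool = False   # the "Block QUIC protocol" security feature


@dataclass
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_host: str        # hostname the client resolved, as an FQDN object sees it
    proto: str
    port: int


def fqdn_matches(pattern: str, host: str) -> bool:
    # Approximation (assumption) of Sophos wildcard FQDN hosts: "*.azure.com"
    # covers any depth of subdomain but not the apex "azure.com" itself, which
    # is why the article's file carries both "*.microsoft.com" and "microsoft.com".
    return fnmatchcase(host.lower(), pattern.lower())


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.src_zone != flow.src_zone or rule.dst_zone != flow.dst_zone:
        return False
    if rule.src_nets and not any(
            ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(net)
            for net in rule.src_nets):
        return False
    if rule.dst_fqdns and not any(fqdn_matches(p, flow.dst_host) for p in rule.dst_fqdns):
        return False
    if rule.services and (flow.proto, flow.port) not in rule.services:
        return False
    return True


def evaluate(stack: list, flow: Flow) -> tuple:
    """Return (rule name, verdict) from the first rule that matches, top-down."""
    for rule in stack:
        if rule_matches(rule, flow):
            if rule.block_quic and flow.proto == "udp" and flow.port == 443:
                return rule.name, "Drop"      # QUIC blocked by the matching rule
            return rule.name, rule.action
    return "no rule", "Drop"   # traffic that matches no rule is dropped


# Constructed sample values; the article leaves the real prefix and objects to the reader.
PUBLIC_VIP = "203.0.113.0/26"          # a /26 gives the 62 hosts the article mentions
STACKHUB_FQDNS = ["*.windows.net", "*.microsoftonline.com", "*.azure.com",
                  "management.azure.com", "microsoft.com", "*.microsoft.com"]
NON_HTTP_SERVICES = [("udp", 123), ("tcp", 25)]   # e.g. NTP and SMTP (constructed)


def build_stack(deny_at_bottom: bool = True) -> list:
    """Steps 6, 8 and 9 as a rule list; deny_at_bottom=False shows the mis-ordered case."""
    allow_fqdn = Rule("Allow Microsoft FQDNs", "Accept", "LAN", [PUBLIC_VIP],
                      "WAN", STACKHUB_FQDNS, [], block_quic=True)
    allow_svc = Rule("Allow non-HTTP services", "Accept", "LAN", [PUBLIC_VIP],
                     "WAN", [], NON_HTTP_SERVICES)
    deny_all = Rule("Deny All", "Drop", "LAN", [], "WAN", [], [])
    if deny_at_bottom:
        return [allow_fqdn, allow_svc, deny_all]
    return [deny_all, allow_fqdn, allow_svc]   # Deny All shadows everything below it


def shadowed_by_deny_all(stack: list) -> list:
    """Names of Accept rules placed below a catch-all Deny All (never reachable).
    Zones are ignored here because all three rules in this stack are LAN to WAN."""
    catch_all_seen = False
    shadowed = []
    for rule in stack:
        if catch_all_seen and rule.action == "Accept":
            shadowed.append(rule.name)
        if rule.action == "Drop" and not (rule.src_nets or rule.dst_fqdns or rule.services):
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    stack = build_stack()
    for flow in [Flow("LAN", "203.0.113.10", "WAN", "login.microsoftonline.com", "tcp", 443),
                 Flow("LAN", "203.0.113.10", "WAN", "login.microsoftonline.com", "udp", 443),
                 Flow("LAN", "203.0.113.10", "WAN", "time.example.net", "udp", 123),
                 Flow("LAN", "203.0.113.10", "WAN", "updates.example.net", "tcp", 443),
                 Flow("LAN", "203.0.113.200", "WAN", "login.microsoftonline.com", "tcp", 443)]:
        print(flow.src_ip, flow.dst_host, flow.proto, flow.port, "->", evaluate(stack, flow))
    print("shadowed when Deny All is on top:", shadowed_by_deny_all(build_stack(False)))
```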

NOTE:

APIFQDN.tar

This file is APIFQDN.tar. Click Download; once it is downloaded, rename it to APIFQDN and, using a third-party application, save the file as .TAR.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1800.1" IPS_CAT_VER="1">
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub1</Name>
    <FQDN>*.windows.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub2</Name>
    <FQDN>*.microsoftonline.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub3</Name>
    <FQDN>secure.aadcdn.microsoftonline-p.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub4</Name>
    <FQDN>*.office.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub5</Name>
    <FQDN>management.core.windows.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub6</Name>
    <FQDN>*.azure.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub7</Name>
    <FQDN>*.msftauth.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub8</Name>
    <FQDN>*.msauth.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_stackhub9</Name>
    <FQDN>*.msocdn.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure_Government1</Name>
    <FQDN>login.microsoftonline.us</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure_Government2</Name>
    <FQDN>graph.windows.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure China 21Vianet1</Name>
    <FQDN>login.chinacloudapi.cn</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure China 21Vianet2</Name>
    <FQDN>graph.chinacloudapi.cn</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure Germany1</Name>
    <FQDN>login.microsoftonline.de</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS_Identity_Azure Germany2</Name>
    <FQDN>graph.cloudapi.de</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure1</Name>
    <FQDN>management.azure.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure2</Name>
    <FQDN>*.blob.core.windows.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure3</Name>
    <FQDN>*.azureedge.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure_Govt1</Name>
    <FQDN>management.usgovcloudapi.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure_Govt2</Name>
    <FQDN>*.blob.core.usgovcloudapi.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure China_21Vianet1</Name>
    <FQDN>management.chinacloudapi.cn</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Marketplace_syndication_Azure China_21Vianet2</Name>
    <FQDN>*.blob.core.chinacloudapi.cn</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Patch_Update</Name>
    <FQDN>aka.ms</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Registration_Azure</Name>
    <FQDN>management.azure.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Usage_Azure</Name>
    <FQDN>*.trafficmanager.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Registration_Azure_Govt</Name>
    <FQDN>management.usgovcloudapi.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Usage_Azure_Govt</Name>
    <FQDN>*.usgovtrafficmanager.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Usage_Azure China 21Vianet</Name>
    <FQDN>*.trafficmanager.cn</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_1</Name>
    <FQDN>*.wdcp.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_2</Name>
    <FQDN>*.wdcpalt.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_3</Name>
    <FQDN>*.wd.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_4</Name>
    <FQDN>*.update.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_5</Name>
    <FQDN>*.download.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Windows_Defender_6</Name>
    <FQDN>secure.aadcdn.microsoftonline-p.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Microsoft</Name>
    <FQDN>*.microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>MS</Name>
    <FQDN>microsoft.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Diagnostic Log Collection1</Name>
    <FQDN>azsdiagppelocalwestus02.blob.core.windows.net</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Diagnostic Log Collection2</Name>
    <FQDN>azsdiagppewestusfrontend.westus.cloudapp.azure.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Diagnostic Log Collection3</Name>
    <FQDN>azsdiagprdwestusfrontend.westus.cloudapp.azure.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>stackhub1</Name>
    <FQDN>*.deploy.static.akamaitechnologies.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Stackhub_portal</Name>
    <FQDN>adminportal.3171r16a.azcatcpec.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Stackhub_tenant_portal</Name>
    <FQDN>portal.3171r16a.azcatcpec.com</FQDN>
  </FQDNHost>
  <FQDNHost transactionid="">
    <Name>Stackhub_Wildcard</Name>
    <FQDN>*.3171r16a.azcatcpec.com</FQDN>
  </FQDNHost>
  <FQDNHostGroup transactionid="">
    <Name>Stackhub_Identity</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>MS_Identity_stackhub1</FQDNHost>
      <FQDNHost>MS_Identity_stackhub2</FQDNHost>
      <FQDNHost>MS_Identity_stackhub3</FQDNHost>
      <FQDNHost>MS_Identity_stackhub4</FQDNHost>
      <FQDNHost>MS_Identity_stackhub5</FQDNHost>
      <FQDNHost>MS_Identity_stackhub6</FQDNHost>
      <FQDNHost>MS_Identity_stackhub7</FQDNHost>
      <FQDNHost>MS_Identity_stackhub8</FQDNHost>
      <FQDNHost>MS_Identity_stackhub9</FQDNHost>
      <FQDNHost>MS_Identity_Azure_Government1</FQDNHost>
      <FQDNHost>MS_Identity_Azure_Government2</FQDNHost>
      <FQDNHost>MS_Identity_Azure China 21Vianet1</FQDNHost>
      <FQDNHost>MS_Identity_Azure China 21Vianet2</FQDNHost>
      <FQDNHost>MS_Identity_Azure Germany1</FQDNHost>
      <FQDNHost>MS_Identity_Azure Germany2</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Marketplace syndication</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Marketplace_syndication_Azure1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure2</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure3</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure_Govt1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure_Govt2</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure China_21Vianet1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure China_21Vianet2</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Registration</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Registration_Azure</FQDNHost>
      <FQDNHost>Registration_Azure_Govt</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Usage</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Usage_Azure</FQDNHost>
      <FQDNHost>Usage_Azure_Govt</FQDNHost>
      <FQDNHost>Usage_Azure China 21Vianet</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Windows_Defender</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Windows_Defender_1</FQDNHost>
      <FQDNHost>Windows_Defender_2</FQDNHost>
      <FQDNHost>Windows_Defender_3</FQDNHost>
      <FQDNHost>Windows_Defender_4</FQDNHost>
      <FQDNHost>Windows_Defender_5</FQDNHost>
      <FQDNHost>Windows_Defender_6</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Diagnostic Log Collection</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Diagnostic Log Collection1</FQDNHost>
      <FQDNHost>Diagnostic Log Collection2</FQDNHost>
      <FQDNHost>Diagnostic Log Collection3</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FqdnHostSetting transactionid="">
    <CacheTTL>Dns_Reply_TTL</CacheTTL>
    <IdleTimeout>Default</IdleTimeout>
  </FqdnHostSetting>
</Configuration>

API-FQDNGroup.tar

This file is API-FQDNGroup.tar. Click Download; once it is downloaded, rename it to API-FQDNGroup and, using a third-party application, save the file as .TAR.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1800.1" IPS_CAT_VER="1">
  <FQDNHostGroup transactionid="">
    <Name>Salesforce</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.content.force.com</FQDNHost>
      <FQDNHost>*.force.com</FQDNHost>
      <FQDNHost>*.salesforce.com</FQDNHost>
      <FQDNHost>*.staticforce.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Dropbox</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.db.tt</FQDNHost>
      <FQDNHost>*.dropbox.com</FQDNHost>
      <FQDNHost>*.dropboxapi.com</FQDNHost>
      <FQDNHost>*.dropboxbusiness.com</FQDNHost>
      <FQDNHost>*.dropboxdocs.com</FQDNHost>
      <FQDNHost>*.dropboxforums.com</FQDNHost>
      <FQDNHost>*.dropboxforum.com</FQDNHost>
      <FQDNHost>*.dropboxinsiders.com</FQDNHost>
      <FQDNHost>*.dropboxmail.com</FQDNHost>
      <FQDNHost>*.dropboxpartners.com</FQDNHost>
      <FQDNHost>*.dropboxstatic.com</FQDNHost>
      <FQDNHost>*.dropbox.zendesk.com</FQDNHost>
      <FQDNHost>*.getdropbox.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>box.com</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.box.com</FQDNHost>
      <FQDNHost>*.boxcloud.com</FQDNHost>
      <FQDNHost>*.boxlocalhost.com</FQDNHost>
      <FQDNHost>*.box.net</FQDNHost>
      <FQDNHost>*.boxcdn.net</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>join.me</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.join.me</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>logme.in</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.logme.in</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Amazon Cloudfront</Name>
    <Description/>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>GotoAssist</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.assist.com</FQDNHost>
      <FQDNHost>*.gotoassist.me</FQDNHost>
      <FQDNHost>*.gotoassist.at</FQDNHost>
      <FQDNHost>*.gotoassist.com</FQDNHost>
      <FQDNHost>*.go2assist.me</FQDNHost>
      <FQDNHost>*.fastsupport.com</FQDNHost>
      <FQDNHost>*.helpme.net</FQDNHost>
      <FQDNHost>*.gofastchat.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>GotoWebinar</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.gotowebinar.com</FQDNHost>
      <FQDNHost>*.joinwebinar.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>GotoMeeting</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.joingotomeeting.com</FQDNHost>
      <FQDNHost>*.gotomeet.me</FQDNHost>
      <FQDNHost>*.gotomeet.at</FQDNHost>
      <FQDNHost>*.gotomeeting.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>GotoMyPC</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.gotomypc.com</FQDNHost>
      <FQDNHost>*.openvoice.com</FQDNHost>
      <FQDNHost>*.api.filepicker.io</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>GotoTraining</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.jointraining.com</FQDNHost>
      <FQDNHost>*.gototraining.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Sharefile</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.sharefile.com</FQDNHost>
      <FQDNHost>*.sharefileftp.com</FQDNHost>
      <FQDNHost>*.sharefile-webdav.com</FQDNHost>
      <FQDNHost>*.sharefile.eu</FQDNHost>
      <FQDNHost>*.securevdr.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Podio</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.podio.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Other Citrix domains</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.citrixonlinecdn.com</FQDNHost>
      <FQDNHost>*.sf-api.com</FQDNHost>
      <FQDNHost>*.expertcity.com</FQDNHost>
      <FQDNHost>*.sf-api.eu</FQDNHost>
      <FQDNHost>*.getgocdn.com</FQDNHost>
      <FQDNHost>*.hu.tt</FQDNHost>
      <FQDNHost>*.osdimg.com</FQDNHost>
      <FQDNHost>*.citrixonline.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Apple Services</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.apple.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>iCloud</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.icloud.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Microsoft Services</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Microsoft</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Skype</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.messenger.live.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Netflix</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>*.netflix.com</FQDNHost>
      <FQDNHost>*.nflxext.com</FQDNHost>
      <FQDNHost>*.nflximg.net</FQDNHost>
      <FQDNHost>*.nflxso.net</FQDNHost>
      <FQDNHost>*.nflxvideo.net</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Google API Hosts</Name>
    <Description>Access to Google APIs for Chromebook SSO auth</Description>
    <FQDNHostList>
      <FQDNHost>*.clients.l.google.com</FQDNHost>
      <FQDNHost>*.googleapis.com</FQDNHost>
      <FQDNHost>m.google.com</FQDNHost>
      <FQDNHost>mobile.l.google.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Google Chrome Web Store</Name>
    <Description>Access to Google Web Store and other Google Services</Description>
    <FQDNHostList>
      <FQDNHost>chrome.google.com</FQDNHost>
      <FQDNHost>apis.google.com</FQDNHost>
      <FQDNHost>googleapis.l.google.com</FQDNHost>
      <FQDNHost>*.gstatic.com</FQDNHost>
      <FQDNHost>*.client-channel.google.com</FQDNHost>
      <FQDNHost>*.googleusercontent.com</FQDNHost>
      <FQDNHost>clients.l.google.com</FQDNHost>
      <FQDNHost>clients1.google.com</FQDNHost>
      <FQDNHost>clients2.google.com</FQDNHost>
      <FQDNHost>clients3.google.com</FQDNHost>
      <FQDNHost>clients4.google.com</FQDNHost>
      <FQDNHost>clients5.google.com</FQDNHost>
      <FQDNHost>clients6.google.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>SafeSearch enforcement</Name>
    <Description>SafeSearch enforcement requires the web proxy. Use this FQDN group in a firewall rule to ensure that all affected traffic is handled by the proxy.</Description>
    <FQDNHostList>
      <FQDNHost>www.google.ba</FQDNHost>
      <FQDNHost>www.bing.com</FQDNHost>
      <FQDNHost>www2.bing.com</FQDNHost>
      <FQDNHost>www4.bing.com</FQDNHost>
      <FQDNHost>wp.m.bing.com</FQDNHost>
      <FQDNHost>google.com</FQDNHost>
      <FQDNHost>*.google.com</FQDNHost>
      <FQDNHost>www.google.ad</FQDNHost>
      <FQDNHost>www.google.ae</FQDNHost>
      <FQDNHost>www.google.com.af</FQDNHost>
      <FQDNHost>www.google.com.ag</FQDNHost>
      <FQDNHost>www.google.com.ai</FQDNHost>
      <FQDNHost>www.google.al</FQDNHost>
      <FQDNHost>www.google.am</FQDNHost>
      <FQDNHost>www.google.co.ao</FQDNHost>
      <FQDNHost>www.google.com.ar</FQDNHost>
      <FQDNHost>www.google.as</FQDNHost>
      <FQDNHost>www.google.at</FQDNHost>
      <FQDNHost>www.google.com.au</FQDNHost>
      <FQDNHost>www.google.az</FQDNHost>
      <FQDNHost>www.google.com.bd</FQDNHost>
      <FQDNHost>www.google.be</FQDNHost>
      <FQDNHost>www.google.bf</FQDNHost>
      <FQDNHost>www.google.bg</FQDNHost>
      <FQDNHost>www.google.com.bh</FQDNHost>
      <FQDNHost>www.google.bi</FQDNHost>
      <FQDNHost>www.google.bj</FQDNHost>
      <FQDNHost>www.google.com.bn</FQDNHost>
      <FQDNHost>www.google.com.bo</FQDNHost>
      <FQDNHost>www.google.com.br</FQDNHost>
      <FQDNHost>www.google.bs</FQDNHost>
      <FQDNHost>www.google.bt</FQDNHost>
      <FQDNHost>www.google.co.bw</FQDNHost>
      <FQDNHost>www.google.by</FQDNHost>
      <FQDNHost>www.google.com.bz</FQDNHost>
      <FQDNHost>www.google.ca</FQDNHost>
      <FQDNHost>www.google.cd</FQDNHost>
      <FQDNHost>www.google.cf</FQDNHost>
      <FQDNHost>www.google.cg</FQDNHost>
      <FQDNHost>www.google.ch</FQDNHost>
      <FQDNHost>www.google.ci</FQDNHost>
      <FQDNHost>www.google.co.ck</FQDNHost>
      <FQDNHost>www.google.cl</FQDNHost>
      <FQDNHost>www.google.cm</FQDNHost>
      <FQDNHost>www.google.cn</FQDNHost>
      <FQDNHost>www.google.com.co</FQDNHost>
      <FQDNHost>www.google.co.cr</FQDNHost>
      <FQDNHost>www.google.com.cu</FQDNHost>
      <FQDNHost>www.google.cv</FQDNHost>
      <FQDNHost>www.google.com.cy</FQDNHost>
      <FQDNHost>www.google.cz</FQDNHost>
      <FQDNHost>www.google.de</FQDNHost>
      <FQDNHost>www.google.dj</FQDNHost>
      <FQDNHost>www.google.dk</FQDNHost>
      <FQDNHost>www.google.dm</FQDNHost>
      <FQDNHost>www.google.com.do</FQDNHost>
      <FQDNHost>www.google.dz</FQDNHost>
      <FQDNHost>www.google.com.ec</FQDNHost>
      <FQDNHost>www.google.ee</FQDNHost>
      <FQDNHost>www.google.com.eg</FQDNHost>
      <FQDNHost>www.google.es</FQDNHost>
      <FQDNHost>www.google.com.et</FQDNHost>
      <FQDNHost>www.google.fi</FQDNHost>
      <FQDNHost>www.google.com.fj</FQDNHost>
      <FQDNHost>www.google.fm</FQDNHost>
      <FQDNHost>www.google.fr</FQDNHost>
      <FQDNHost>www.google.ga</FQDNHost>
      <FQDNHost>www.google.ge</FQDNHost>
      <FQDNHost>www.google.gg</FQDNHost>
      <FQDNHost>www.google.com.gh</FQDNHost>
      <FQDNHost>www.google.com.gi</FQDNHost>
      <FQDNHost>www.google.gl</FQDNHost>
      <FQDNHost>www.google.gm</FQDNHost>
      <FQDNHost>www.google.gp</FQDNHost>
      <FQDNHost>www.google.gr</FQDNHost>
      <FQDNHost>www.google.com.gt</FQDNHost>
      <FQDNHost>www.google.gy</FQDNHost>
      <FQDNHost>www.google.com.hk</FQDNHost>
      <FQDNHost>www.google.hn</FQDNHost>
      <FQDNHost>www.google.hr</FQDNHost>
      <FQDNHost>www.google.ht</FQDNHost>
      <FQDNHost>www.google.hu</FQDNHost>
      <FQDNHost>www.google.co.id</FQDNHost>
      <FQDNHost>www.google.ie</FQDNHost>
      <FQDNHost>www.google.co.il</FQDNHost>
      <FQDNHost>www.google.im</FQDNHost>
      <FQDNHost>www.google.co.in</FQDNHost>
      <FQDNHost>www.google.iq</FQDNHost>
      <FQDNHost>www.google.is</FQDNHost>
      <FQDNHost>www.google.it</FQDNHost>
      <FQDNHost>www.google.je</FQDNHost>
      <FQDNHost>www.google.com.jm</FQDNHost>
      <FQDNHost>www.google.jo</FQDNHost>
      <FQDNHost>www.google.co.jp</FQDNHost>
      <FQDNHost>www.google.co.ke</FQDNHost>
      <FQDNHost>www.google.com.kh</FQDNHost>
      <FQDNHost>www.google.ki</FQDNHost>
      <FQDNHost>www.google.kg</FQDNHost>
      <FQDNHost>www.google.co.kr</FQDNHost>
      <FQDNHost>www.google.com.kw</FQDNHost>
      <FQDNHost>www.google.kz</FQDNHost>
      <FQDNHost>www.google.la</FQDNHost>
      <FQDNHost>www.google.com.lb</FQDNHost>
      <FQDNHost>www.google.li</FQDNHost>
      <FQDNHost>www.google.lk</FQDNHost>
      <FQDNHost>www.google.co.ls</FQDNHost>
      <FQDNHost>www.google.lt</FQDNHost>
      <FQDNHost>www.google.lu</FQDNHost>
      <FQDNHost>www.google.lv</FQDNHost>
      <FQDNHost>www.google.com.ly</FQDNHost>
      <FQDNHost>www.google.co.ma</FQDNHost>
      <FQDNHost>www.google.md</FQDNHost>
      <FQDNHost>www.google.me</FQDNHost>
      <FQDNHost>www.google.mg</FQDNHost>
      <FQDNHost>www.google.mk</FQDNHost>
      <FQDNHost>www.google.ml</FQDNHost>
      <FQDNHost>www.google.com.mm</FQDNHost>
      <FQDNHost>www.google.mn</FQDNHost>
      <FQDNHost>www.google.ms</FQDNHost>
      <FQDNHost>www.google.com.mt</FQDNHost>
      <FQDNHost>www.google.mu</FQDNHost>
      <FQDNHost>www.google.mv</FQDNHost>
      <FQDNHost>www.google.mw</FQDNHost>
      <FQDNHost>www.google.com.mx</FQDNHost>
      <FQDNHost>www.google.com.my</FQDNHost>
      <FQDNHost>www.google.co.mz</FQDNHost>
      <FQDNHost>www.google.com.na</FQDNHost>
      <FQDNHost>www.google.com.nf</FQDNHost>
      <FQDNHost>www.google.com.ng</FQDNHost>
      <FQDNHost>www.google.com.ni</FQDNHost>
      <FQDNHost>www.google.ne</FQDNHost>
      <FQDNHost>www.google.nl</FQDNHost>
      <FQDNHost>www.google.no</FQDNHost>
      <FQDNHost>www.google.com.np</FQDNHost>
      <FQDNHost>www.google.nr</FQDNHost>
      <FQDNHost>www.google.nu</FQDNHost>
      <FQDNHost>www.google.co.nz</FQDNHost>
      <FQDNHost>www.google.com.om</FQDNHost>
      <FQDNHost>www.google.com.pa</FQDNHost>
      <FQDNHost>www.google.com.pe</FQDNHost>
      <FQDNHost>www.google.com.pg</FQDNHost>
      <FQDNHost>www.google.com.ph</FQDNHost>
      <FQDNHost>www.google.com.pk</FQDNHost>
      <FQDNHost>www.google.pl</FQDNHost>
      <FQDNHost>www.google.pn</FQDNHost>
      <FQDNHost>www.google.com.pr</FQDNHost>
      <FQDNHost>www.google.ps</FQDNHost>
      <FQDNHost>www.google.pt</FQDNHost>
      <FQDNHost>www.google.com.py</FQDNHost>
      <FQDNHost>www.google.com.qa</FQDNHost>
      <FQDNHost>www.google.ro</FQDNHost>
      <FQDNHost>www.google.ru</FQDNHost>
      <FQDNHost>www.google.rw</FQDNHost>
      <FQDNHost>www.google.com.sa</FQDNHost>
      <FQDNHost>www.google.com.sb</FQDNHost>
      <FQDNHost>www.google.sc</FQDNHost>
      <FQDNHost>www.google.se</FQDNHost>
      <FQDNHost>www.google.com.sg</FQDNHost>
      <FQDNHost>www.google.sh</FQDNHost>
      <FQDNHost>www.google.si</FQDNHost>
      <FQDNHost>www.google.sk</FQDNHost>
      <FQDNHost>www.google.com.sl</FQDNHost>
      <FQDNHost>www.google.sn</FQDNHost>
      <FQDNHost>www.google.so</FQDNHost>
      <FQDNHost>www.google.sm</FQDNHost>
      <FQDNHost>www.google.sr</FQDNHost>
      <FQDNHost>www.google.st</FQDNHost>
      <FQDNHost>www.google.com.sv</FQDNHost>
      <FQDNHost>www.google.td</FQDNHost>
      <FQDNHost>www.google.tg</FQDNHost>
      <FQDNHost>www.google.co.th</FQDNHost>
      <FQDNHost>www.google.com.tj</FQDNHost>
      <FQDNHost>www.google.tk</FQDNHost>
      <FQDNHost>www.google.tl</FQDNHost>
      <FQDNHost>www.google.tm</FQDNHost>
      <FQDNHost>www.google.tn</FQDNHost>
      <FQDNHost>www.google.to</FQDNHost>
      <FQDNHost>www.google.com.tr</FQDNHost>
      <FQDNHost>www.google.tt</FQDNHost>
      <FQDNHost>www.google.com.tw</FQDNHost>
      <FQDNHost>www.google.co.tz</FQDNHost>
      <FQDNHost>www.google.com.ua</FQDNHost>
      <FQDNHost>www.google.co.ug</FQDNHost>
      <FQDNHost>www.google.co.uk</FQDNHost>
      <FQDNHost>www.google.com.uy</FQDNHost>
      <FQDNHost>www.google.co.uz</FQDNHost>
      <FQDNHost>www.google.com.vc</FQDNHost>
      <FQDNHost>www.google.co.ve</FQDNHost>
      <FQDNHost>www.google.vg</FQDNHost>
      <FQDNHost>www.google.co.vi</FQDNHost>
      <FQDNHost>www.google.com.vn</FQDNHost>
      <FQDNHost>www.google.vu</FQDNHost>
      <FQDNHost>www.google.ws</FQDNHost>
      <FQDNHost>www.google.rs</FQDNHost>
      <FQDNHost>www.google.co.za</FQDNHost>
      <FQDNHost>www.google.co.zm</FQDNHost>
      <FQDNHost>www.google.co.zw</FQDNHost>
      <FQDNHost>www.google.cat</FQDNHost>
      <FQDNHost>search.yahoo.com</FQDNHost>
      <FQDNHost>*.search.yahoo.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>YouTube restrictions enforcement</Name>
    <Description>YouTube restrictions enforcement requires the web proxy. Use this FQDN group in a firewall rule to ensure that all affected traffic is handled by the proxy.</Description>
    <FQDNHostList>
      <FQDNHost>www.youtube.com</FQDNHost>
      <FQDNHost>m.youtube.com</FQDNHost>
      <FQDNHost>youtube.googleapis.com</FQDNHost>
      <FQDNHost>youtubei.googleapis.com</FQDNHost>
      <FQDNHost>www.youtube-nocookie.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Google app enforcement</Name>
    <Description>Google app domain enforcement requires use of the web proxy. Use this FQDN group in a firewall rule to ensure that all affected traffic is handled by the proxy.</Description>
    <FQDNHostList>
      <FQDNHost>google.com</FQDNHost>
      <FQDNHost>*.google.com</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Stackhub_Identity</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>MS_Identity_stackhub1</FQDNHost>
      <FQDNHost>MS_Identity_stackhub2</FQDNHost>
      <FQDNHost>MS_Identity_stackhub3</FQDNHost>
      <FQDNHost>MS_Identity_stackhub4</FQDNHost>
      <FQDNHost>MS_Identity_stackhub5</FQDNHost>
      <FQDNHost>MS_Identity_stackhub6</FQDNHost>
      <FQDNHost>MS_Identity_stackhub7</FQDNHost>
      <FQDNHost>MS_Identity_stackhub8</FQDNHost>
      <FQDNHost>MS_Identity_stackhub9</FQDNHost>
      <FQDNHost>MS_Identity_Azure_Government1</FQDNHost>
      <FQDNHost>MS_Identity_Azure_Government2</FQDNHost>
      <FQDNHost>MS_Identity_Azure China 21Vianet1</FQDNHost>
      <FQDNHost>MS_Identity_Azure China 21Vianet2</FQDNHost>
      <FQDNHost>MS_Identity_Azure Germany1</FQDNHost>
      <FQDNHost>MS_Identity_Azure Germany2</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Marketplace syndication</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Marketplace_syndication_Azure1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure2</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure3</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure_Govt1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure_Govt2</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure China_21Vianet1</FQDNHost>
      <FQDNHost>Marketplace_syndication_Azure China_21Vianet2</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Registration</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Registration_Azure</FQDNHost>
      <FQDNHost>Registration_Azure_Govt</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Usage</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Usage_Azure</FQDNHost>
      <FQDNHost>Usage_Azure_Govt</FQDNHost>
      <FQDNHost>Usage_Azure China 21Vianet</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Windows_Defender</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Windows_Defender_1</FQDNHost>
      <FQDNHost>Windows_Defender_2</FQDNHost>
      <FQDNHost>Windows_Defender_3</FQDNHost>
      <FQDNHost>Windows_Defender_4</FQDNHost>
      <FQDNHost>Windows_Defender_5</FQDNHost>
      <FQDNHost>Windows_Defender_6</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Diagnostic Log Collection</Name>
    <Description/>
    <FQDNHostList>
      <FQDNHost>Diagnostic Log Collection1</FQDNHost>
      <FQDNHost>Diagnostic Log Collection2</FQDNHost>
      <FQDNHost>Diagnostic Log Collection3</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
</Configuration>
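Before importing either .tar, it is worth checking the XML inside it. The following added example (not from this article or from Sophos) parses an export in the format shown above and reports group members that no FQDNHost in the file defines, the same FQDN defined under two host names (as secure.aadcdn.microsoftonline-p.com is in APIFQDN.tar), wildcards broad enough to deserve review before they go into an allow rule, and groups with no members. The embedded XML is a constructed excerpt, and which wildcards count as broad is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Wildcard hosts in the file above that cover a whole cloud or vendor apex rather
# than one service. Which patterns count as "broad" is a judgement call
# (assumption); the allow rule built from them should be reviewed with that in mind.
BROAD_WILDCARDS = {"*.windows.net", "*.azure.com", "*.microsoft.com", "*.office.com"}


def validate_fqdn_config(xml_text: str) -> dict:
    """Cross-check FQDNHost and FQDNHostGroup objects in a Sophos Firewall export."""
    root = ET.fromstring(xml_text)
    hosts = {}                       # host object name -> FQDN pattern
    owners = defaultdict(list)       # FQDN pattern -> host object names that use it
    for host in root.findall("FQDNHost"):        # direct children only, not group members
        name = (host.findtext("Name") or "").strip()
        fqdn = (host.findtext("FQDN") or "").strip()
        hosts[name] = fqdn
        owners[fqdn].append(name)

    unresolved, empty_groups = {}, []
    for group in root.findall("FQDNHostGroup"):
        gname = (group.findtext("Name") or "").strip()
        members = [(m.text or "").strip() for m in group.findall("FQDNHostList/FQDNHost")]
        if not members:
            empty_groups.append(gname)          # a group that allows nothing at all
        missing = [m for m in members if m not in hosts]
        if missing:
            unresolved[gname] = missing         # refers to a host this file does not define
    return {
        "hosts": len(hosts),
        "unresolved": unresolved,
        "duplicates": {f: n for f, n in owners.items() if len(n) > 1},
        "broad": sorted(n for n, f in hosts.items() if f in BROAD_WILDCARDS),
        "empty_groups": empty_groups,
    }


# Constructed excerpt combining shapes seen in both files above.
SAMPLE_XML = """<Configuration APIVersion="1800.1" IPS_CAT_VER="1">
  <FQDNHost transactionid=""><Name>MS_Identity_stackhub1</Name><FQDN>*.windows.net</FQDN></FQDNHost>
  <FQDNHost transactionid=""><Name>MS_Identity_stackhub3</Name><FQDN>secure.aadcdn.microsoftonline-p.com</FQDN></FQDNHost>
  <FQDNHost transactionid=""><Name>Windows_Defender_6</Name><FQDN>secure.aadcdn.microsoftonline-p.com</FQDN></FQDNHost>
  <FQDNHost transactionid=""><Name>Registration_Azure</Name><FQDN>management.azure.com</FQDN></FQDNHost>
  <FQDNHostGroup transactionid="">
    <Name>Stackhub_Identity</Name><Description/>
    <FQDNHostList>
      <FQDNHost>MS_Identity_stackhub1</FQDNHost>
      <FQDNHost>MS_Identity_stackhub2</FQDNHost>
    </FQDNHostList>
  </FQDNHostGroup>
  <FQDNHostGroup transactionid="">
    <Name>Amazon Cloudfront</Name><Description/>
  </FQDNHostGroup>
</Configuration>"""


if __name__ == "__main__":
    import sys
    # Pass the extracted XML file as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for key, value in validate_fqdn_config(text).items():
        print(f"{key}: {value}")
```

Unresolved members are not necessarily errors: the default groups in API-FQDNGroup.tar may reference host objects that already exist on the firewall rather than in the file, so treat that finding as a prompt to confirm the host exists before importing.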




[edited by: emmosophos at 10:50 PM (GMT -8) on 14 Nov 2023]