We are in the process of migrating to Office365. As part of the process, the networked is evaluated and the first recommendation by Microsoft is to remove any proxies from the path between the user and Office365. The problem with this is that MS has a ton of IP Address ranges and URLs.
The primary guidelines are:
Really good overview of their philosophy from Ignite:
Here is the entire IP/URL List in XML format: https://support.content.office.net/en-us/static/O365IPAddresses.xml
The problem I see is managing the list of IP Addresses and URLs. The list is long and changes somewhat frequently, so it's not just a matter of doing it once, you have to maintain it. As far as I know, there is no Network object in the UTM that let's you drop a list of subnets. That wouldn't be bad. But it appears that each subnet has to be created as a network definition and them maybe added to a group. But some places in Sophos do not accept groups, so then each subnet would have to be dragged one at a time in the interface. Again tedious to implement and more tedious to maintain.
I could use the API, but that would have to be run against each UTM. This will take a bit of work to implement, but may be the best solution long term.
Has anyone discovered an easy solution to keeping this type of thing up to date?
Next question, after downloading the MS IP addresses, the total count is 659 subnets. Can the Sophos handle that many network objects? Sometimes it struggles enumerating network definitions and I only have 450 now.
Done. Updated all three UTM devices using PowerShell and the Sophos API. I am relatively new to PowerShell, so this was quite an exercise, I hope this might help others map the Sophos API examples to PowerShell commands.
I am calling the script above with this script. This script maintains the list of Sophos devices and they API Keys. Loops through the list calling other specified script. I plan to create a few other scripts to update other components and this way the API keys are maintained in a single script I can secure a bit more than usual.
Thanks, Tim - this thread is a great contribution! I'll prioritize this at the top of this forum with "forever" selected.
Cheers - Bob
I am about to figure this all out for my ASG320 UTM9 setup and our move to O365. I know very little about PS and using Sophos RestfulAPI but I am eager to try this. I am using transparent proxy and plan to add the resulting group(s) to the transparent destination skip list. I think this will do most of what is required. FYI, 80 and 443 are open outbound for everyone.
I believe the only other things that need to be done is to open the other required ports for SfB and try to limit those ports just to the group created by your scripts.
Does this make sense and is that what you ultimately did?