We are in the process of migrating to Office365. As part of the process, the network is evaluated and the first recommendation by Microsoft is to remove any proxies from the path between the user and Office365. The problem with this is that MS has a ton of IP address ranges and URLs.
The primary guidelines are:
Really good overview of their philosophy from Ignite:
Here is the entire IP/URL List in XML format: https://support.content.office.net/en-us/static/O365IPAddresses.xml
The problem I see is managing the list of IP addresses and URLs. The list is long and changes somewhat frequently, so it's not just a matter of doing it once, you have to maintain it. As far as I know, there is no Network object in the UTM that lets you drop in a list of subnets. That wouldn't be bad. But it appears that each subnet has to be created as a network definition and then maybe added to a group. But some places in Sophos do not accept groups, so then each subnet would have to be dragged one at a time in the interface. Again tedious to implement and more tedious to maintain.
I could use the API, but that would have to be run against each UTM. This will take a bit of work to implement, but may be the best solution long term.
Has anyone discovered an easy solution to keeping this type of thing up to date?
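One way to make the "maintain it with the API" approach from the post above manageable is to never hand-edit the list at all: fetch the XML, parse it, collapse adjacent or nested subnets so fewer network definitions are needed, and diff the result against what the UTM already has, so only the additions and removals get pushed. The script below is an added example written for this thread, not code from the original post or from Sophos. It assumes the XML keeps the `<products><product name=...><addresslist type=...><address>` layout of the file linked above; the sample XML, the "current definitions" set and the `O365_` naming convention are all constructed here for illustration. Pushing the resulting change set to each UTM (via its REST API or the PowerShell module mentioned later in the thread) is left out so the example runs offline.

```python
"""Compute the change set needed to keep Sophos UTM network definitions in
sync with Microsoft's O365IPAddresses.xml (example code for this thread).

Assumptions (not from the original post):
  * the XML uses <products><product name><addresslist type><address> elements;
  * SAMPLE_XML and CURRENT_UTM_DEFINITIONS are constructed stand-ins for the
    live download and for the definitions already present on a UTM;
  * the O365_<network>_<prefix> object name is a convention chosen here.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of O365IPAddresses.xml. The two adjacent
# 104.146.x.x /17 ranges and the duplicated 40.96.0.0/13 are there on purpose
# to show aggregation and de-duplication.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.152/31</address>
      <address>13.107.18.10/31</address>
      <address>40.96.0.0/13</address>
      <address>40.104.0.0/15</address>
      <address>104.146.0.0/17</address>
      <address>104.146.128.0/17</address>
    </addresslist>
    <addresslist type="URL">
      <address>outlook.office365.com</address>
      <address>*.sharepoint.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv4">
      <address>40.96.0.0/13</address>
      <address>52.96.0.0/14</address>
    </addresslist>
  </product>
</products>
"""

# Constructed: what the UTM is imagined to hold today. 198.51.100.0/24 is a
# stale entry that Microsoft no longer lists and should therefore be removed.
CURRENT_UTM_DEFINITIONS = [
    "13.107.6.152/31", "40.96.0.0/13", "40.104.0.0/15",
    "52.96.0.0/14", "198.51.100.0/24",
]


def parse_o365_xml(xml_text):
    """Return {(product_name, list_type): set(address strings)}."""
    root = ET.fromstring(xml_text)
    result = {}
    for product in root.findall("product"):
        for alist in product.findall("addresslist"):
            entries = {a.text.strip() for a in alist.findall("address") if a.text}
            key = (product.get("name"), alist.get("type"))
            result.setdefault(key, set()).update(entries)
    return result


def ipv4_networks(parsed, products=None):
    """Union of IPv4 ranges across the chosen products (all if None), collapsed
    so adjacent or nested subnets become a single definition."""
    nets = []
    for (name, list_type), addrs in parsed.items():
        if list_type != "IPv4" or (products and name not in products):
            continue
        nets.extend(ipaddress.ip_network(a, strict=False) for a in addrs)
    return sorted(ipaddress.collapse_addresses(nets))


def url_entries(parsed, products=None):
    """Hostnames/wildcards from the URL lists (for proxy exceptions)."""
    urls = set()
    for (name, list_type), addrs in parsed.items():
        if list_type == "URL" and (not products or name in products):
            urls.update(addrs)
    return sorted(urls)


def plan_changes(desired, current):
    """Return (to_add, to_remove) as CIDR strings, each sorted by address."""
    desired = {str(n) for n in desired}
    current = set(current)
    by_addr = lambda s: ipaddress.ip_network(s)
    return sorted(desired - current, key=by_addr), sorted(current - desired, key=by_addr)


def utm_name(cidr):
    """Object name for a network definition, e.g. O365_40.96.0.0_13."""
    return "O365_" + cidr.replace("/", "_")


if __name__ == "__main__":
    parsed = parse_o365_xml(SAMPLE_XML)
    to_add, to_remove = plan_changes(ipv4_networks(parsed), CURRENT_UTM_DEFINITIONS)
    for cidr in to_add:
        print("add   ", utm_name(cidr), cidr)
    for cidr in to_remove:
        print("remove", utm_name(cidr), cidr)
    print("proxy exceptions:", ", ".join(url_entries(parsed)))
```

Run on a schedule against the real download, the script turns a 600-entry problem into a short add/remove list per run; the collapse step is what keeps the definition count from growing with every Microsoft update. Per-product filtering (`products={"EXO"}`) is there for sites that only want to exempt, say, Exchange Online.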
Did you try to allow Office365 in Application Control?
Following my logs, it hits all O365 related access
I will certainly check that out. I do find application control to be very obscure and have had issues trying to make it work correctly and it is not very well documented or at least I have not been able to find good documentation. I will look through your threads to see what you have done. If it is that simple I will be impressed!
Application Control can "allow" applications, but does it reduce the UTM overhead for the traffic? Per Microsoft, for best performance, Office Apps like Skype/Teams/OneDrive/SharePoint/Exchange need direct access to the resource without any inspection, QOS or other rules hindering performance. Office is to be considered a trusted source just like internal servers when connecting to your resources over the internet.
Most of this effort for me has been to maximize performance of Office products.
Application Control has become almost unusable for me on the SG430, it takes minutes to pull up the list and sometimes longer to filter. Plus, it doesn't always have what I need or doesn't work in all instances.
Exact same thought on the application control option for me. Does it impact further or does it reduce inspection overall? I have not been able to find any granular documentation on how it is implemented and whether or not it is updated on a regular basis as part of the signature updates. If it is only updated via firmware updates then those are becoming fewer and farther between of late. It would be great to know this info and would in fact be a good selling point for Sophos UTM devices. There is also a chance it is never or very randomly updated.
I am on an SG320 and it is very sluggish on the management screens too and getting worse with each upgrade. I also have had to do a lot of tweaks to keep my CPU spikes to an acceptable level so there could definitely be an impact from O365 rule sets no matter how they are added/implemented.
My 5 year maintenance/updates agreement is up on my SG320 so I am just in the process of evaluating whether to upgrade to a new Sophos device or should I bail and go with something different. The past decade with Astaro/Sophos has been a bit of a love/hate relationship and mainly around circumstances just like this.
I just tried to add Office with Application Control, and the list came up but when I tried to filter on "Office", it showed it had 8 results, but after 10 minutes it still hadn't finished trying to display them. Unusable.
This is what scares me. I get higher rates of CPU usage as is currently. This spike will only last a few minutes and settle down and traffic seems to flow through ok but adding another application control or 600 network definitions could break it.
Guys, in AppCtrl, an "Allow" rule should be considered as an "Exception" for a subsequent "Block" rule. It's really only used to block applications. I don't have many active AppCtrl rules at any client site.
Cheers - Bob
Used the powershell module and it worked like a charm! Thanks a lot for this great work! I am really wondering why there are not more posts in this thread. A last question: we use transparent proxy, should I put the created group of O365 networks into the Transparent Mode Skiplist as well? Or is the added exception rule already enough? Thx a lot, Peter