This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Office365 deployment best practice

We are in the process of migrating to Office365. As part of the process, the networked is evaluated and the first recommendation by Microsoft is to remove any proxies from the path between the user and Office365. The problem with this is that MS has a ton of IP Address ranges and URLs.

The primary guidelines are:

  1. Use a proxy PAC files to send all the MS URLs direct.
  2. Create policies on the firewall to allow all IP ranges and URLs

https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a?ui=en-US&rs=en-US&ad=US

Really good overview of their philosophy from Ignite:

https://www.youtube.com/watch?v=19a8s90HboQ&feature=youtu.be

Here is the entire IP/URL List in XML format: https://support.content.office.net/en-us/static/O365IPAddresses.xml

The problem I see is managing the list of IP Addresses and URLs. The list is long and changes somewhat frequently, so it's not just a matter of doing it once, you have to maintain it. As far as I know, there is no Network object in the UTM that let's you drop a list of subnets. That wouldn't be bad. But it appears that each subnet has to be created as a network definition and them maybe added to a group. But some places in Sophos do not accept groups, so then each subnet would have to be dragged one at a time in the interface. Again tedious to implement and more tedious to maintain.

I could use the API, but that would have to be run against each UTM. This will take a bit of work to implement, but may be the best solution long term.

Has anyone discovered an easy solution to keeping this type of thing up to date?



This thread was automatically locked due to age.
Parents Reply Children
  • Hallo Jonathan and welcome to the UTM Community!

    Great work - we all hope you will continue to participate!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is really great. Thanks a lot!! We are going to implement this the next days.

    I was wondering if there is also a possibilty to route/bind the office365 traffic to a special wan interface? We have to lines, one symmetric fibre for vpn and business (critical) applications and one asymmetric cable line für internet surfing. Any ideas? or should i just put all the created opjects in a multipath rule?

    Thx a lot!

  • Really nice work Jonathan! It looks very, very good.

    One question from me, I installed the PS module and now I want to "simulate" what Endpoints and Rules and so on will be created in the Firewall.

    I do not have a UTM for testing and I do not want to destroy my productive one :-)
    Only getting the log files without the REAL "Rest API" stuff? Is it possible?

    Thank you very much in advance!

    Timm

  • Hello Timm,

    you could setup a virtual machine with UTM software for testing.

    Have a look here: https://www.sophos.com/en-us/support/utm-downloads.aspx

    You even get a 30 days evaluation/demo license for that.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi All,

     

    When I try the powershell module or any of the scripts I get a 401 error.

     

    I have created a new user, given it a static ip and created the API key.

    I am able to log in and query using the web api interface.

    I have tried with the API key from the Curl command.

     

    In the error log I get [ConfdHelper] withConfdConnection Setting StatusUnauthorized: No authentication header found

    In the script windows I get Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

     

    Not sure what else to try.

    Thanks.