This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Office365 deployment best practice

We are in the process of migrating to Office365. As part of the process, the networked is evaluated and the first recommendation by Microsoft is to remove any proxies from the path between the user and Office365. The problem with this is that MS has a ton of IP Address ranges and URLs.

The primary guidelines are:

  1. Use a proxy PAC files to send all the MS URLs direct.
  2. Create policies on the firewall to allow all IP ranges and URLs

https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a?ui=en-US&rs=en-US&ad=US

Really good overview of their philosophy from Ignite:

https://www.youtube.com/watch?v=19a8s90HboQ&feature=youtu.be

Here is the entire IP/URL List in XML format: https://support.content.office.net/en-us/static/O365IPAddresses.xml

The problem I see is managing the list of IP Addresses and URLs. The list is long and changes somewhat frequently, so it's not just a matter of doing it once, you have to maintain it. As far as I know, there is no Network object in the UTM that let's you drop a list of subnets. That wouldn't be bad. But it appears that each subnet has to be created as a network definition and them maybe added to a group. But some places in Sophos do not accept groups, so then each subnet would have to be dragged one at a time in the interface. Again tedious to implement and more tedious to maintain.

I could use the API, but that would have to be run against each UTM. This will take a bit of work to implement, but may be the best solution long term.

Has anyone discovered an easy solution to keeping this type of thing up to date?



This thread was automatically locked due to age.
Parents
  • Thanks for all the scripts and snippets shared in this thread! Unfortunately these require quite a lot of manual changes in the PowerShell scripts and rely on local files to keep track of changes. In order to automate the task of updating the network definitions and web protection exception I created a PowerShell module which is easy to install and execute.

    The module SophosEndpoints - https://www.powershellgallery.com/packages/SophosEndpoints is hosted on PowerShell Gallery, so if you have PowerShell 5, or the PowerShellGet module, just open an elevated PowerShell and run the following cmdlet to install the module:

    Install-Module SophosEndpoints

    To create or update the networks and exception in UTM run the following cmdlet in PowerShell:

    Set-EndpointsInUtm -UtmApiUrl "sophos.testlab.live:4444/api" -UtmApiKey "kjAHGansdzyPdsYhmILKgOWsh" -TenantName testlab -LogFilePath "C:\Set-EndpointsInUtm.log"

    You have to adapt the parameters according to your environment.

    You can check out the source code on GitHub - https://github.com/testlablive/SophosEndpoints (subfolder SophosEndpoints).

    If you want to automate this like I did, you can follow my instructions on my blog https://www.testlab.live/auto-update-sophos-utm-with-microsoft-endpoints

  • Hi All,

     

    When I try the powershell module or any of the scripts I get a 401 error.

     

    I have created a new user, given it a static ip and created the API key.

    I am able to log in and query using the web api interface.

    I have tried with the API key from the Curl command.

     

    In the error log I get [ConfdHelper] withConfdConnection Setting StatusUnauthorized: No authentication header found

    In the script windows I get Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

     

    Not sure what else to try.

    Thanks.

     

Reply
  • Hi All,

     

    When I try the powershell module or any of the scripts I get a 401 error.

     

    I have created a new user, given it a static ip and created the API key.

    I am able to log in and query using the web api interface.

    I have tried with the API key from the Curl command.

     

    In the error log I get [ConfdHelper] withConfdConnection Setting StatusUnauthorized: No authentication header found

    In the script windows I get Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

     

    Not sure what else to try.

    Thanks.

     

Children
No Data