I'm trying to Hybrid Azure join our devices on our corporate network.
We use a UTM for firewall and web filtering. Normally web traffic hits the web filter when using a browser (PAC file). The required URLs for Azure Hybrid join are allowed through this proxy server. The problem is that the process of joining the device (proxy direct) is not aware of these proxy settings, so the traffic is never directed to the web filter. Instead it goes to the firewall. The firewall explicitly blocks this traffic. We need to know the IP address ranges of the URLs required for this operation so we can allow this traffic to pass through the firewall. Microsoft can only send me to their 365 URLs and IP addresses, but it's a very long list and the blocked IP addresses don't seem to be listed.
Has anyone been able to find out the IP address ranges which are required for this operation, or has anyone been able to get this working a different way?
We have been able to get this to work by manually setting the proxy server on a client, but this then causes issues with Teams and SCCM.
Hi Dean and welcome to the UTM Community!
Please show a representative line or two from the firewall log file (not from the Live Log).
Cheers - Bob
Hi Bob,
Thanks for your welcome.
I can't get you the information you requested at the moment, as I can't easily identify the traffic from previous attempts and I lose connection to the UTM when I try to bring up the whole log for today. I'm not sure why the log is relevant, to be honest. I know that 443 traffic is being blocked to Microsoft addresses. Here are the live log results, all I can get right now.
I expected a default drop, Dean. Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post the full log line corresponding to the one above.
I know it's a default drop. I'm trying to find out how best to allow this traffic considering I don't know the IP address ranges for this function.
Again, the corresponding full log line tells us which kind of default drop.
Okay -
Well, Dean, I appreciate the need for security, but it's not clear that all those lines have the same source device/IP. If so, then it's confusing that firewall rule 30 applies sometimes and not at others.
"60002" means the drop is out of the FORWARD chain, so the easy answer is to make a rule to Allow "Web Surfing" from that server to "Internet IPv4."
They are all from the same source. That rule allows access to certain IP addresses.
That is far too broad a rule. I am trying to find out if anyone in the community has been able to find IP ranges required for a hybrid join.
If you Google site:community.sophos.com/products/utm-firewall Azure join, you'll see that this hasn't been discussed here.
It might not have been discussed but I was hoping someone might be able to help once they saw it.
You would think someone could help with this. I wonder how other companies do it.
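The two threads of advice above (pull the destination addresses out of the full firewall log lines, and work out which Microsoft-published ranges they belong to) can be joined up in a small script. The following is an added example, not code from this thread, from Sophos or from Microsoft. It assumes the UTM packetfilter log uses the key="value" layout of the ulogd log file, with fwrule="60002" marking the default FORWARD-chain drop as Bob describes; the sample log lines are constructed, not Dean's. It also assumes the JSON shape returned by Microsoft's Office 365 IP Address and URL web service (endpoints.office.com); SAMPLE_ENDPOINTS below is constructed with that shape, and its ids and CIDRs are placeholders, not Microsoft's real ranges. The hostnames in REQUIRED_URLS are the device-registration endpoints Microsoft documents for hybrid Azure AD join; the live fetch_endpoints() call is optional and is not used by the offline sample.

```python
"""Correlate UTM default-drop log lines with Microsoft 365 endpoint IP ranges.

Added example (not from the thread). Assumptions are noted inline.
"""
import fnmatch
import ipaddress
import json
import re
import urllib.request
import uuid

# key="value" pairs as written by the UTM packetfilter log (ulogd); assumed layout.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Hostnames contacted during hybrid Azure AD device registration (per Microsoft docs).
REQUIRED_URLS = [
    "enterpriseregistration.windows.net",
    "login.microsoftonline.com",
    "device.login.microsoftonline.com",
]

# Constructed sample log lines in the assumed UTM layout; not real traffic.
SAMPLE_LOG = [
    '2019:05:14-09:12:31 utm ulogd[5122]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" srcip="192.168.10.25" dstip="40.126.1.140" proto="6" length="52" ttl="127" srcport="49712" dstport="443" tcpflags="SYN"',
    '2019:05:14-09:12:32 utm ulogd[5122]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" srcip="192.168.10.25" dstip="52.96.12.34" proto="6" length="52" ttl="127" srcport="49713" dstport="443" tcpflags="SYN"',
    '2019:05:14-09:12:33 utm ulogd[5122]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="30" initf="eth1" srcip="192.168.10.25" dstip="40.126.1.140" proto="6" length="52" ttl="127" srcport="49714" dstport="443" tcpflags="SYN"',
    '2019:05:14-09:12:34 utm ulogd[5122]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" srcip="192.168.10.25" dstip="203.0.113.9" proto="6" length="52" ttl="127" srcport="49715" dstport="443" tcpflags="SYN"',
    '2019:05:14-09:12:35 utm ulogd[5122]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" srcip="192.168.10.25" dstip="40.126.1.140" proto="6" length="52" ttl="127" srcport="49716" dstport="80" tcpflags="SYN"',
]

# Constructed entries in the shape of the endpoints web service response.
# ids and CIDRs are placeholders, NOT Microsoft's published ranges.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.microsoftonline.com", "*.microsoftonline.com"],
     "ips": ["20.190.128.0/18", "40.126.0.0/18"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["enterpriseregistration.windows.net"],
     "ips": ["52.96.0.0/14"], "tcpPorts": "443"},
    {"id": 3, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31"], "tcpPorts": "80,443"},
]


def parse_utm_line(line):
    """Return the key="value" fields of one UTM packetfilter log line as a dict."""
    return dict(KV_RE.findall(line))


def dropped_forward_https(lines):
    """Destination IPs of default FORWARD-chain drops (fwrule 60002) to TCP/443."""
    dsts = set()
    for line in lines:
        f = parse_utm_line(line)
        if (f.get("action") == "drop" and f.get("fwrule") == "60002"
                and f.get("proto") == "6" and f.get("dstport") == "443"):
            dsts.add(f["dstip"])
    return sorted(dsts)


def fetch_endpoints():
    """Live query of the endpoints web service; needs Internet access (not used offline)."""
    url = ("https://endpoints.office.com/endpoints/worldwide?clientrequestid="
           + str(uuid.uuid4()))
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def ranges_for_urls(endpoints, required_urls):
    """Map each CIDR published for an entry whose urls cover a required hostname
    to that entry's id. Entries use wildcards such as *.microsoftonline.com."""
    nets = {}
    for ep in endpoints:
        for pattern in ep.get("urls", []):
            if any(fnmatch.fnmatch(host, pattern) for host in required_urls):
                for cidr in ep.get("ips", []):
                    nets[cidr] = ep["id"]
    return nets


def classify(drops, nets):
    """For each dropped destination IP, the (CIDR, endpoint id) containing it, or None."""
    result = {}
    for ip in drops:
        addr = ipaddress.ip_address(ip)
        result[ip] = next(
            ((cidr, eid) for cidr, eid in nets.items()
             if addr in ipaddress.ip_network(cidr, strict=False)),
            None)
    return result


if __name__ == "__main__":
    nets = ranges_for_urls(SAMPLE_ENDPOINTS, REQUIRED_URLS)
    for ip, hit in classify(dropped_forward_https(SAMPLE_LOG), nets).items():
        print(ip, "->", hit or "not in any required-endpoint range")
    print("CIDRs to add to the UTM network definition:", sorted(nets))
```

Run against the real log file and the live JSON (replace SAMPLE_LOG with lines read from the packetfilter log and SAMPLE_ENDPOINTS with fetch_endpoints()), and the CIDR list it prints is the network definition to allow for TCP/443 instead of a blanket "Web Surfing" to "Internet IPv4". Dropped destinations that classify as None are worth looking at separately: either they are an endpoint not in REQUIRED_URLS, or the join process is talking to something the published list does not cover.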