Hybrid Azure join behind a Sophos SG UTM

I'm trying to Hybrid Azure join our devices on our corporate network.

We use a UTM for firewall and web filtering. Normally web traffic hits the web filter when using a browser (PAC file). The required URLs for Azure Hybrid join are allowed through this proxy server. The problem is that the process of joining the device (Proxy direct) is not aware of these proxy settings so the traffic is never directed to the web filter. Instead it goes to the firewall. The firewall explicitly blocks this traffic. We need to know the IP address ranges of the URLs required for this operation so we can allow this traffic to pass through the firewall. Microsoft can only send me to their 365 URLs and IP addresses but it's a very long list and the blocked IP addresses don't seem to be listed.

Has anyone been able to find out the IP address ranges which are required for this operation or has anyone been able to get this working a different way?

We have been able to get this to work by manually setting the proxy server on a client but this then causes issues with Teams and SCCM.

The URLs: login.microsoftonline.com and device.login.microsoftonline.com
Thanks in advance.
  • Hi Dean and welcome to the UTM Community!

    Please show a representative line or two from the firewall log file (not from the Live Log).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for your welcome.

    I can't get you the information you requested at the moment as I can't easily identify the traffic from previous attempts and I lose connection to the UTM when I try to bring up the whole log for today. I'm not sure why the log is relevant to be honest. I know that 443 traffic is being blocked to Microsoft addresses. Here are the Live Log results, all I can get right now.

    10:12:41 Default DROP TCP  
    10.xx.xx.xx : 61369
    13.107.9.156 : 443
     
    [SYN] len=52 ttl=126 tos=0x00 srcmac=88:75:56:8d:8f:c3 dstmac=00:1a:8c:f0:7a:c8
  • I expected a default drop, Dean.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the full log line corresponding to the one above.

    Cheers - Bob

  • I know it's a default drop. I'm trying to find out how best to allow this traffic considering I don't know the IP address ranges for this function.

  • Again, the corresponding full log line tells us which kind of default drop.

    Cheers - Bob

  • Okay -

    2021:02:01-10:00:17 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10." dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:18 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:20 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:24 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:32 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:38 lyn-utm-corp-1 ulogd[5976]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="30" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="40.126.31.135" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:38 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:00:39 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:00:42 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:00:46 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:00:54 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="20.190.159.136" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:00:59 lyn-utm-corp-1 ulogd[5976]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="30" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="40.126.31.135" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:01:00 lyn-utm-corp-1 ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" dstmac="00:1a:8c:f0:7a:c8" srcip="10" dstip="13.107.6.156" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="51106" dstport="443" tcpflags="SYN"
  • Well, Dean, I appreciate the need for security, but it's not clear that all those lines have the same source device/IP.  If so, then it's confusing that firewall rule 30 applies sometimes and not at others.

    "60002" means the drop is out of the FORWARD chain, so the easy answer is to make a rule to Allow "Web Surfing" from that server to "Internet IPv4."

    Cheers - Bob

  • They are all from the same source. That rule allows access to certain IP addresses.

    That is far too broad a rule. I am trying to find out if anyone in the community has been able to find IP ranges required for a hybrid join.
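    A way to get from the posted ulogd lines to a narrow allow rule instead of a broad "Web Surfing" one: parse the packetfilter log, count the fwrule 60002 (FORWARD-chain default) drops per destination IP and port, and check each dropped destination against the published ranges. This is an added example, not Sophos or Microsoft code; the log lines are constructed in the same format as those in the thread with a made-up source host, and the CIDR values in EXAMPLE_RANGES are illustrative placeholders, not a statement of Microsoft's real ranges.

    ```python
    import re
    from collections import Counter
    from ipaddress import ip_address, ip_network

    # Constructed sample in the Sophos UTM ulogd packetfilter format (same fields as the
    # lines posted in the thread; srcip is a made-up RFC1918 host).
    SAMPLE_LOG = """\
    2021:02:01-10:00:17 utm ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" srcip="10.0.0.5" dstip="20.190.159.136" proto="6" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:38 utm ulogd[5976]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="30" initf="eth8" outitf="eth1" srcip="10.0.0.5" dstip="40.126.31.135" proto="6" srcport="51070" dstport="80" tcpflags="SYN"
    2021:02:01-10:00:38 utm ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" srcip="10.0.0.5" dstip="20.190.159.136" proto="6" srcport="51075" dstport="443" tcpflags="SYN"
    2021:02:01-10:01:00 utm ulogd[5976]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth8" outitf="eth1" srcip="10.0.0.5" dstip="13.107.6.156" proto="6" srcport="51106" dstport="443" tcpflags="SYN"
    """

    # Placeholder CIDRs for illustration only; substitute the ranges from Microsoft's
    # published endpoint list for the login.microsoftonline.com service area.
    EXAMPLE_RANGES = ["20.190.128.0/18", "40.126.0.0/18"]

    KV_RE = re.compile(r'(\w+)="([^"]*)"')

    def parse_line(line):
        """Turn one ulogd packetfilter line into a dict of its key="value" fields."""
        return dict(KV_RE.findall(line))

    def dropped_destinations(log_text, rule="60002"):
        """Count drops by the given fwrule (60002 = FORWARD-chain default drop on UTM)
        per (dstip, dstport), ignoring accepted packets and other rules."""
        counts = Counter()
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec.get("action") == "drop" and rec.get("fwrule") == rule:
                counts[(rec["dstip"], rec["dstport"])] += 1
        return counts

    def match_ranges(destinations, ranges):
        """Map each dropped (dstip, dstport) to the first range containing dstip, or None
        when the destination is outside every range and needs separate investigation."""
        nets = [ip_network(r) for r in ranges]
        return {(ip, port): next((str(n) for n in nets if ip_address(ip) in n), None)
                for (ip, port) in destinations}

    if __name__ == "__main__":
        drops = dropped_destinations(SAMPLE_LOG)
        for (ip, port), net in match_ranges(drops, EXAMPLE_RANGES).items():
            print(f"{ip}:{port} dropped {drops[(ip, port)]}x -> {net or 'NOT in any known range'}")
    ```

    Destinations that fall inside a published range can be covered by one host-group rule for those ranges on 80/443; the ones reported as outside any range are the addresses to look up before widening anything.
    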

  • If you Google site:community.sophos.com/products/utm-firewall Azure join, you'll see that this hasn't been discussed here.

    Cheers - Bob

  • It might not have been discussed but I was hoping someone might be able to help once they saw it.

    You would think someone could help with this. I wonder how other companies do it.