Enable only traffic to Microsoft Teams and Office 365
Hello!
I think I am falling back on the same topic with this new requirement, trying to allow/block traffic to certain domains using FQDN objects.
I have some establishments that need WAN connectivity to Microsoft Teams (and more Office 365 services like SharePoint). They are behind a SOHO model.
Can I guarantee this type of traffic (office 365 udp-tcp ports) without having to open it to all destinations, without CFS?
Or will it be essential to have the content filtering service to be able to use, for example, the URI LISTS OBJECTS?
Those PCs can't have open traffic. I have to open only this kind of traffic, and I need to confirm whether the only way to do it is updating my SonicWall devices (SOHO) to use CFS.
What do you recommend for this configuration?
By the way, to provide more data, those establishments are connected with site-to-site VPN to our central NSA in a star configuration (Site to Site, aggressive mode); however, their WAN traffic goes out on their own WAN interface.
By modifying the configuration of our VPNs, could we configure that the WAN traffic of the remote sites will go out through our NSA using our central CFS Policies + CFS Profile…?
Hope that was clear enough, sorry for my English.
Answers
"Can I guarantee this type of traffic (office 365 udp-tcp ports) without having to open it to all destinations, without CFS?" Short answer: yes. This is the basis of all modern business class firewalls.
"Or will it be essential to have the content filtering service to be able to use, for example, the URI LISTS OBJECTS?" If you are trying to do content filtering you'll need to implement DPI-SSL otherwise you'll be missing a large amount of encrypted traffic.
"By modifying the configuration of our VPNs, could we configure that the WAN traffic of the remote sites will go out through our NSA using our central CFS Policies + CFS Profile…?" This is possible, though I haven't personally done it. In VPN tunnel configurations there is the option 'Use this VPN Tunnel as default route for all Internet traffic'.
You may also want to look at this article.
Hi @SWUSERVPN,
Yes, you can allow/block certain domains using FQDN objects. In simple terms, this can be done using Access Rules.
We can get the WAN traffic of the remote sites to go out through the NSA using the central CFS Policies + CFS Profiles. Route All Site to Site VPN has to be configured on both the central and remote site SonicWall appliances.
Please refer to the KB article below for Route All over a site-to-site VPN.
Hope this helps. Please get back for any questions/concerns.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks for your answers TKWITS and Saravanan ,
I am dealing with the FQDNs we can see in this Microsoft article:
Besides this article, we can run a PowerShell script to get updated data (URLs for our FQDN objects) in a txt file:
Generated File:
****************************************************************************************************************
Office 365 IP and URL Web Service data
Worldwide instance
Version: 2021062800
IPv4 Firewall IP Address Ranges
104.146.128.0/17,104.47.0.0/17,13.107.128.0/22,13.107.136.0/22,13.107.140.6/32,13.107.18.10/31,13.107.18.15/32,13.107.6.152/31,13.107.6.171/32,13.107.64.0/18,131.253.33.215/32,132.245.0.0/16,150.171.32.0/22,150.171.40.0/22,20.190.128.0/18,204.79.197.215/32,23.103.160.0/20,40.104.0.0/15,40.107.0.0/16,40.108.128.0/17,40.126.0.0/18,40.92.0.0/15,40.96.0.0/13,52.100.0.0/14,52.104.0.0/14,52.108.0.0/14,52.112.0.0/14,52.120.0.0/14,52.238.106.116/32,52.238.119.141/32,52.238.78.88/32,52.244.160.207/32,52.244.203.72/32,52.244.207.172/32,52.244.223.198/32,52.244.37.168/32,52.247.150.191/32,52.96.0.0/14
IPv6 Firewall IP Address Ranges
2603:1006::/40,2603:1016::/36,2603:1026::/36,2603:1036::/36,2603:1046::/36,2603:1056::/36,2603:1096::/38,2603:1096:400::/40,2603:1096:600::/40,2603:1096:a00::/39,2603:1096:c00::/40,2603:10a6:200::/40,2603:10a6:400::/40,2603:10a6:600::/40,2603:10a6:800::/40,2603:10d6:200::/40,2620:1ec:4::152/128,2620:1ec:4::153/128,2620:1ec:8f0::/46,2620:1ec:8f8::/46,2620:1ec:900::/46,2620:1ec:908::/46,2620:1ec:a92::152/128,2620:1ec:a92::153/128,2620:1ec:c::10/128,2620:1ec:c::11/128,2620:1ec:d::10/128,2620:1ec:d::11/128,2a01:111:f400::/48,2a01:111:f402::/48
URLs for Proxy Server
*.broadcast.skype.com,*.compliance.microsoft.com,*.lync.com,*.mail.protection.outlook.com,*.msftidentity.com,*.msidentity.com,*.officeapps.live.com,*.online.office.com,*.outlook.office.com,*.portal.cloudappsecurity.com,*.protection.office.com,*.protection.outlook.com,*.security.microsoft.com,*.sharepoint.com,*.skypeforbusiness.com,*.teams.microsoft.com,account.activedirectory.windowsazure.com,account.office.net,accounts.accesscontrol.windows.net,adminwebservice.microsoftonline.com,api.passwordreset.microsoftonline.com,autologon.microsoftazuread-sso.com,becws.microsoftonline.com,broadcast.skype.com,clientconfig.microsoftonline-p.net,companymanager.microsoftonline.com,compliance.microsoft.com,device.login.microsoftonline.com,graph.microsoft.com,graph.windows.net,login.microsoft.com,login.microsoftonline.com,login.microsoftonline-p.com,login.windows.net,
logincert.microsoftonline.com,loginex.microsoftonline.com,login-us.microsoftonline.com,nexus.microsoftonline-p.com,office.live.com,
outlook.office.com,outlook.office365.com,passwordreset.microsoftonline.com,protection.office.com,provisioningapi.microsoftonline.com,security.microsoft.com,smtp.office365.com,teams.microsoft.com
****************************************************************************************************************
I am trying to use a simple access rule with an Address Group containing all the FQDNs as Destination, allowing the UDP and TCP ports that Microsoft requires. But it doesn't work. I am missing something related to FQDN objects.
If I use another rule that enables the same Service Group with Destination=Any, everything is fine, and Teams and Outlook, for example, connect OK.
I checked the log at Debug level, but I don't see anything useful when filtering by the host's LAN IP.
Any help is welcome.
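The generated file above is the output of Microsoft's endpoint web service, and the rule only works once every required entry is in the group. As an added example (not code from the thread, and not Microsoft's or SonicWall's), the following Python reads records in that web service's JSON shape, keeps the required entries for the chosen service areas, and pulls in the "Common" (sign-in/identity) entries that Teams, SharePoint and Outlook all depend on; forgetting those is the usual reason a Teams-only FQDN group fails while Destination=Any works. The sample records, the object names and the SonicOS API body layout are assumptions made for the example.

```python
"""Pick the Office 365 endpoints an allow rule needs and turn them into
firewall objects.

Added example, not code from the thread or from Microsoft/SonicWall. It reads
records in the JSON shape served by Microsoft's Office 365 IP Address and URL
web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<guid>),
the same data the PowerShell script in the post pulls. SAMPLE_ENDPOINTS is a
constructed sample in that shape, not the live feed.
"""
import ipaddress
import json
import uuid
from urllib.request import urlopen

# Constructed sample: real records carry the same keys (id, serviceArea, urls,
# ips, tcpPorts, udpPorts, category, required). Teams lives under serviceArea
# "Skype"; sign-in and identity endpoints live under "Common".
SAMPLE_ENDPOINTS = [
    {"id": 11, "serviceArea": "Skype", "urls": ["*.teams.microsoft.com", "teams.microsoft.com"],
     "ips": ["52.112.0.0/14", "52.120.0.0/14", "2603:1063::/38"],
     "tcpPorts": "80,443", "udpPorts": "3478,3479,3480,3481", "category": "Optimize", "required": True},
    {"id": 31, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22", "40.108.128.0/17"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 56, "serviceArea": "Common", "urls": ["login.microsoftonline.com", "*.msftidentity.com"],
     "ips": ["20.190.128.0/18", "40.126.0.0/18"],
     "tcpPorts": "80,443", "category": "Allow", "required": True},
    {"id": 125, "serviceArea": "Common", "urls": ["*.cdn.office.net"],
     "tcpPorts": "443", "category": "Default", "required": False},
    {"id": 8, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["40.96.0.0/13"], "tcpPorts": "80,443", "category": "Optimize", "required": True},
]


def fetch_endpoints(instance="worldwide"):
    """Download the live list (needs Internet). Everything else here works
    offline on SAMPLE_ENDPOINTS."""
    url = f"https://endpoints.office.com/endpoints/{instance}?clientrequestid={uuid.uuid4()}"
    with urlopen(url, timeout=30) as resp:
        return json.load(resp)


def select(endpoints, service_areas, include_common=True, required_only=True):
    """Keep the records for the wanted service areas. 'Common' is pulled in by
    default because Teams/SharePoint/Outlook cannot sign in without it."""
    wanted = set(service_areas) | ({"Common"} if include_common else set())
    return [e for e in endpoints
            if e["serviceArea"] in wanted and (e.get("required", False) or not required_only)]


def _ports(field):
    return {int(p) for p in field.split(",")} if field else set()


def build_objects(selected):
    """Flatten the records into the pieces an access rule needs: destination
    FQDNs, IPv4/IPv6 networks and the TCP/UDP service ports."""
    fqdns, ipv4, ipv6, tcp, udp = set(), set(), set(), set(), set()
    for e in selected:
        fqdns.update(e.get("urls", []))
        for cidr in e.get("ips", []):
            net = ipaddress.ip_network(cidr)      # also validates the feed entry
            (ipv4 if net.version == 4 else ipv6).add(str(net))
        tcp |= _ports(e.get("tcpPorts", ""))
        udp |= _ports(e.get("udpPorts", ""))
    return {"fqdn": sorted(fqdns),
            "ipv4": sorted(ipv4, key=ipaddress.ip_network),
            "ipv6": sorted(ipv6, key=ipaddress.ip_network),
            "tcp": sorted(tcp), "udp": sorted(udp)}


def sonicos_fqdn_payload(fqdns, zone="WAN"):
    """Body for the SonicOS API FQDN address-object call
    (POST /api/sonicos/address-objects/fqdn). The key layout and the object
    names are assumptions taken from the SonicOS API reference; check them
    against your firmware version and its name-length limit before posting."""
    objs = [{"fqdn": {"name": "O365 " + d.replace("*.", "wildcard "), "zone": zone, "domain": d}}
            for d in fqdns]
    return {"address_objects": objs}


if __name__ == "__main__":
    chosen = select(SAMPLE_ENDPOINTS, ["Skype", "SharePoint"])
    built = build_objects(chosen)
    print(json.dumps(built, indent=2))
    print(json.dumps(sonicos_fqdn_payload(built["fqdn"]), indent=2))
```

Run it against `fetch_endpoints()` instead of the sample to get the current list; Microsoft changes it regularly, so the same script is what you would schedule to refresh the group rather than typing FQDNs in by hand.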
Hi @SWUSERVPN,
If it's not working when the destination is specific, then we are missing some URLs or IP addresses that we have to check. With the specific-destination access rule in place, let's perform a packet capture and see if the firewall drops any packets. Get the destination IP address on those packets and find out the domain name. Allow the domain name or IP address in the access rule. This is something that we could do next. If there are no drops on the SonicWall, then we may need to check with Microsoft to be sure of all the URLs and IPs.
Note: The packet monitor buffer may fill up soon. Please make sure to capture only the specific Microsoft traffic, or else set up an FTP server so the firewall sends all captured files to the FTP server for reference.
Hope this helps.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks again Saravanan !
I realised that I was missing some rules, and enabling outgoing traffic to the fqdn(s) Group is doing the job now 👌
Yes, you are right about the Packet Monitor, a powerful and useful tool.
Once I have this test working on a soho device, is any easy way to export/import an Address Group from one device to another?
I need to export this information to other soho devices 🤨
Thanks for your help.
Unfortunately there is only a full config export, you cannot export individual or groups of Address Objects or Groups using the GUI.
Yes TKWITS, I know about the full configuration Export/Import. But the idea was only to import/export Address Objects.
There was some way, importing a JSON file... SonicOS API? I haven't tried it yet; I need to read about it. Did you test it?
Thanks.
Hello again.
After testing how to import objects, for example with a simple SSH connection, I think that adding all the FQDNs is not the best way to solve Microsoft Office 365... Can I use App Control Advanced in some way? BUT not to block; I need to enable certain applications that I see listed in the categories/applications, for a PC or a range.
Could I do it with App Control Advanced?
I use some CFS Policies to block some default categories using a CFS Profile. Could I do something like that to ALLOW Microsoft categories? I am a bit confused on this topic and would appreciate some light.
Thanks in advance for your help.
This is exactly why the DEAG feature exists. Dynamic External Object Groups (found under Objects in the GUI) are there to simplify your task. On some FTP/web server you may publish the list of IP addresses (or list of FQDNs, including wildcards like *.office365.com) and use it in the firewall, which downloads the list once or periodically.
Btw, you may also use DEAG to facilitate blacklisting for a web application that does not support invalid-logon lockout by design. If you can detect the invalid logons somehow (search web server logs for 401 errors, process syslog messages, etc.), then after reaching the desired threshold you just append the malicious IP to a file that your firewall reads periodically, and deny access from the list of IPs in that file.
Cheers, Jan
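The threshold blacklist Jan describes, in code, as an added example (not from the thread and not SonicWall's): it parses combined-format access log lines, counts 401 responses per client address inside a sliding window, never lists private addresses (so a misbehaving internal host cannot lock the LAN out of its own server), and rewrites the list file atomically so the firewall's periodic download never sees a half-written file. The log lines are constructed; the one-address-per-line file layout is what the post describes and is assumed here.

```python
"""Feed a Dynamic External Address Group (DEAG) block-list from web server
logs: count 401 responses per client IP in a sliding window and rewrite the
file the firewall fetches whenever an address crosses the threshold.

Added example, not code from the thread or from SonicWall. SAMPLE_LOG is
constructed (combined log format); the list-file layout, one address per
line, is assumed from the post.
"""
import ipaddress
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client IP, identity, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one brute-forcer, one user with two far-apart failures,
# an internal host that must never be listed, and a line that does not parse.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [28/Jun/2021:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.9 - - [28/Jun/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jun/2021:10:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [28/Jun/2021:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [28/Jun/2021:10:00:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.9 - - [28/Jun/2021:10:00:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jun/2021:10:00:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jun/2021:10:20:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""


def parse(lines):
    """Yield (address, timestamp, status) for each line that matches; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue   # hostname logging or a junk field: never let it into a firewall list
        yield addr, datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def offenders(lines, threshold=5, window_seconds=600,
              exempt=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return the addresses with >= threshold 401s inside any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    exempt_nets = [ipaddress.ip_network(n) for n in exempt]
    recent = defaultdict(deque)   # per-address timestamps of recent 401s
    hits = set()
    for addr, ts, status in parse(lines):
        if status != 401 or any(addr in n for n in exempt_nets):
            continue
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(addr)
    return [str(a) for a in sorted(hits, key=lambda a: (a.version, a))]


def write_list(addresses, path):
    """Rewrite the list file atomically so the firewall never fetches a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("".join(f"{a}\n" for a in addresses))
    os.replace(tmp, path)
    return path


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines())
    print("blocking:", bad)
    write_list(bad, "deag-blocklist.txt")
```

Point the DEAG object at the published file and set its refresh interval to match how often the script runs. Keep the threshold and window conservative: a NAT gateway or proxy shared by many users shows up as one address, so one attacker behind it can get everyone behind it blocked.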