How to handle Office 365 network traffic seperation?

%3CLINGO-SUB%20id%3D%22lingo-sub-882233%22%20slang%3D%22en-US%22%3EHow%20to%20handle%20Office%20365%20network%20traffic%20seperation%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-882233%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20are%20currently%20moving%20our%20roughly%20700%20users%20from%20Office%202010%20%26amp%3B%20Exchange%202010%20to%20Office%20365%20and%20Exchange%20Online%20and%20so%20far%20everything%20works%20quite%20well.%20Regarding%20handling%20of%20Office%20365%20network%20traffic%20we%20have%20read%20the%20Office%20365%20Network%20Principles%20from%20Microsoft%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Foffice-365-network-connectivity-principles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Foffice-365-network-connectivity-principles%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsually%20all%20our%20clients%20can%20only%20access%20the%20Internet%20using%20a%20proxy%20server%20that%20is%20explicitely%20configured%20in%20the%20OS%20by%20GPO.%20Traffic%20that%20not%20traverses%20the%20proxy%20server%20is%20usually%20blocked%20and%20needs%20to%20be%20%3CFONT%3Eexplicitly%3C%2FFONT%3E%20allowed%20on%20our%20outbound%20router.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFollowing%20the%20guidlines%20to%20seperate%20traffic%20destined%20for%20Office%20365%20we%20have%20deployed%20GPO%20settings%20that%20excludes%20traffic%20for%20all%20Office%20365%20destinations%20from%20the%20%22Optimized%20Category%22%20(i.e.%26nbsp%3B%3CFONT%3E*.sharepoint.com%3B%20outlook.office365.com%20etc.%3C%2FFONT%3E)%20from%20the%20proxy%20so%20that%20traffic%20for%20those%20targets%20is%20routed%20directly.%20Traffic%20to%20those%20endpoints%20is%20allowed%20as%20per%26nbsp%3B%3CFONT%3EOffice%20365%20URLs%20and%20IP%20address%20ranges%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Furls-and-ip-address-ranges%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Furls-and-ip-address-ranges%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20using%20a%20script%20that%20reads%20the%20corresponding%20IP%20addresses%20from%20the%20%3CFONT%3EOffice%20365%20IP%20Address%20and%20URL%20web%20service%20to%20update%20the%20firewall%20rules%20on%20the%20outbound%20router.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3ESo%20basically%20the%20concept%20is%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E1.%20Traffic%20to%20Office%20365%20endpoints%20from%20the%20Optimize%20category%20is%20routed%20directly%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%3E2.%20All%20other%20http%2Fhttps%20traffic%20is%20traversing%20the%20explicitly%20configured%20proxy%20server%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EWe%20now%20have%20experienced%20connectivity%20issues%20with%20Outlook%20and%20found%20that%20some%20of%20the%20IP%20addresses%20that%20Outlook%20is%20connecting%20to%20are%20not%20listed%20in%20the%26nbsp%3B%3CFONT%3EOffice%20365%20URLs%20and%20IP%20address%20ranges%3C%2FFONT%3E.%20For%20example%2C%20when%20resolving%26nbsp%3Boutlook.office365.com%20the%20DNS%20returns%20the%20following%20addresses%20that%20are%20not%20included%20in%20the%20list%20but%20Outlook%20is%20connecting%20to%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E2603%3A1026%3A100%3A16%3A%3A2%3CBR%20%2F%3E2603%3A1026%3A101%3A14%3A%3A2%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI%20have%20posted%20this%20along%20with%20a%20more%20detailed%20description%20on%20the%20Github%20site%20as%20feedback%20for%20the%26nbsp%3B%3CFONT%3E%3CFONT%3EOffice%20365%20URLs%20and%20IP%20address%20ranges%3C%2FFONT%3E%3C%2FFONT%3E%20website%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%26nbsp%3B%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2FOfficeDocs-Enterprise%2Fissues%2F543%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoftDocs%2FOfficeDocs-Enterprise%2Fissues%2F543%3C%2FA%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EOthers%20have%20posted%20about%20similar%20issues%20as%20well.%20As%20we%20obviously%20cannot%20rely%20on%20the%26nbsp%3B%3CFONT%3E%3CFONT%3EOffice%20365%20URLs%20and%20IP%20address%20ranges%20(since%20not%20all%20addresses%20are%20included)%20we%20have%20now%20allowed%20all%20outbound%20https%20traffic%20on%20our%20outbound%20router.%20The%20Outlook%20connectivity%20issues%20are%20solved%20now.%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CFONT%3E%3CFONT%3EMy%20question%20is%3A%20How%20do%20you%20handle%20the%20traffic%20separation%20recommended%20for%20Office%20365%3F%20One%20could%20argue%20that%20allowing%20direct%20outbound%20https%20access%20to%20the%20whole%20Internet%20could%20pose%20a%20security%20risk%20if%20no%20filtering%20rules%20are%20applied%20to%20this%20traffic%20(which%20is%20okay%20for%20Office%20365%20traffic%20but%20might%20be%20a%20problem%20if%20a%20user%20removes%20the%20GPO%20configured%20proxy%20and%20uses%20the%20direct%20outbound%20access%20for%20other%20traffic%20as%20well).%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20personal%20opinion%20is%20that%20filtering%20traffic%20on%20the%20application%20layer%20actually%20never%20is%20quite%20a%20good%20idea%20since%20it%20can%20break%20things%20(like%20TLS)%20that%20should%20not%20be%20broken.%20And%20one%20could%20also%20argue%20that%20in%20a%20time%20where%20the%20Internet%20is%20becoming%20increasingly%20dynamic%20(CDNs%2C%20IPv6%2C%20more%20and%20more%20cloud%20services)%20AND%20network%20traffic%20is%20becoming%20increasingly%20encrypted%2C%20security%20needs%20to%20be%20shifted%20to%20other%20layers%20like%20for%20example%20the%20end%20users%20device%20and%20the%20application%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%20on%20this%20or%20examples%20about%20you%20handle%20this%20are%20highly%20appreciated!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CFONT%3E%3CFONT%3EBest%20Regards%3CBR%20%2F%3EMichael%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-882233%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%20Network%20Connectivity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Contributor

Dear all,

 

we are currently moving our roughly 700 users from Office 2010 & Exchange 2010 to Office 365 and Exchange Online and so far everything works quite well. Regarding handling of Office 365 network traffic we have read the Office 365 Network Principles from Microsoft:

 

  https://docs.microsoft.com/en-us/office365/enterprise/office-365-network-connectivity-principles

 

Usually all our clients can only access the Internet using a proxy server that is explicitely configured in the OS by GPO. Traffic that not traverses the proxy server is usually blocked and needs to be explicitly allowed on our outbound router.

 

Following the guidlines to seperate traffic destined for Office 365 we have deployed GPO settings that excludes traffic for all Office 365 destinations from the "Optimized Category" (i.e. *.sharepoint.com; outlook.office365.com etc.) from the proxy so that traffic for those targets is routed directly. Traffic to those endpoints is allowed as per Office 365 URLs and IP address ranges:

 

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

 

We are using a script that reads the corresponding IP addresses from the Office 365 IP Address and URL web service to update the firewall rules on the outbound router.

 

So basically the concept is:

 

1. Traffic to Office 365 endpoints from the Optimize category is routed directly

2. All other http/https traffic is traversing the explicitly configured proxy server

 

We now have experienced connectivity issues with Outlook and found that some of the IP addresses that Outlook is connecting to are not listed in the Office 365 URLs and IP address ranges. For example, when resolving outlook.office365.com the DNS returns the following addresses that are not included in the list but Outlook is connecting to:

 

2603:1026:100:16::2
2603:1026:101:14::2

 

I have posted this along with a more detailed description on the Github site as feedback for the Office 365 URLs and IP address ranges website:

 

  https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/543

 

Others have posted about similar issues as well. As we obviously cannot rely on the Office 365 URLs and IP address ranges (since not all addresses are included) we have now allowed all outbound https traffic on our outbound router. The Outlook connectivity issues are solved now.

 

My question is: How do you handle the traffic separation recommended for Office 365? One could argue that allowing direct outbound https access to the whole Internet could pose a security risk if no filtering rules are applied to this traffic (which is okay for Office 365 traffic but might be a problem if a user removes the GPO configured proxy and uses the direct outbound access for other traffic as well).

 

My personal opinion is that filtering traffic on the application layer actually never is quite a good idea since it can break things (like TLS) that should not be broken. And one could also argue that in a time where the Internet is becoming increasingly dynamic (CDNs, IPv6, more and more cloud services) AND network traffic is becoming increasingly encrypted, security needs to be shifted to other layers like for example the end users device and the application itself.

 

Any thoughts on this or examples about you handle this are highly appreciated!

 

Best Regards
Michael

 

0 Replies