
WSA S170 unable to access office365

Erland Medrano
Level 1

Hi,

 

We would like to know the cause of being unable to connect to Office365 even though we can ping outlook.office365.com from the IronPort.

Handy Putra
Cisco Employee

Hi Erland,

Have you checked the access logs from the WSA when trying to connect to Office365 to see whether anything has been blocked by policy?

 

Also, in the case of Office365, it is normally recommended to bypass authentication on the WSA for this kind of traffic, since Office365 cannot provide good proxy authentication, especially with a PAC file or WCCP redirection (transparent deployment).

What is the limitation of the WSA? And also, where in the OSI layers does the WSA belong?

The WSA operates at layer 7 only.

What sort of limitation are you referring to?

I have to create a "custom category" with this subnet and *.fqdn:

https://support.office.com/it-it/article/URLs-and-IP-address-ranges-for-Office-365-operated-by-21Vianet-5c47c07d-f9b6-4b78-a329-bfdc1b6da7a0?ui=it-IT&rs=it-IT&ad=IT

Then you have to create the Identity with that custom category and bypass authentication.

After that, you have to create a NEW ACCESS POLICY to "allow" the "http" traffic and a NEW DECRYPTION POLICY to pass through the "https" traffic.

You can take advantage of the Custom URL External Feeds feature, only available in WSA 10.x onwards, for Skype and Office 365, as the external feed will have the exact IPs/hosts and will be updated at every configured interval. Office 365 also includes the Skype destinations, hence this can be leveraged for Skype issues as well.

 

How to Enable Office 365 (Includes Skype as well) External Feeds in AsyncOS 10.0 for Cisco Web Security

 

https://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/guide-c07-738382.pdf

 

Please be advised that the Office365 feed provided by Microsoft contains other sites you may not want to allow, such as:

Facebook

Youtube

mail.google.com

dropbox.com
evernote.com
 
HUGE vulnerability!!!
 
We manually export the XML into another XML that we then clean up. Very manual and time consuming... and defeats the purpose of the XML feed.
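
The manual clean-up described in the post above can be scripted. The following Python sketch is an added example, not code from the thread, Cisco or Microsoft; it assumes the feed uses a `products/product/addresslist/address` XML layout, runs on a constructed sample, and assumes the exact spellings `facebook.com` and `youtube.com` for the sites the post names.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the products/product/addresslist/address layout is an
# assumption about the feed format, not taken from the thread.
SAMPLE_FEED = """<products updated="constructed">
  <product name="o365">
    <addresslist type="IPv4">
      <address>192.0.2.0/24</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.outlook.com</address>
      <address>outlook.office365.com</address>
      <address>*.facebook.com</address>
      <address>www.youtube.com</address>
      <address>mail.google.com</address>
      <address>dropbox.com</address>
      <address>notdropbox.com</address>
    </addresslist>
  </product>
</products>"""

# Sites named in the thread; facebook.com and youtube.com spellings are assumed.
UNWANTED = ("facebook.com", "youtube.com", "mail.google.com",
            "dropbox.com", "evernote.com")

def is_unwanted(entry, unwanted=UNWANTED):
    """True if entry (optionally '*.'-prefixed) is an unwanted domain or a subdomain of one."""
    host = entry.strip().lower().lstrip("*").lstrip(".")
    # Match on a label boundary so "notdropbox.com" is not caught by "dropbox.com".
    return any(host == d or host.endswith("." + d) for d in unwanted)

def clean_feed(xml_text, unwanted=UNWANTED):
    """Return (cleaned_xml, removed_entries); only URL-type lists are filtered."""
    root = ET.fromstring(xml_text)
    removed = []
    for addrlist in root.iter("addresslist"):
        if addrlist.get("type") != "URL":
            continue  # IP ranges are left untouched
        for addr in list(addrlist.findall("address")):
            if is_unwanted(addr.text or "", unwanted):
                removed.append(addr.text.strip())  # keep an audit trail of what was dropped
                addrlist.remove(addr)
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    cleaned, removed = clean_feed(SAMPLE_FEED)
    print("removed:", removed)
    print(cleaned)
```
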

 

Really? Do they add more than the absolute minimum of their own IPs? That is really bad and reduces the functionality of the function.

Has anyone investigated this Microsoft script to generate a PAC file that will bypass WSA for Office365 traffic?

https://blogs.technet.microsoft.com/undocumentedfeatures/2015/11/16/office-365-pac-file/

A concern would be a PAC file that's 300+ lines long... Any input there?

 

Thanks!