"^[^.]+.sharepoint.com" - user upload / download of files, for DLP / AV inspection (not needed for EW)
"^[^.]+.sharepointonline.com" - user upload / download of files, for DLP / AV inspection (not needed for EW)
"teams.microsoft.com" - user login, and modification of the Teams client for Audio, Video and Screen share
"^[^.]+.teams.microsoft.com" - user and conversation info
"^[^.]+.ng.msg.teams.microsoft.com" - chat server for IMs and files
"pipe.skype.com" - Audio, Video and Screen share events
"^[^.]+.notifications.teams.microsoft.com" - incoming IMs and files / push notifications (no longer needed for the latest Teams clients; replaced by "^[^.]+.trouter.teams.microsoft.com")
"^[^.]+.asyncgw.teams.microsoft.com" - conversation data
"^[^.]+.msgapi.teams.microsoft.com" - chat server for outgoing IMs and files
substrate.office.com - some search results. Required to prevent users from seeing search suggestions for blocked contacts (EW). Affects Teams, SharePoint and other apps.
graph.microsoft.com - search results in SharePoint and other apps (not Teams)
"^[^.]+.trouter.teams.microsoft.com" - real-time push notifications. Currently required for filtering incoming messages to managed clients; may be omitted if filtering incoming messages isn't required.
Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac
Last updated 31.5.2021
```javascript
function FindProxyForURL(url, host) {
  // Hosts that must always go DIRECT, even though a proxylist pattern
  // (e.g. "^[^.]+.teams.microsoft.com") would otherwise catch them.
  // dnsDomainIs() is a suffix test, so it also matches any longer name
  // ending in one of these strings.
  var ignorelist = new Array(
    "secure.aadcdn.microsoftonline-p.com",
    "statics.teams.microsoft.com"
  );

  // Hosts routed through the bastion. The "^[^.]+" patterns are regex
  // syntax: they only work because the Mozilla/Chromium PAC engines pass
  // everything other than '.', '*' and '?' through shExpMatch() into a
  // RegExp, where "[^.]+" matches exactly one DNS label. A PAC engine with
  // a plain glob shExpMatch() treats them as literals and nothing matches;
  // the portable spelling is "*.sharepoint.com" (any depth) or dnsDomainIs().
  var proxylist = new Array(
    "^[^.]+.sharepoint.com",
    "^[^.]+.sharepointonline.com",
    "teams.microsoft.com",
    "^[^.]+.teams.microsoft.com",
    "^[^.]+.ng.msg.teams.microsoft.com",
    "pipe.skype.com",
    "^[^.]+.notifications.teams.microsoft.com",
    "^[^.]+.asyncgw.teams.microsoft.com",
    "^[^.]+.agatskype.net",
    "^[^.]+.msgapi.teams.microsoft.com",
    "substrate.office.com",
    "graph.microsoft.com",
    "^[^.]+.trouter.teams.microsoft.com"
  );

  // Check if need to ignore
  for (var i = 0; i < ignorelist.length; i++) {
    var value = ignorelist[i];
    if (dnsDomainIs(host, value)) {
      return "DIRECT";
    }
  }

  // Return our proxy name for matched domains/hosts
  for (var i = 0; i < proxylist.length; i++) {
    var value = proxylist[i];
    if (shExpMatch(host, value)) {
      return "PROXY <**** BASTION SERVER IP ****>";
    }
  }

  // Everything else (sign-in, CDN, telemetry, ...) bypasses the bastion
  return "DIRECT";
}
```
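The harness below is an added example, not part of the repository's PAC or of AGAT's code. It re-implements the two PAC helpers the file relies on (dnsDomainIs and shExpMatch) with the semantics of the Mozilla/Chromium PAC engine, runs the same ignore and proxy lists against constructed sample hostnames, and contrasts the "^[^.]+" patterns with a plain glob matcher to show why their behaviour depends on the PAC engine. The bastion address is a placeholder and the hostnames are made up for the demonstration.

```javascript
"use strict";

// Added example: offline harness for the Teams PAC above. Not part of the
// repository's PAC. Helper semantics follow the Mozilla/Chromium PAC engine.
const BASTION = "PROXY 192.0.2.10:8080"; // placeholder for the real bastion IP

// Mozilla/Chromium dnsDomainIs: a plain suffix test (no leading-dot check).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// Mozilla/Chromium shExpMatch: only '.', '*' and '?' are translated; the rest
// of the pattern reaches RegExp untouched, so "^[^.]+" acts as a regex
// character class matching exactly one DNS label.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// A plain glob matcher for comparison: everything except '*' and '?' is literal.
function globMatch(str, pattern) {
  const re = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters except '*'
    .replace(/\*/g, ".*")
    .replace(/\\\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Same lists as the PAC on this page.
const IGNORELIST = [
  "secure.aadcdn.microsoftonline-p.com",
  "statics.teams.microsoft.com",
];
const PROXYLIST = [
  "^[^.]+.sharepoint.com", "^[^.]+.sharepointonline.com",
  "teams.microsoft.com", "^[^.]+.teams.microsoft.com",
  "^[^.]+.ng.msg.teams.microsoft.com", "pipe.skype.com",
  "^[^.]+.notifications.teams.microsoft.com", "^[^.]+.asyncgw.teams.microsoft.com",
  "^[^.]+.agatskype.net", "^[^.]+.msgapi.teams.microsoft.com",
  "substrate.office.com", "graph.microsoft.com",
  "^[^.]+.trouter.teams.microsoft.com",
];

function FindProxyForURL(url, host) {
  for (const d of IGNORELIST) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  for (const p of PROXYLIST) {
    if (shExpMatch(host, p)) return BASTION;
  }
  return "DIRECT";
}

// Convenience wrapper: the PAC decision for a single hostname.
function resolve(host) {
  return FindProxyForURL("https://" + host + "/", host);
}

// Constructed sample hostnames (not captured traffic).
const SAMPLE_HOSTS = [
  "contoso.sharepoint.com",              // one label before sharepoint.com -> PROXY
  "contoso-my.sharepoint.com",           // hyphen is fine inside [^.]+      -> PROXY
  "a.b.sharepoint.com",                  // two labels: pattern does not match -> DIRECT
  "teams.microsoft.com",                 // exact entry                        -> PROXY
  "statics.teams.microsoft.com",         // ignorelist wins                    -> DIRECT
  "login.microsoftonline.com",           // not listed: sign-in stays direct   -> DIRECT
  "eu-prod.asyncgw.teams.microsoft.com", // matched by the asyncgw pattern     -> PROXY
];

for (const h of SAMPLE_HOSTS) {
  console.log(h.padEnd(40), resolve(h));
}
// The same pattern under a plain glob engine: no match, so that traffic would
// silently bypass the bastion instead of being inspected.
console.log("plain glob ^[^.]+.sharepoint.com :",
  globMatch("contoso.sharepoint.com", "^[^.]+.sharepoint.com"));
console.log("plain glob *.sharepoint.com      :",
  globMatch("contoso.sharepoint.com", "*.sharepoint.com"));
```

Run it with `node` after changing the PAC; any host that should be inspected but prints DIRECT is a bypass. Note that the glob form `*.sharepoint.com` also matches `a.b.sharepoint.com`, which the regex-style pattern deliberately does not.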
Archive hosts - Currently not required
"^[^.]+.userstore.skype.com", - ?
"^[^.]+.manage.microsoft.com", - ?
"^[^.]+.teams.skype.com", - ?
"^[^.]+.broker.skype.com", - ?
"^[^.]+.cc.skype.com", - ?
"^[^.]+.config.skype.com", - ?
"^[^.]+.conv.skype.com", - ?
"^[^.]+.edge.skype.com", - ?
"^[^.]+.msg.skype.com", - ?
"^[^.]+.tpc.skype.com", - ?
"^[^.]+.pipe.skype.com", - ?
"^[^.]+.skype.com", - ?
"^[^.]+.lync.com", - (maybe for skype users - can be removed)
"^[^.]+.microsoftonline.com", - (sign-in, includes passwords - can be removed)
"secure.aadcdn.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.net", - (signin - can be removed)
"^[^.]+.windows.net", - (signin - can be removed)
"^[^.]+.pipe.aria.microsoft.com", - (MSFT analytics - can be removed)
"^[^.]+.trouter.teams.microsoft.com", - (realtime stuff - can be removed)
"^[^.]+.presence.teams.microsoft.com", - (can be removed)
"^[^.]+.data.microsoft.com", - (can be removed)
"^[^.]+.asm.skype.com", - ? (looks like sign-in as well - can be removed)
FW Proxy Certificate
The current certificate we are using is Teams7, with these Subject Alternative Names (SANs):
*.hockeyapp.net
*.officeapps.live.com
officeapps.live.com
*.lync.com
*.dc.trouter.io
*.microsoftazuread-sso.com
*.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msappproxy.net
*.msecnd.net
*.office.com
*.office.net
*.office365.com
*.onenote.net
*.outlook.com
URLs to whitelist in firewalls
*.sharepoint.com
*.sharepointonline.com
*.skype.com
*.windows.net
*.pipe.aria.microsoft.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.trouter.teams.microsoft.com
*.presence.teams.microsoft.com
*.data.microsoft.com
*.asm.skype.com
*.broker.skype.com
*.cc.skype.com
*.config.skype.com
*.conv.skype.com
*.edge.skype.com
*.msg.skype.com
*.tpc.skype.com
*.pipe.skype.com
pipe.skype.com
*.teams.skype.com
*.notifications.teams.microsoft.com
*.userstore.skype.com
*.manage.microsoft.com
*.asyncgw.teams.microsoft.com
*.sfx.ms
*.adjust.com
*.agatskype.net
*.vo.msecnd.net
*.telemetry.microsoft.com
*.msftauth.net
*.msauth.net
*.msedge.net
*.msgapi.teams.microsoft.com
*.substrate.office.com
substrate.office.com
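A related check, added here and not part of the original page: browsers accept a wildcard SAN for exactly one DNS label (RFC 6125 section 6.4.3), so `*.teams.microsoft.com` covers neither `x.ng.msg.teams.microsoft.com` nor the bare `teams.microsoft.com`, which is why those names have to appear separately in the certificate and firewall lists above. The script below implements that matching rule and reports the hosts routed to the bastion that no SAN covers. The SAN set is a sample assembled from names on this page (a subset, not the actual Teams7 certificate) and the hostnames are constructed for the demonstration.

```javascript
"use strict";

// Added example: verify that an interception certificate's SANs cover the
// hosts the PAC sends to the bastion. Not part of the original page.

// Browser wildcard rule (RFC 6125 s6.4.3): "*" only as the whole left-most
// label, matching exactly one label; otherwise exact, case-insensitive match.
function sanMatches(san, host) {
  san = san.toLowerCase();
  host = host.toLowerCase();
  if (!san.startsWith("*.")) return san === host;
  const suffix = san.slice(1);                       // ".teams.microsoft.com"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, host.length - suffix.length);
  return label.length > 0 && !label.includes(".");   // exactly one label
}

// First SAN that covers the host, or null.
function coveringSan(sans, host) {
  return sans.find((s) => sanMatches(s, host)) || null;
}

// Hosts with no covering SAN: the client would reject the bastion's
// certificate for these and the session would fail rather than be inspected.
function uncovered(sans, hosts) {
  return hosts.filter((h) => coveringSan(sans, h) === null);
}

// Sample SAN set built from names on this page (subset; not the real Teams7 cert).
const SAMPLE_SANS = [
  "*.sharepoint.com", "*.sharepointonline.com",
  "*.skype.com", "pipe.skype.com",
  "teams.microsoft.com", "*.teams.microsoft.com",
  "*.ng.msg.teams.microsoft.com", "*.trouter.teams.microsoft.com",
  "*.msgapi.teams.microsoft.com", "*.office.com",
];

// Constructed hostnames standing in for what the PAC routes to the bastion.
const SAMPLE_HOSTS = [
  "contoso.sharepoint.com",
  "teams.microsoft.com",                   // needs the bare entry, not the wildcard
  "api.teams.microsoft.com",
  "contoso.ng.msg.teams.microsoft.com",    // needs *.ng.msg.teams.microsoft.com
  "eu-prod.asyncgw.teams.microsoft.com",   // *.teams.microsoft.com is one label short
  "substrate.office.com",
  "graph.microsoft.com",                   // no SAN in the sample set
];

for (const h of SAMPLE_HOSTS) {
  console.log(h.padEnd(40), coveringSan(SAMPLE_SANS, h) || "NOT COVERED");
}
```

To run this against the real certificate, replace SAMPLE_SANS with the names printed by `openssl x509 -in <cert> -noout -ext subjectAltName` and SAMPLE_HOSTS with one representative hostname per proxylist pattern.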