"*.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"*.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login; also required for modifying the Teams client for Audio, Video and Screen share.
"*.teams.microsoft.com" - user, presence and conversations info
"*.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"*.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications
(Removed entry - no longer needed for latest versions of Teams clients. Replaced by "*.trouter.teams.microsoft.com".)
"*.asyncgw.teams.microsoft.com" - conversations data

"*.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files

substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW). Affects Teams, SharePoint and other apps

graph.microsoft.com - Search results in SharePoint and other apps (not Teams)

"*.trouter.teams.microsoft.com" - Real time push notifications. Currently required for filtering incoming messages to managed clients. May be omitted if filtering incoming messages isn’t required.

Link to latest PAC version from repository: https://gitlab.com/agat-software/filter-devs/teams_protector/-/blob/efa810b60720d03c7d0cad727f53282a6c48879b/Config/PACs/pac_file.pac

Last updated 06.11.2023

Version from 13.06.2023 includes a change from regular expressions to shell expressions. These are more widely supported by platforms other than Windows, including iOS.

Note that the proxy address is specified on line 5 only.

function FindProxyForURL(url, host) {


	// Specify your proxy here: e.g. "PROXY 11.22.33.4:80"
	var agatProxy = "PROXY <Bastion IP>:<Bastion Port>";

	// Hosts that are always sent through the proxy (shell expressions, not regexes)
	var proxylist = new Array(
			"*.sharepoint.com",
			"*.sharepointonline.com",
			"teams.microsoft.com",
			"*.ng.msg.teams.microsoft.com",
			"pipe.skype.com",
			"*.notifications.teams.microsoft.com",
			"*.asyncgw.teams.microsoft.com",
			"*.msgapi.teams.microsoft.com",
			"substrate.office.com",
			"graph.microsoft.com",
			"*.trouter.teams.microsoft.com"
			);

	// One subdomain level under teams.microsoft.com (e.g. config.teams.microsoft.com);
	// deeper hosts only match if explicitly listed in proxylist
	if (shExpMatch(host, "*.teams.microsoft.com") && dnsDomainLevels(host) == 3) {
		return agatProxy;
	}

	// Return our proxy name for matched domains/hosts
	for (var i = 0; i < proxylist.length; i++) {
		var value = proxylist[i];
		if (shExpMatch(host, value)) {
			return agatProxy;
		}
	}

	return "DIRECT";
}

Archive hosts - Currently not required

"^[^.]+.userstore.skype.com" - ?
"^[^.]+.manage.microsoft.com" - ?

"^[^.]+.teams.skype.com" - ?

"^[^.]+.broker.skype.com" - ?
"^[^.]+.cc.skype.com" - ?
"^[^.]+.config.skype.com" - ?
"^[^.]+.conv.skype.com" - ?
"^[^.]+.edge.skype.com" - ?
"^[^.]+.msg.skype.com" - ?
"^[^.]+.tpc.skype.com" - ?
"^[^.]+.pipe.skype.com" - ?

"^[^.]+.skype.com" - ?

"^[^.]+.lync.com" - (maybe for Skype users - can be removed)
"^[^.]+.microsoftonline.com" - (signin includes passwords - can be removed)
"secure.aadcdn.microsoftonline-p.com" - (signin - can be removed)
"^[^.]+.microsoftonline-p.com" - (signin - can be removed)
"^[^.]+.microsoftonline-p.net" - (signin - can be removed)

"^[^.]+.windows.net" - (signin - can be removed)
"^[^.]+.pipe.aria.microsoft.com" - (MSFT analytics - can be removed)

"^[^.]+.trouter.teams.microsoft.com" - (realtime stuff - can be removed)
"^[^.]+.presence.teams.microsoft.com" - (can be removed)
"^[^.]+.data.microsoft.com" - (can be removed)
"^[^.]+.asm.skype.com" - ? (looks like signin too - can be removed)

FW Proxy Certificate

The current certificate we are using is Teams7 with these alternate names:

*.hockeyapp.net
*.officeapps.live.com
officeapps.live.com
*.lync.com
*.dc.trouter.io
*.microsoftazuread-sso.com
*.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msappproxy.net
*.msecnd.net
*.office.com
*.office.net
*.office365.com
*.onenote.net
*.outlook.com
*. 

General Explanations

  • The PAC file uses shell expressions. These are more widely supported by platforms other than Windows, including iOS. Use of regexes may cause unexpected behavior.

  • The PAC file is written to catch all single level subdomains of teams.microsoft.com (e.g. config.teams.microsoft.com) but not two level subdomains (e.g. api.flightproxy.teams.microsoft.com). Exceptions to this rule are explicitly specified (e.g. *.ng.msg.teams.microsoft.com).
    Adding a catch-all subdomain rule on its own (e.g. shExpMatch(host, "*.teams.microsoft.com") without the dnsDomainLevels check) will cause undesired behavior.
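
An added example, not code from the PAC file or the Teams Protector project: the Node script below reimplements the PAC built-ins shExpMatch and dnsDomainLevels as simplified stand-ins (assumed to approximate browser behaviour) and runs the same one-level rule and host list over constructed sample hosts, so the one-level / two-level distinction explained above can be verified offline.

```javascript
// Added example (not the Teams Protector PAC): offline check of the subdomain
// rule with Node. shExpMatch and dnsDomainLevels are PAC built-ins that Node
// lacks, so simplified stand-ins are defined here (assumption: "*" matches
// any run of characters, "?" one character, like the browser implementations).
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Stand-in for dnsDomainLevels: number of dots in the host name.
function dnsDomainLevels(host) {
  return host.split(".").length - 1;
}

// Same decision logic and host list as the PAC above; the proxy string keeps
// the page's placeholder so results are easy to read.
var AGAT_PROXY = "PROXY <Bastion IP>:<Bastion Port>";
var PROXY_LIST = [
  "*.sharepoint.com", "*.sharepointonline.com", "teams.microsoft.com",
  "*.ng.msg.teams.microsoft.com", "pipe.skype.com",
  "*.notifications.teams.microsoft.com", "*.asyncgw.teams.microsoft.com",
  "*.msgapi.teams.microsoft.com", "substrate.office.com",
  "graph.microsoft.com", "*.trouter.teams.microsoft.com"
];

function FindProxyForURL(url, host) {
  // Exactly one label below teams.microsoft.com (3 dots) goes to the proxy...
  if (shExpMatch(host, "*.teams.microsoft.com") && dnsDomainLevels(host) == 3) {
    return AGAT_PROXY;
  }
  // ...deeper hosts only when an explicit pattern lists them.
  for (var i = 0; i < PROXY_LIST.length; i++) {
    if (shExpMatch(host, PROXY_LIST[i])) return AGAT_PROXY;
  }
  return "DIRECT";
}

// Constructed sample hosts covering each case in the explanation above.
function routeAll() {
  var hosts = ["config.teams.microsoft.com",           // one level -> proxy
               "api.flightproxy.teams.microsoft.com",  // two levels -> DIRECT
               "eu-prod.ng.msg.teams.microsoft.com",   // explicit exception -> proxy
               "contoso.sharepoint.com",               // listed pattern -> proxy
               "login.microsoftonline.com"];           // not listed -> DIRECT
  var out = {};
  hosts.forEach(function (h) { out[h] = FindProxyForURL("https://" + h + "/", h); });
  return out;
}
```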

URLs to whitelist in firewalls

*.sharepoint.com
*.sharepointonline.com
*.skype.com
*.windows.net
*.pipe.aria.microsoft.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.trouter.teams.microsoft.com
*.presence.teams.microsoft.com
*.data.microsoft.com
*.asm.skype.com
*.broker.skype.com
*.cc.skype.com
*.config.skype.com
*.conv.skype.com
*.edge.skype.com
*.msg.skype.com
*.tpc.skype.com
*.pipe.skype.com
pipe.skype.com
*.teams.skype.com
*.notifications.teams.microsoft.com
*.userstoreasyncgw.skype.com
*.manage.teams.microsoft.com

*.sfx.ms
*.adjust.com
*.asyncgw.msgapi.teams.microsoft.com*

substrate.agatskypeoffice.net
*.vo.msecnd.net
*.telemetrycom

graph.microsoft.com

*.msftauth.net
*.msauth.net
*.msedge.net
*.msgapi.trouter.teams.microsoft.com
*.substrate.office.com