"^[^.]+.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"^[^.]+.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"^[^.]+.teams.microsoft.com" - user and conversations info
"^[^.]+.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"^[^.]+.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications
"^[^.]+.asyncgw.teams.microsoft.com" - conversations data
"^[^.]+.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files
substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW)
function FindProxyForURL(url, host) {
var ignorelist = new Array(
"secure.aadcdn.microsoftonline-p.com",
"statics.teams.microsoft.com");
var proxylist = new Array(
"^[^.]+.sharepoint.com",
"^[^.]+.sharepointonline.com",
"teams.microsoft.com",
"^[^.]+.teams.microsoft.com",
"^[^.]+.ng.msg.teams.microsoft.com",
"pipe.skype.com",
"^[^.]+.notifications.teams.microsoft.com",
"^[^.]+.asyncgw.teams.microsoft.com",
"^[^.]+.agatskype.net",
"^[^.]+.msgapi.teams.microsoft.com",
"substrate.office.com"
);
// Check if need to ignore
for (var i = 0; i < ignorelist.length; i++) {
var value = ignorelist[i];
if (dnsDomainIs(host, value)) {
return "DIRECT";
}
}
// Return our proxy name for matched domains/hosts
for (var i = 0; i < proxylist.length; i++) {
var value = proxylist[i];
if (shExpMatch(host, value)) {
return "PROXY <**** BASTION SERVER IP ****>";
}
}
return "DIRECT";
}
Archive hosts - Currently not required
"^[^.]+.userstore.skype.com", - ?
"^[^.]+.manage.microsoft.com", - ?
"^[^.]+.teams.skype.com", - ?
"^[^.]+.broker.skype.com", - ?
"^[^.]+.cc.skype.com", - ?
"^[^.]+.config.skype.com", - ?
"^[^.]+.conv.skype.com", - ?
"^[^.]+.edge.skype.com", - ?
"^[^.]+.msg.skype.com", - ?
"^[^.]+.tpc.skype.com", - ?
"^[^.]+.pipe.skype.com", - ?
"^[^.]+.skype.com", - ?
"^[^.]+.lync.com", - (maybe for skype users - can be removed)
"^[^.]+.microsoftonline.com", - (signin includs passwords - can be removed)
"secure.aadcdn.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.net", - (signin - can be removed)
"^[^.]+.windows.net", - (signin - can be removed)
"^[^.]+.pipe.aria.microsoft.com", - (MSFT analytics - can be removed)
"^[^.]+.trouter.teams.microsoft.com", - (realtime stuff - can be removed)
"^[^.]+.presence.teams.microsoft.com", - (can be removed)
"^[^.]+.data.microsoft.com", - (can be removed)
"^[^.]+.asm.skype.com", - ? (look like also signin - can be removed)
FW Proxy Certificate
The current certificate we are using is Teams7 with these alternate names:
*.hockeyapp.net
*.officeapps.live.com
officeapps.live.com
*.lync.com
*.dc.trouter.io
*.microsoftazuread-sso.com
*.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msappproxy.net
*.msecnd.net
*.office.com
*.office.net
*.office365.com
*.onenote.net
*.outlook.com
*.sharepoint.com
*.sharepointonline.com
*.skype.com
*.windows.net
*.pipe.aria.microsoft.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.trouter.teams.microsoft.com
*.presence.teams.microsoft.com
*.data.microsoft.com
*.asm.skype.com
*.broker.skype.com
*.cc.skype.com
*.config.skype.com
*.conv.skype.com
*.edge.skype.com
*.msg.skype.com
*.tpc.skype.com
*.pipe.skype.com
pipe.skype.com
*.teams.skype.com
*.notifications.teams.microsoft.com
*.userstore.skype.com
*.manage.microsoft.com
*.sfx.ms
*.adjust.com
*.asyncgw.teams.microsoft.com
*.agatskype.net
*.vo.msecnd.net
*.telemetry.microsoft.com
*.msftauth.net
*.msauth.net
*.msedge.net
*.msgapi.teams.microsoft.com
*.substrate.office.com