"^[^.]+.sharepoint.com" - user upload / download files for DLP / AV inspection (but not for EW)
"^[^.]+.sharepointonline.com" - user upload / download files for DLP / AV inspection (but not for EW)
"teams.microsoft.com" - user login for modifying Teams client for Audio, Video, Screen share, user login.
"^[^.]+.teams.microsoft.com" - user and conversations info
"^[^.]+.ng.msg.teams.microsoft.com" - chat server for IMs and Files
"pipe.skype.com" - for Audio, Video, Screen share events
"^[^.]+.notifications.teams.microsoft.com" - for incoming IMs and Files / push notifications
"^[^.]+.asyncgw.teams.microsoft.com" - conversations data
"^[^.]+.msgapi.teams.microsoft.com" - chat server for outgoing IMs and Files
substrate.office.com - Some search results. Required to prevent users from viewing search suggestions of blocked contacts (EW)
function FindProxyForURL(url, host) { var ignorelist = new Array( "secure.aadcdn.microsoftonline-p.com", "statics.teams.microsoft.com"); var proxylist = new Array( "^[^.]+.sharepoint.com", "^[^.]+.sharepointonline.com", "teams.microsoft.com", "^[^.]+.teams.microsoft.com", "^[^.]+.ng.msg.teams.microsoft.com", "pipe.skype.com", "^[^.]+.notifications.teams.microsoft.com", "^[^.]+.asyncgw.teams.microsoft.com", "^[^.]+.agatskype.net", "^[^.]+.msgapi.teams.microsoft.com", "substrate.office.com" ); // Check if need to ignore for (var i = 0; i < ignorelist.length; i++) { var value = ignorelist[i]; if (dnsDomainIs(host, value)) { return "DIRECT"; } } // Return our proxy name for matched domains/hosts for (var i = 0; i < proxylist.length; i++) { var value = proxylist[i]; if (shExpMatch(host, value)) { return "PROXY <**** BASTION SERVER IP ****>"; } } return "DIRECT"; }
Archive hosts - Currently not required
"^[^.]+.userstore.skype.com", - ?
"^[^.]+.manage.microsoft.com", - ?
"^[^.]+.teams.skype.com", - ?
"^[^.]+.broker.skype.com", - ?
"^[^.]+.cc.skype.com", - ?
"^[^.]+.config.skype.com", - ?
"^[^.]+.conv.skype.com", - ?
"^[^.]+.edge.skype.com", - ?
"^[^.]+.msg.skype.com", - ?
"^[^.]+.tpc.skype.com", - ?
"^[^.]+.pipe.skype.com", - ?
"^[^.]+.skype.com", - ?
"^[^.]+.lync.com", - (maybe for skype users - can be removed)
"^[^.]+.microsoftonline.com", - (signin includs passwords - can be removed)
"secure.aadcdn.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.com", - (signin - can be removed)
"^[^.]+.microsoftonline-p.net", - (signin - can be removed)
"^[^.]+.windows.net", - (signin - can be removed)
"^[^.]+.pipe.aria.microsoft.com", - (MSFT analytics - can be removed)
"^[^.]+.trouter.teams.microsoft.com", - (realtime stuff - can be removed)
"^[^.]+.presence.teams.microsoft.com", - (can be removed)
"^[^.]+.data.microsoft.com", - (can be removed)
"^[^.]+.asm.skype.com", - ? (look like also signin - can be removed)
FW Proxy Certificate
The current certificate we are using is Teams7 with these alternate names:
*.hockeyapp.net
*.officeapps.live.com
officeapps.live.com
*.lync.com
*.dc.trouter.io
*.microsoftazuread-sso.com
*.microsoftonline.com
secure.aadcdn.microsoftonline-p.com
*.microsoftonline-p.com
*.microsoftonline-p.net
*.msappproxy.net
*.msecnd.net
*.office.com
*.office.net
*.office365.com
*.onenote.net
*.outlook.com
*.sharepoint.com
*.sharepointonline.com
*.skype.com
*.windows.net
*.pipe.aria.microsoft.com
teams.microsoft.com
*.teams.microsoft.com
*.ng.msg.teams.microsoft.com
*.trouter.teams.microsoft.com
*.presence.teams.microsoft.com
*.data.microsoft.com
*.asm.skype.com
*.broker.skype.com
*.cc.skype.com
*.config.skype.com
*.conv.skype.com
*.edge.skype.com
*.msg.skype.com
*.tpc.skype.com
*.pipe.skype.com
pipe.skype.com
*.teams.skype.com
*.notifications.teams.microsoft.com
*.userstore.skype.com
*.manage.microsoft.com
*.sfx.ms
*.adjust.com
*.asyncgw.teams.microsoft.com
*.agatskype.net
*.vo.msecnd.net
*.telemetry.microsoft.com
*.msftauth.net
*.msauth.net
*.msedge.net
*.msgapi.teams.microsoft.com
*.substrate.office.com